3 The serpent block cipher.
5 For more details on this algorithm, see the Serpent website at
6 http://www.cl.cam.ac.uk/~rja14/serpent.html
8 Copyright (C) 2011 Niels Möller
9 Copyright (C) 2010, 2011 Simon Josefsson
10 Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
12 This file is part of GNU Nettle.
14 GNU Nettle is free software: you can redistribute it and/or
15 modify it under the terms of either:
17 * the GNU Lesser General Public License as published by the Free
18 Software Foundation; either version 3 of the License, or (at your
19 option) any later version.
23 * the GNU General Public License as published by the Free
24 Software Foundation; either version 2 of the License, or (at your
25 option) any later version.
27 or both in parallel, as here.
29 GNU Nettle is distributed in the hope that it will be useful,
30 but WITHOUT ANY WARRANTY; without even the implied warranty of
31 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
32 General Public License for more details.
34 You should have received copies of the GNU General Public License and
35 the GNU Lesser General Public License along with this program. If
36 not, see http://www.gnu.org/licenses/.
39 /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6.
40 The adaption to Nettle was made by Simon Josefsson on 2010-12-07
41 with final touches on 2011-05-30. Changes include replacing
42 libgcrypt with nettle in the license template, renaming
43 serpent_context to serpent_ctx, renaming u32 to uint32_t, removing
44 libgcrypt stubs and selftests, modifying entry function prototypes,
45 using FOR_BLOCKS to iterate through data in encrypt/decrypt, using
46 LE_READ_UINT32 and LE_WRITE_UINT32 to access data in
47 encrypt/decrypt, and running indent on the code. */
59 #include "serpent-internal.h"
61 /* These are the S-Boxes of Serpent. They are copied from Serpents
62 reference implementation (the optimized one, contained in
63 `floppy2') and are therefore:
65 Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen.
67 To quote the Serpent homepage
68 (http://www.cl.cam.ac.uk/~rja14/serpent.html):
70 "Serpent is now completely in the public domain, and we impose no
71 restrictions on its use. This was announced on the 21st August at
72 the First AES Candidate Conference. The optimised implementations
73 in the submission package are now under the GNU PUBLIC LICENSE
74 (GPL), although some comments in the code still say otherwise. You
75 are welcome to use Serpent for any application." */
77 /* S0 inverse: 13 3 11 0 10 6 5 12 1 14 4 7 15 9 8 2 */
78 /* Original single-assignment form:
100 #define SBOX0_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
123 /* S1 inverse: 5 8 2 14 15 6 12 3 11 4 7 9 1 13 10 0 */
124 /* Original single-assignment form:
144 #define SBOX1_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
166 /* S2 inverse: 12 9 15 4 11 14 1 2 0 3 6 13 5 8 10 7 */
167 /* Original single-assignment form:
187 #define SBOX2_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
209 /* S3 inverse: 0 9 10 7 11 14 6 13 3 5 12 2 4 8 15 1 */
210 /* Original single-assignment form:
229 #define SBOX3_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
250 /* S4 inverse: 5 0 8 3 10 9 7 14 2 12 11 6 4 15 13 1 */
251 /* Original single-assignment form:
270 #define SBOX4_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
291 /* S5 inverse: 8 15 2 9 4 1 13 14 11 6 5 3 7 12 10 0 */
292 /* Original single-assignment form:
311 #define SBOX5_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
332 /* S6 inverse: 15 10 1 13 5 3 6 0 4 9 14 7 2 12 8 11 */
333 /* Original single-assignment form:
354 #define SBOX6_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
377 /* S7 inverse: 3 0 6 13 9 14 15 8 5 12 11 7 10 1 4 2 */
378 /* Original single-assignment form:
398 #define SBOX7_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \
420 /* In-place inverse linear transformation. */
421 #define LINEAR_TRANSFORMATION_INVERSE(x0,x1,x2,x3) \
423 x2 = ROTL32 (10, x2); \
424 x0 = ROTL32 (27, x0); \
425 x2 = x2 ^ x3 ^ (x1 << 7); \
427 x3 = ROTL32 (25, x3); \
428 x1 = ROTL32 (31, x1); \
429 x3 = x3 ^ x2 ^ (x0 << 3); \
431 x2 = ROTL32 (29, x2); \
432 x0 = ROTL32 (19, x0); \
435 /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are
437 #define ROUND_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \
439 LINEAR_TRANSFORMATION_INVERSE (x0,x1,x2,x3); \
440 SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \
441 KEYXOR(y0,y1,y2,y3, subkey); \
444 #if HAVE_NATIVE_64_BIT
446 /* In-place inverse linear transformation. */
447 #define LINEAR_TRANSFORMATION64_INVERSE(x0,x1,x2,x3) \
449 x2 = DROTL32 (10, x2); \
450 x0 = DROTL32 (27, x0); \
451 x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \
453 x3 = DROTL32 (25, x3); \
454 x1 = DROTL32 (31, x1); \
455 x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \
457 x2 = DROTL32 (29, x2); \
458 x0 = DROTL32 (19, x0); \
461 #define ROUND64_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \
463 LINEAR_TRANSFORMATION64_INVERSE (x0,x1,x2,x3); \
464 SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \
465 KEYXOR64(y0,y1,y2,y3, subkey); \
468 #endif /* HAVE_NATIVE_64_BIT */
471 serpent_decrypt (const struct serpent_ctx *ctx,
472 size_t length, uint8_t * dst, const uint8_t * src)
474 assert( !(length % SERPENT_BLOCK_SIZE));
476 #if HAVE_NATIVE_64_BIT
477 if (length & SERPENT_BLOCK_SIZE)
479 while (length >= SERPENT_BLOCK_SIZE)
482 uint32_t x0,x1,x2,x3, y0,y1,y2,y3;
485 x0 = LE_READ_UINT32 (src);
486 x1 = LE_READ_UINT32 (src + 4);
487 x2 = LE_READ_UINT32 (src + 8);
488 x3 = LE_READ_UINT32 (src + 12);
490 /* Inverse of special round */
491 KEYXOR (x0,x1,x2,x3, ctx->keys[32]);
492 SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3);
493 KEYXOR (y0,y1,y2,y3, ctx->keys[31]);
500 ROUND_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3);
502 ROUND_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3);
503 ROUND_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3);
504 ROUND_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3);
505 ROUND_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3);
506 ROUND_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3);
507 ROUND_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3);
508 ROUND_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3);
511 LE_WRITE_UINT32 (dst, x0);
512 LE_WRITE_UINT32 (dst + 4, x1);
513 LE_WRITE_UINT32 (dst + 8, x2);
514 LE_WRITE_UINT32 (dst + 12, x3);
516 src += SERPENT_BLOCK_SIZE;
517 dst += SERPENT_BLOCK_SIZE;
518 length -= SERPENT_BLOCK_SIZE;
520 #if HAVE_NATIVE_64_BIT
521 FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE)
523 uint64_t x0,x1,x2,x3, y0,y1,y2,y3;
526 x0 = LE_READ_UINT32 (src);
527 x1 = LE_READ_UINT32 (src + 4);
528 x2 = LE_READ_UINT32 (src + 8);
529 x3 = LE_READ_UINT32 (src + 12);
531 x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16);
532 x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20);
533 x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24);
534 x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28);
536 /* Inverse of special round */
537 KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]);
538 SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3);
539 KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]);
546 ROUND64_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3);
548 ROUND64_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3);
549 ROUND64_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3);
550 ROUND64_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3);
551 ROUND64_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3);
552 ROUND64_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3);
553 ROUND64_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3);
554 ROUND64_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3);
557 LE_WRITE_UINT32 (dst + 16, x0);
558 LE_WRITE_UINT32 (dst + 20, x1);
559 LE_WRITE_UINT32 (dst + 24, x2);
560 LE_WRITE_UINT32 (dst + 28, x3);
561 x0 >>= 32; LE_WRITE_UINT32 (dst, x0);
562 x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1);
563 x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2);
564 x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3);
566 #endif /* HAVE_NATIVE_64_BIT */