001: package org.bouncycastle.crypto.engines;
002:
003: import org.bouncycastle.crypto.BlockCipher;
004: import org.bouncycastle.crypto.CipherParameters;
005: import org.bouncycastle.crypto.DataLengthException;
006: import org.bouncycastle.crypto.params.KeyParameter;
007:
008: /**
009: * Serpent is a 128-bit 32-round block cipher with variable key lengths,
010: * including 128, 192 and 256 bit keys conjectured to be at least as
011: * secure as three-key triple-DES.
012: * <p>
013: * Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen as a
014: * candidate algorithm for the NIST AES Quest.>
015: * <p>
016: * For full details see the <a href="http://www.cl.cam.ac.uk/~rja14/serpent.html">The Serpent home page</a>
017: */
018: public class SerpentEngine implements BlockCipher {
019: private static final int BLOCK_SIZE = 16;
020:
021: static final int ROUNDS = 32;
022: static final int PHI = 0x9E3779B9; // (sqrt(5) - 1) * 2**31
023:
024: private boolean encrypting;
025: private int[] wKey;
026:
027: private int X0, X1, X2, X3; // registers
028:
029: /**
030: * initialise a Serpent cipher.
031: *
032: * @param encrypting whether or not we are for encryption.
033: * @param params the parameters required to set up the cipher.
034: * @exception IllegalArgumentException if the params argument is
035: * inappropriate.
036: */
037: public void init(boolean encrypting, CipherParameters params) {
038: if (params instanceof KeyParameter) {
039: this .encrypting = encrypting;
040: this .wKey = makeWorkingKey(((KeyParameter) params).getKey());
041: return;
042: }
043:
044: throw new IllegalArgumentException(
045: "invalid parameter passed to Serpent init - "
046: + params.getClass().getName());
047: }
048:
049: public String getAlgorithmName() {
050: return "Serpent";
051: }
052:
053: public int getBlockSize() {
054: return BLOCK_SIZE;
055: }
056:
057: /**
058: * Process one block of input from the array in and write it to
059: * the out array.
060: *
061: * @param in the array containing the input data.
062: * @param inOff offset into the in array the data starts at.
063: * @param out the array the output data will be copied into.
064: * @param outOff the offset into the out array the output will start at.
065: * @exception DataLengthException if there isn't enough data in in, or
066: * space in out.
067: * @exception IllegalStateException if the cipher isn't initialised.
068: * @return the number of bytes processed and produced.
069: */
070: public final int processBlock(byte[] in, int inOff, byte[] out,
071: int outOff) {
072: if (wKey == null) {
073: throw new IllegalStateException("Serpent not initialised");
074: }
075:
076: if ((inOff + BLOCK_SIZE) > in.length) {
077: throw new DataLengthException("input buffer too short");
078: }
079:
080: if ((outOff + BLOCK_SIZE) > out.length) {
081: throw new DataLengthException("output buffer too short");
082: }
083:
084: if (encrypting) {
085: encryptBlock(in, inOff, out, outOff);
086: } else {
087: decryptBlock(in, inOff, out, outOff);
088: }
089:
090: return BLOCK_SIZE;
091: }
092:
093: public void reset() {
094: }
095:
096: /**
097: * Expand a user-supplied key material into a session key.
098: *
099: * @param key The user-key bytes (multiples of 4) to use.
100: * @exception IllegalArgumentException
101: */
102: private int[] makeWorkingKey(byte[] key)
103: throws IllegalArgumentException {
104: //
105: // pad key to 256 bits
106: //
107: int[] kPad = new int[16];
108: int off = 0;
109: int length = 0;
110:
111: for (off = key.length - 4; off > 0; off -= 4) {
112: kPad[length++] = bytesToWord(key, off);
113: }
114:
115: if (off == 0) {
116: kPad[length++] = bytesToWord(key, 0);
117: if (length < 8) {
118: kPad[length] = 1;
119: }
120: } else {
121: throw new IllegalArgumentException(
122: "key must be a multiple of 4 bytes");
123: }
124:
125: //
126: // expand the padded key up to 33 x 128 bits of key material
127: //
128: int amount = (ROUNDS + 1) * 4;
129: int[] w = new int[amount];
130:
131: //
132: // compute w0 to w7 from w-8 to w-1
133: //
134: for (int i = 8; i < 16; i++) {
135: kPad[i] = rotateLeft(kPad[i - 8] ^ kPad[i - 5]
136: ^ kPad[i - 3] ^ kPad[i - 1] ^ PHI ^ (i - 8), 11);
137: }
138:
139: System.arraycopy(kPad, 8, w, 0, 8);
140:
141: //
142: // compute w8 to w136
143: //
144: for (int i = 8; i < amount; i++) {
145: w[i] = rotateLeft(w[i - 8] ^ w[i - 5] ^ w[i - 3] ^ w[i - 1]
146: ^ PHI ^ i, 11);
147: }
148:
149: //
150: // create the working keys by processing w with the Sbox and IP
151: //
152: sb3(w[0], w[1], w[2], w[3]);
153: w[0] = X0;
154: w[1] = X1;
155: w[2] = X2;
156: w[3] = X3;
157: sb2(w[4], w[5], w[6], w[7]);
158: w[4] = X0;
159: w[5] = X1;
160: w[6] = X2;
161: w[7] = X3;
162: sb1(w[8], w[9], w[10], w[11]);
163: w[8] = X0;
164: w[9] = X1;
165: w[10] = X2;
166: w[11] = X3;
167: sb0(w[12], w[13], w[14], w[15]);
168: w[12] = X0;
169: w[13] = X1;
170: w[14] = X2;
171: w[15] = X3;
172: sb7(w[16], w[17], w[18], w[19]);
173: w[16] = X0;
174: w[17] = X1;
175: w[18] = X2;
176: w[19] = X3;
177: sb6(w[20], w[21], w[22], w[23]);
178: w[20] = X0;
179: w[21] = X1;
180: w[22] = X2;
181: w[23] = X3;
182: sb5(w[24], w[25], w[26], w[27]);
183: w[24] = X0;
184: w[25] = X1;
185: w[26] = X2;
186: w[27] = X3;
187: sb4(w[28], w[29], w[30], w[31]);
188: w[28] = X0;
189: w[29] = X1;
190: w[30] = X2;
191: w[31] = X3;
192: sb3(w[32], w[33], w[34], w[35]);
193: w[32] = X0;
194: w[33] = X1;
195: w[34] = X2;
196: w[35] = X3;
197: sb2(w[36], w[37], w[38], w[39]);
198: w[36] = X0;
199: w[37] = X1;
200: w[38] = X2;
201: w[39] = X3;
202: sb1(w[40], w[41], w[42], w[43]);
203: w[40] = X0;
204: w[41] = X1;
205: w[42] = X2;
206: w[43] = X3;
207: sb0(w[44], w[45], w[46], w[47]);
208: w[44] = X0;
209: w[45] = X1;
210: w[46] = X2;
211: w[47] = X3;
212: sb7(w[48], w[49], w[50], w[51]);
213: w[48] = X0;
214: w[49] = X1;
215: w[50] = X2;
216: w[51] = X3;
217: sb6(w[52], w[53], w[54], w[55]);
218: w[52] = X0;
219: w[53] = X1;
220: w[54] = X2;
221: w[55] = X3;
222: sb5(w[56], w[57], w[58], w[59]);
223: w[56] = X0;
224: w[57] = X1;
225: w[58] = X2;
226: w[59] = X3;
227: sb4(w[60], w[61], w[62], w[63]);
228: w[60] = X0;
229: w[61] = X1;
230: w[62] = X2;
231: w[63] = X3;
232: sb3(w[64], w[65], w[66], w[67]);
233: w[64] = X0;
234: w[65] = X1;
235: w[66] = X2;
236: w[67] = X3;
237: sb2(w[68], w[69], w[70], w[71]);
238: w[68] = X0;
239: w[69] = X1;
240: w[70] = X2;
241: w[71] = X3;
242: sb1(w[72], w[73], w[74], w[75]);
243: w[72] = X0;
244: w[73] = X1;
245: w[74] = X2;
246: w[75] = X3;
247: sb0(w[76], w[77], w[78], w[79]);
248: w[76] = X0;
249: w[77] = X1;
250: w[78] = X2;
251: w[79] = X3;
252: sb7(w[80], w[81], w[82], w[83]);
253: w[80] = X0;
254: w[81] = X1;
255: w[82] = X2;
256: w[83] = X3;
257: sb6(w[84], w[85], w[86], w[87]);
258: w[84] = X0;
259: w[85] = X1;
260: w[86] = X2;
261: w[87] = X3;
262: sb5(w[88], w[89], w[90], w[91]);
263: w[88] = X0;
264: w[89] = X1;
265: w[90] = X2;
266: w[91] = X3;
267: sb4(w[92], w[93], w[94], w[95]);
268: w[92] = X0;
269: w[93] = X1;
270: w[94] = X2;
271: w[95] = X3;
272: sb3(w[96], w[97], w[98], w[99]);
273: w[96] = X0;
274: w[97] = X1;
275: w[98] = X2;
276: w[99] = X3;
277: sb2(w[100], w[101], w[102], w[103]);
278: w[100] = X0;
279: w[101] = X1;
280: w[102] = X2;
281: w[103] = X3;
282: sb1(w[104], w[105], w[106], w[107]);
283: w[104] = X0;
284: w[105] = X1;
285: w[106] = X2;
286: w[107] = X3;
287: sb0(w[108], w[109], w[110], w[111]);
288: w[108] = X0;
289: w[109] = X1;
290: w[110] = X2;
291: w[111] = X3;
292: sb7(w[112], w[113], w[114], w[115]);
293: w[112] = X0;
294: w[113] = X1;
295: w[114] = X2;
296: w[115] = X3;
297: sb6(w[116], w[117], w[118], w[119]);
298: w[116] = X0;
299: w[117] = X1;
300: w[118] = X2;
301: w[119] = X3;
302: sb5(w[120], w[121], w[122], w[123]);
303: w[120] = X0;
304: w[121] = X1;
305: w[122] = X2;
306: w[123] = X3;
307: sb4(w[124], w[125], w[126], w[127]);
308: w[124] = X0;
309: w[125] = X1;
310: w[126] = X2;
311: w[127] = X3;
312: sb3(w[128], w[129], w[130], w[131]);
313: w[128] = X0;
314: w[129] = X1;
315: w[130] = X2;
316: w[131] = X3;
317:
318: return w;
319: }
320:
321: private int rotateLeft(int x, int bits) {
322: return (x << bits) | (x >>> -bits);
323: }
324:
325: private int rotateRight(int x, int bits) {
326: return (x >>> bits) | (x << -bits);
327: }
328:
329: private int bytesToWord(byte[] src, int srcOff) {
330: return (((src[srcOff] & 0xff) << 24)
331: | ((src[srcOff + 1] & 0xff) << 16)
332: | ((src[srcOff + 2] & 0xff) << 8) | ((src[srcOff + 3] & 0xff)));
333: }
334:
335: private void wordToBytes(int word, byte[] dst, int dstOff) {
336: dst[dstOff + 3] = (byte) (word);
337: dst[dstOff + 2] = (byte) (word >>> 8);
338: dst[dstOff + 1] = (byte) (word >>> 16);
339: dst[dstOff] = (byte) (word >>> 24);
340: }
341:
342: /**
343: * Encrypt one block of plaintext.
344: *
345: * @param in the array containing the input data.
346: * @param inOff offset into the in array the data starts at.
347: * @param out the array the output data will be copied into.
348: * @param outOff the offset into the out array the output will start at.
349: */
350: private void encryptBlock(byte[] in, int inOff, byte[] out,
351: int outOff) {
352: X3 = bytesToWord(in, inOff);
353: X2 = bytesToWord(in, inOff + 4);
354: X1 = bytesToWord(in, inOff + 8);
355: X0 = bytesToWord(in, inOff + 12);
356:
357: sb0(wKey[0] ^ X0, wKey[1] ^ X1, wKey[2] ^ X2, wKey[3] ^ X3);
358: LT();
359: sb1(wKey[4] ^ X0, wKey[5] ^ X1, wKey[6] ^ X2, wKey[7] ^ X3);
360: LT();
361: sb2(wKey[8] ^ X0, wKey[9] ^ X1, wKey[10] ^ X2, wKey[11] ^ X3);
362: LT();
363: sb3(wKey[12] ^ X0, wKey[13] ^ X1, wKey[14] ^ X2, wKey[15] ^ X3);
364: LT();
365: sb4(wKey[16] ^ X0, wKey[17] ^ X1, wKey[18] ^ X2, wKey[19] ^ X3);
366: LT();
367: sb5(wKey[20] ^ X0, wKey[21] ^ X1, wKey[22] ^ X2, wKey[23] ^ X3);
368: LT();
369: sb6(wKey[24] ^ X0, wKey[25] ^ X1, wKey[26] ^ X2, wKey[27] ^ X3);
370: LT();
371: sb7(wKey[28] ^ X0, wKey[29] ^ X1, wKey[30] ^ X2, wKey[31] ^ X3);
372: LT();
373: sb0(wKey[32] ^ X0, wKey[33] ^ X1, wKey[34] ^ X2, wKey[35] ^ X3);
374: LT();
375: sb1(wKey[36] ^ X0, wKey[37] ^ X1, wKey[38] ^ X2, wKey[39] ^ X3);
376: LT();
377: sb2(wKey[40] ^ X0, wKey[41] ^ X1, wKey[42] ^ X2, wKey[43] ^ X3);
378: LT();
379: sb3(wKey[44] ^ X0, wKey[45] ^ X1, wKey[46] ^ X2, wKey[47] ^ X3);
380: LT();
381: sb4(wKey[48] ^ X0, wKey[49] ^ X1, wKey[50] ^ X2, wKey[51] ^ X3);
382: LT();
383: sb5(wKey[52] ^ X0, wKey[53] ^ X1, wKey[54] ^ X2, wKey[55] ^ X3);
384: LT();
385: sb6(wKey[56] ^ X0, wKey[57] ^ X1, wKey[58] ^ X2, wKey[59] ^ X3);
386: LT();
387: sb7(wKey[60] ^ X0, wKey[61] ^ X1, wKey[62] ^ X2, wKey[63] ^ X3);
388: LT();
389: sb0(wKey[64] ^ X0, wKey[65] ^ X1, wKey[66] ^ X2, wKey[67] ^ X3);
390: LT();
391: sb1(wKey[68] ^ X0, wKey[69] ^ X1, wKey[70] ^ X2, wKey[71] ^ X3);
392: LT();
393: sb2(wKey[72] ^ X0, wKey[73] ^ X1, wKey[74] ^ X2, wKey[75] ^ X3);
394: LT();
395: sb3(wKey[76] ^ X0, wKey[77] ^ X1, wKey[78] ^ X2, wKey[79] ^ X3);
396: LT();
397: sb4(wKey[80] ^ X0, wKey[81] ^ X1, wKey[82] ^ X2, wKey[83] ^ X3);
398: LT();
399: sb5(wKey[84] ^ X0, wKey[85] ^ X1, wKey[86] ^ X2, wKey[87] ^ X3);
400: LT();
401: sb6(wKey[88] ^ X0, wKey[89] ^ X1, wKey[90] ^ X2, wKey[91] ^ X3);
402: LT();
403: sb7(wKey[92] ^ X0, wKey[93] ^ X1, wKey[94] ^ X2, wKey[95] ^ X3);
404: LT();
405: sb0(wKey[96] ^ X0, wKey[97] ^ X1, wKey[98] ^ X2, wKey[99] ^ X3);
406: LT();
407: sb1(wKey[100] ^ X0, wKey[101] ^ X1, wKey[102] ^ X2, wKey[103]
408: ^ X3);
409: LT();
410: sb2(wKey[104] ^ X0, wKey[105] ^ X1, wKey[106] ^ X2, wKey[107]
411: ^ X3);
412: LT();
413: sb3(wKey[108] ^ X0, wKey[109] ^ X1, wKey[110] ^ X2, wKey[111]
414: ^ X3);
415: LT();
416: sb4(wKey[112] ^ X0, wKey[113] ^ X1, wKey[114] ^ X2, wKey[115]
417: ^ X3);
418: LT();
419: sb5(wKey[116] ^ X0, wKey[117] ^ X1, wKey[118] ^ X2, wKey[119]
420: ^ X3);
421: LT();
422: sb6(wKey[120] ^ X0, wKey[121] ^ X1, wKey[122] ^ X2, wKey[123]
423: ^ X3);
424: LT();
425: sb7(wKey[124] ^ X0, wKey[125] ^ X1, wKey[126] ^ X2, wKey[127]
426: ^ X3);
427:
428: wordToBytes(wKey[131] ^ X3, out, outOff);
429: wordToBytes(wKey[130] ^ X2, out, outOff + 4);
430: wordToBytes(wKey[129] ^ X1, out, outOff + 8);
431: wordToBytes(wKey[128] ^ X0, out, outOff + 12);
432: }
433:
434: /**
435: * Decrypt one block of ciphertext.
436: *
437: * @param in the array containing the input data.
438: * @param inOff offset into the in array the data starts at.
439: * @param out the array the output data will be copied into.
440: * @param outOff the offset into the out array the output will start at.
441: */
442: private void decryptBlock(byte[] in, int inOff, byte[] out,
443: int outOff) {
444: X3 = wKey[131] ^ bytesToWord(in, inOff);
445: X2 = wKey[130] ^ bytesToWord(in, inOff + 4);
446: X1 = wKey[129] ^ bytesToWord(in, inOff + 8);
447: X0 = wKey[128] ^ bytesToWord(in, inOff + 12);
448:
449: ib7(X0, X1, X2, X3);
450: X0 ^= wKey[124];
451: X1 ^= wKey[125];
452: X2 ^= wKey[126];
453: X3 ^= wKey[127];
454: inverseLT();
455: ib6(X0, X1, X2, X3);
456: X0 ^= wKey[120];
457: X1 ^= wKey[121];
458: X2 ^= wKey[122];
459: X3 ^= wKey[123];
460: inverseLT();
461: ib5(X0, X1, X2, X3);
462: X0 ^= wKey[116];
463: X1 ^= wKey[117];
464: X2 ^= wKey[118];
465: X3 ^= wKey[119];
466: inverseLT();
467: ib4(X0, X1, X2, X3);
468: X0 ^= wKey[112];
469: X1 ^= wKey[113];
470: X2 ^= wKey[114];
471: X3 ^= wKey[115];
472: inverseLT();
473: ib3(X0, X1, X2, X3);
474: X0 ^= wKey[108];
475: X1 ^= wKey[109];
476: X2 ^= wKey[110];
477: X3 ^= wKey[111];
478: inverseLT();
479: ib2(X0, X1, X2, X3);
480: X0 ^= wKey[104];
481: X1 ^= wKey[105];
482: X2 ^= wKey[106];
483: X3 ^= wKey[107];
484: inverseLT();
485: ib1(X0, X1, X2, X3);
486: X0 ^= wKey[100];
487: X1 ^= wKey[101];
488: X2 ^= wKey[102];
489: X3 ^= wKey[103];
490: inverseLT();
491: ib0(X0, X1, X2, X3);
492: X0 ^= wKey[96];
493: X1 ^= wKey[97];
494: X2 ^= wKey[98];
495: X3 ^= wKey[99];
496: inverseLT();
497: ib7(X0, X1, X2, X3);
498: X0 ^= wKey[92];
499: X1 ^= wKey[93];
500: X2 ^= wKey[94];
501: X3 ^= wKey[95];
502: inverseLT();
503: ib6(X0, X1, X2, X3);
504: X0 ^= wKey[88];
505: X1 ^= wKey[89];
506: X2 ^= wKey[90];
507: X3 ^= wKey[91];
508: inverseLT();
509: ib5(X0, X1, X2, X3);
510: X0 ^= wKey[84];
511: X1 ^= wKey[85];
512: X2 ^= wKey[86];
513: X3 ^= wKey[87];
514: inverseLT();
515: ib4(X0, X1, X2, X3);
516: X0 ^= wKey[80];
517: X1 ^= wKey[81];
518: X2 ^= wKey[82];
519: X3 ^= wKey[83];
520: inverseLT();
521: ib3(X0, X1, X2, X3);
522: X0 ^= wKey[76];
523: X1 ^= wKey[77];
524: X2 ^= wKey[78];
525: X3 ^= wKey[79];
526: inverseLT();
527: ib2(X0, X1, X2, X3);
528: X0 ^= wKey[72];
529: X1 ^= wKey[73];
530: X2 ^= wKey[74];
531: X3 ^= wKey[75];
532: inverseLT();
533: ib1(X0, X1, X2, X3);
534: X0 ^= wKey[68];
535: X1 ^= wKey[69];
536: X2 ^= wKey[70];
537: X3 ^= wKey[71];
538: inverseLT();
539: ib0(X0, X1, X2, X3);
540: X0 ^= wKey[64];
541: X1 ^= wKey[65];
542: X2 ^= wKey[66];
543: X3 ^= wKey[67];
544: inverseLT();
545: ib7(X0, X1, X2, X3);
546: X0 ^= wKey[60];
547: X1 ^= wKey[61];
548: X2 ^= wKey[62];
549: X3 ^= wKey[63];
550: inverseLT();
551: ib6(X0, X1, X2, X3);
552: X0 ^= wKey[56];
553: X1 ^= wKey[57];
554: X2 ^= wKey[58];
555: X3 ^= wKey[59];
556: inverseLT();
557: ib5(X0, X1, X2, X3);
558: X0 ^= wKey[52];
559: X1 ^= wKey[53];
560: X2 ^= wKey[54];
561: X3 ^= wKey[55];
562: inverseLT();
563: ib4(X0, X1, X2, X3);
564: X0 ^= wKey[48];
565: X1 ^= wKey[49];
566: X2 ^= wKey[50];
567: X3 ^= wKey[51];
568: inverseLT();
569: ib3(X0, X1, X2, X3);
570: X0 ^= wKey[44];
571: X1 ^= wKey[45];
572: X2 ^= wKey[46];
573: X3 ^= wKey[47];
574: inverseLT();
575: ib2(X0, X1, X2, X3);
576: X0 ^= wKey[40];
577: X1 ^= wKey[41];
578: X2 ^= wKey[42];
579: X3 ^= wKey[43];
580: inverseLT();
581: ib1(X0, X1, X2, X3);
582: X0 ^= wKey[36];
583: X1 ^= wKey[37];
584: X2 ^= wKey[38];
585: X3 ^= wKey[39];
586: inverseLT();
587: ib0(X0, X1, X2, X3);
588: X0 ^= wKey[32];
589: X1 ^= wKey[33];
590: X2 ^= wKey[34];
591: X3 ^= wKey[35];
592: inverseLT();
593: ib7(X0, X1, X2, X3);
594: X0 ^= wKey[28];
595: X1 ^= wKey[29];
596: X2 ^= wKey[30];
597: X3 ^= wKey[31];
598: inverseLT();
599: ib6(X0, X1, X2, X3);
600: X0 ^= wKey[24];
601: X1 ^= wKey[25];
602: X2 ^= wKey[26];
603: X3 ^= wKey[27];
604: inverseLT();
605: ib5(X0, X1, X2, X3);
606: X0 ^= wKey[20];
607: X1 ^= wKey[21];
608: X2 ^= wKey[22];
609: X3 ^= wKey[23];
610: inverseLT();
611: ib4(X0, X1, X2, X3);
612: X0 ^= wKey[16];
613: X1 ^= wKey[17];
614: X2 ^= wKey[18];
615: X3 ^= wKey[19];
616: inverseLT();
617: ib3(X0, X1, X2, X3);
618: X0 ^= wKey[12];
619: X1 ^= wKey[13];
620: X2 ^= wKey[14];
621: X3 ^= wKey[15];
622: inverseLT();
623: ib2(X0, X1, X2, X3);
624: X0 ^= wKey[8];
625: X1 ^= wKey[9];
626: X2 ^= wKey[10];
627: X3 ^= wKey[11];
628: inverseLT();
629: ib1(X0, X1, X2, X3);
630: X0 ^= wKey[4];
631: X1 ^= wKey[5];
632: X2 ^= wKey[6];
633: X3 ^= wKey[7];
634: inverseLT();
635: ib0(X0, X1, X2, X3);
636:
637: wordToBytes(X3 ^ wKey[3], out, outOff);
638: wordToBytes(X2 ^ wKey[2], out, outOff + 4);
639: wordToBytes(X1 ^ wKey[1], out, outOff + 8);
640: wordToBytes(X0 ^ wKey[0], out, outOff + 12);
641: }
642:
643: /**
644: * The sboxes below are based on the work of Brian Gladman and
645: * Sam Simpson, whose original notice appears below.
646: * <p>
647: * For further details see:
648: * http://fp.gladman.plus.com/cryptography_technology/serpent/
649: */
650:
651: /* Partially optimised Serpent S Box boolean functions derived */
652: /* using a recursive descent analyser but without a full search */
653: /* of all subtrees. This set of S boxes is the result of work */
654: /* by Sam Simpson and Brian Gladman using the spare time on a */
655: /* cluster of high capacity servers to search for S boxes with */
656: /* this customised search engine. There are now an average of */
657: /* 15.375 terms per S box. */
658: /* */
659: /* Copyright: Dr B. R Gladman (gladman@seven77.demon.co.uk) */
660: /* and Sam Simpson (s.simpson@mia.co.uk) */
661: /* 17th December 1998 */
662: /* */
663: /* We hereby give permission for information in this file to be */
664: /* used freely subject only to acknowledgement of its origin. */
665:
666: /**
667: * S0 - { 3, 8,15, 1,10, 6, 5,11,14,13, 4, 2, 7, 0, 9,12 } - 15 terms.
668: */
669: private void sb0(int a, int b, int c, int d) {
670: int t1 = a ^ d;
671: int t3 = c ^ t1;
672: int t4 = b ^ t3;
673: X3 = (a & d) ^ t4;
674: int t7 = a ^ (b & t1);
675: X2 = t4 ^ (c | t7);
676: int t12 = X3 & (t3 ^ t7);
677: X1 = (~t3) ^ t12;
678: X0 = t12 ^ (~t7);
679: }
680:
681: /**
682: * InvSO - {13, 3,11, 0,10, 6, 5,12, 1,14, 4, 7,15, 9, 8, 2 } - 15 terms.
683: */
684: private void ib0(int a, int b, int c, int d) {
685: int t1 = ~a;
686: int t2 = a ^ b;
687: int t4 = d ^ (t1 | t2);
688: int t5 = c ^ t4;
689: X2 = t2 ^ t5;
690: int t8 = t1 ^ (d & t2);
691: X1 = t4 ^ (X2 & t8);
692: X3 = (a & t4) ^ (t5 | X1);
693: X0 = X3 ^ (t5 ^ t8);
694: }
695:
696: /**
697: * S1 - {15,12, 2, 7, 9, 0, 5,10, 1,11,14, 8, 6,13, 3, 4 } - 14 terms.
698: */
699: private void sb1(int a, int b, int c, int d) {
700: int t2 = b ^ (~a);
701: int t5 = c ^ (a | t2);
702: X2 = d ^ t5;
703: int t7 = b ^ (d | t2);
704: int t8 = t2 ^ X2;
705: X3 = t8 ^ (t5 & t7);
706: int t11 = t5 ^ t7;
707: X1 = X3 ^ t11;
708: X0 = t5 ^ (t8 & t11);
709: }
710:
711: /**
712: * InvS1 - { 5, 8, 2,14,15, 6,12, 3,11, 4, 7, 9, 1,13,10, 0 } - 14 steps.
713: */
714: private void ib1(int a, int b, int c, int d) {
715: int t1 = b ^ d;
716: int t3 = a ^ (b & t1);
717: int t4 = t1 ^ t3;
718: X3 = c ^ t4;
719: int t7 = b ^ (t1 & t3);
720: int t8 = X3 | t7;
721: X1 = t3 ^ t8;
722: int t10 = ~X1;
723: int t11 = X3 ^ t7;
724: X0 = t10 ^ t11;
725: X2 = t4 ^ (t10 | t11);
726: }
727:
728: /**
729: * S2 - { 8, 6, 7, 9, 3,12,10,15,13, 1,14, 4, 0,11, 5, 2 } - 16 terms.
730: */
731: private void sb2(int a, int b, int c, int d) {
732: int t1 = ~a;
733: int t2 = b ^ d;
734: int t3 = c & t1;
735: X0 = t2 ^ t3;
736: int t5 = c ^ t1;
737: int t6 = c ^ X0;
738: int t7 = b & t6;
739: X3 = t5 ^ t7;
740: X2 = a ^ ((d | t7) & (X0 | t5));
741: X1 = (t2 ^ X3) ^ (X2 ^ (d | t1));
742: }
743:
744: /**
745: * InvS2 - {12, 9,15, 4,11,14, 1, 2, 0, 3, 6,13, 5, 8,10, 7 } - 16 steps.
746: */
747: private void ib2(int a, int b, int c, int d) {
748: int t1 = b ^ d;
749: int t2 = ~t1;
750: int t3 = a ^ c;
751: int t4 = c ^ t1;
752: int t5 = b & t4;
753: X0 = t3 ^ t5;
754: int t7 = a | t2;
755: int t8 = d ^ t7;
756: int t9 = t3 | t8;
757: X3 = t1 ^ t9;
758: int t11 = ~t4;
759: int t12 = X0 | X3;
760: X1 = t11 ^ t12;
761: X2 = (d & t11) ^ (t3 ^ t12);
762: }
763:
764: /**
765: * S3 - { 0,15,11, 8,12, 9, 6, 3,13, 1, 2, 4,10, 7, 5,14 } - 16 terms.
766: */
767: private void sb3(int a, int b, int c, int d) {
768: int t1 = a ^ b;
769: int t2 = a & c;
770: int t3 = a | d;
771: int t4 = c ^ d;
772: int t5 = t1 & t3;
773: int t6 = t2 | t5;
774: X2 = t4 ^ t6;
775: int t8 = b ^ t3;
776: int t9 = t6 ^ t8;
777: int t10 = t4 & t9;
778: X0 = t1 ^ t10;
779: int t12 = X2 & X0;
780: X1 = t9 ^ t12;
781: X3 = (b | d) ^ (t4 ^ t12);
782: }
783:
784: /**
785: * InvS3 - { 0, 9,10, 7,11,14, 6,13, 3, 5,12, 2, 4, 8,15, 1 } - 15 terms
786: */
787: private void ib3(int a, int b, int c, int d) {
788: int t1 = a | b;
789: int t2 = b ^ c;
790: int t3 = b & t2;
791: int t4 = a ^ t3;
792: int t5 = c ^ t4;
793: int t6 = d | t4;
794: X0 = t2 ^ t6;
795: int t8 = t2 | t6;
796: int t9 = d ^ t8;
797: X2 = t5 ^ t9;
798: int t11 = t1 ^ t9;
799: int t12 = X0 & t11;
800: X3 = t4 ^ t12;
801: X1 = X3 ^ (X0 ^ t11);
802: }
803:
804: /**
805: * S4 - { 1,15, 8, 3,12, 0,11, 6, 2, 5, 4,10, 9,14, 7,13 } - 15 terms.
806: */
807: private void sb4(int a, int b, int c, int d) {
808: int t1 = a ^ d;
809: int t2 = d & t1;
810: int t3 = c ^ t2;
811: int t4 = b | t3;
812: X3 = t1 ^ t4;
813: int t6 = ~b;
814: int t7 = t1 | t6;
815: X0 = t3 ^ t7;
816: int t9 = a & X0;
817: int t10 = t1 ^ t6;
818: int t11 = t4 & t10;
819: X2 = t9 ^ t11;
820: X1 = (a ^ t3) ^ (t10 & X2);
821: }
822:
823: /**
824: * InvS4 - { 5, 0, 8, 3,10, 9, 7,14, 2,12,11, 6, 4,15,13, 1 } - 15 terms.
825: */
826: private void ib4(int a, int b, int c, int d) {
827: int t1 = c | d;
828: int t2 = a & t1;
829: int t3 = b ^ t2;
830: int t4 = a & t3;
831: int t5 = c ^ t4;
832: X1 = d ^ t5;
833: int t7 = ~a;
834: int t8 = t5 & X1;
835: X3 = t3 ^ t8;
836: int t10 = X1 | t7;
837: int t11 = d ^ t10;
838: X0 = X3 ^ t11;
839: X2 = (t3 & t11) ^ (X1 ^ t7);
840: }
841:
842: /**
843: * S5 - {15, 5, 2,11, 4,10, 9,12, 0, 3,14, 8,13, 6, 7, 1 } - 16 terms.
844: */
845: private void sb5(int a, int b, int c, int d) {
846: int t1 = ~a;
847: int t2 = a ^ b;
848: int t3 = a ^ d;
849: int t4 = c ^ t1;
850: int t5 = t2 | t3;
851: X0 = t4 ^ t5;
852: int t7 = d & X0;
853: int t8 = t2 ^ X0;
854: X1 = t7 ^ t8;
855: int t10 = t1 | X0;
856: int t11 = t2 | t7;
857: int t12 = t3 ^ t10;
858: X2 = t11 ^ t12;
859: X3 = (b ^ t7) ^ (X1 & t12);
860: }
861:
862: /**
863: * InvS5 - { 8,15, 2, 9, 4, 1,13,14,11, 6, 5, 3, 7,12,10, 0 } - 16 terms.
864: */
865: private void ib5(int a, int b, int c, int d) {
866: int t1 = ~c;
867: int t2 = b & t1;
868: int t3 = d ^ t2;
869: int t4 = a & t3;
870: int t5 = b ^ t1;
871: X3 = t4 ^ t5;
872: int t7 = b | X3;
873: int t8 = a & t7;
874: X1 = t3 ^ t8;
875: int t10 = a | d;
876: int t11 = t1 ^ t7;
877: X0 = t10 ^ t11;
878: X2 = (b & t10) ^ (t4 | (a ^ c));
879: }
880:
881: /**
882: * S6 - { 7, 2,12, 5, 8, 4, 6,11,14, 9, 1,15,13, 3,10, 0 } - 15 terms.
883: */
884: private void sb6(int a, int b, int c, int d) {
885: int t1 = ~a;
886: int t2 = a ^ d;
887: int t3 = b ^ t2;
888: int t4 = t1 | t2;
889: int t5 = c ^ t4;
890: X1 = b ^ t5;
891: int t7 = t2 | X1;
892: int t8 = d ^ t7;
893: int t9 = t5 & t8;
894: X2 = t3 ^ t9;
895: int t11 = t5 ^ t8;
896: X0 = X2 ^ t11;
897: X3 = (~t5) ^ (t3 & t11);
898: }
899:
900: /**
901: * InvS6 - {15,10, 1,13, 5, 3, 6, 0, 4, 9,14, 7, 2,12, 8,11 } - 15 terms.
902: */
903: private void ib6(int a, int b, int c, int d) {
904: int t1 = ~a;
905: int t2 = a ^ b;
906: int t3 = c ^ t2;
907: int t4 = c | t1;
908: int t5 = d ^ t4;
909: X1 = t3 ^ t5;
910: int t7 = t3 & t5;
911: int t8 = t2 ^ t7;
912: int t9 = b | t8;
913: X3 = t5 ^ t9;
914: int t11 = b | X3;
915: X0 = t8 ^ t11;
916: X2 = (d & t1) ^ (t3 ^ t11);
917: }
918:
919: /**
920: * S7 - { 1,13,15, 0,14, 8, 2,11, 7, 4,12,10, 9, 3, 5, 6 } - 16 terms.
921: */
922: private void sb7(int a, int b, int c, int d) {
923: int t1 = b ^ c;
924: int t2 = c & t1;
925: int t3 = d ^ t2;
926: int t4 = a ^ t3;
927: int t5 = d | t1;
928: int t6 = t4 & t5;
929: X1 = b ^ t6;
930: int t8 = t3 | X1;
931: int t9 = a & t4;
932: X3 = t1 ^ t9;
933: int t11 = t4 ^ t8;
934: int t12 = X3 & t11;
935: X2 = t3 ^ t12;
936: X0 = (~t11) ^ (X3 & X2);
937: }
938:
939: /**
940: * InvS7 - { 3, 0, 6,13, 9,14,15, 8, 5,12,11, 7,10, 1, 4, 2 } - 17 terms.
941: */
942: private void ib7(int a, int b, int c, int d) {
943: int t3 = c | (a & b);
944: int t4 = d & (a | b);
945: X3 = t3 ^ t4;
946: int t6 = ~d;
947: int t7 = b ^ t4;
948: int t9 = t7 | (X3 ^ t6);
949: X1 = a ^ t9;
950: X0 = (c ^ t7) ^ (d | X1);
951: X2 = (t3 ^ X1) ^ (X0 ^ (a & X3));
952: }
953:
954: /**
955: * Apply the linear transformation to the register set.
956: */
957: private void LT() {
958: int x0 = rotateLeft(X0, 13);
959: int x2 = rotateLeft(X2, 3);
960: int x1 = X1 ^ x0 ^ x2;
961: int x3 = X3 ^ x2 ^ x0 << 3;
962:
963: X1 = rotateLeft(x1, 1);
964: X3 = rotateLeft(x3, 7);
965: X0 = rotateLeft(x0 ^ X1 ^ X3, 5);
966: X2 = rotateLeft(x2 ^ X3 ^ (X1 << 7), 22);
967: }
968:
969: /**
970: * Apply the inverse of the linear transformation to the register set.
971: */
972: private void inverseLT() {
973: int x2 = rotateRight(X2, 22) ^ X3 ^ (X1 << 7);
974: int x0 = rotateRight(X0, 5) ^ X1 ^ X3;
975: int x3 = rotateRight(X3, 7);
976: int x1 = rotateRight(X1, 1);
977: X3 = x3 ^ x2 ^ x0 << 3;
978: X1 = x1 ^ x0 ^ x2;
979: X2 = rotateRight(x2, 3);
980: X0 = rotateRight(x0, 13);
981: }
982: }
|