1
/* LibTomCrypt, modular cryptographic library -- Tom St Denis
3
* LibTomCrypt is a library that provides various cryptographic
4
* algorithms in a highly modular and flexible manner.
6
* The library is free for all purposes without any express
9
* Tom St Denis, tomstdenis@iahu.ca, http://libtomcrypt.org
12
/*******************************************************************************
16
* DESCRIPTION: block-cipher algorithm SAFER (Secure And Fast Encryption
17
* Routine) in its four versions: SAFER K-64, SAFER K-128,
18
* SAFER SK-64 and SAFER SK-128.
20
* AUTHOR: Richard De Moliner (demoliner@isi.ee.ethz.ch)
21
* Signal and Information Processing Laboratory
22
* Swiss Federal Institute of Technology
23
* CH-8092 Zuerich, Switzerland
25
* DATE: September 9, 1995
29
*******************************************************************************/
35
const struct _cipher_descriptor
38
8, 8, 8, 8, SAFER_K64_DEFAULT_NOF_ROUNDS,
48
9, 8, 8, 8, SAFER_SK64_DEFAULT_NOF_ROUNDS,
58
10, 16, 16, 8, SAFER_K128_DEFAULT_NOF_ROUNDS,
68
11, 16, 16, 8, SAFER_SK128_DEFAULT_NOF_ROUNDS,
76
/******************* Constants ************************************************/
77
// #define TAB_LEN 256
79
/******************* Assertions ***********************************************/
81
/******************* Macros ***************************************************/
82
#define ROL8(x, n) ((unsigned char)((unsigned int)(x) << (n)\
83
|(unsigned int)((x) & 0xFF) >> (8 - (n))))
84
#define EXP(x) safer_ebox[(x) & 0xFF]
85
#define LOG(x) safer_lbox[(x) & 0xFF]
86
#define PHT(x, y) { y += x; x += y; }
87
#define IPHT(x, y) { x -= y; y -= x; }
89
/******************* Types ****************************************************/
90
extern const unsigned char safer_ebox[], safer_lbox[];
93
static void _Safer_Expand_Userkey(const unsigned char *userkey_1,
94
const unsigned char *userkey_2,
95
unsigned int nof_rounds,
99
static void Safer_Expand_Userkey(const unsigned char *userkey_1,
100
const unsigned char *userkey_2,
101
unsigned int nof_rounds,
105
{ unsigned int i, j, k;
106
unsigned char ka[SAFER_BLOCK_LEN + 1];
107
unsigned char kb[SAFER_BLOCK_LEN + 1];
109
if (SAFER_MAX_NOF_ROUNDS < nof_rounds)
110
nof_rounds = SAFER_MAX_NOF_ROUNDS;
111
*key++ = (unsigned char)nof_rounds;
112
ka[SAFER_BLOCK_LEN] = (unsigned char)0;
113
kb[SAFER_BLOCK_LEN] = (unsigned char)0;
115
for (j = 0; j < SAFER_BLOCK_LEN; j++) {
116
ka[j] = ROL8(userkey_1[j], 5);
117
ka[SAFER_BLOCK_LEN] ^= ka[j];
118
kb[j] = *key++ = userkey_2[j];
119
kb[SAFER_BLOCK_LEN] ^= kb[j];
121
for (i = 1; i <= nof_rounds; i++) {
122
for (j = 0; j < SAFER_BLOCK_LEN + 1; j++) {
123
ka[j] = ROL8(ka[j], 6);
124
kb[j] = ROL8(kb[j], 6);
128
while (k >= (SAFER_BLOCK_LEN + 1)) { k -= SAFER_BLOCK_LEN + 1; }
130
for (j = 0; j < SAFER_BLOCK_LEN; j++) {
133
+ safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF;
134
if (++k == (SAFER_BLOCK_LEN + 1)) { k = 0; }
136
*key++ = (ka[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF;
141
while (k >= (SAFER_BLOCK_LEN + 1)) { k -= SAFER_BLOCK_LEN + 1; }
143
for (j = 0; j < SAFER_BLOCK_LEN; j++) {
146
+ safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF;
147
if (++k == (SAFER_BLOCK_LEN + 1)) { k = 0; }
149
*key++ = (kb[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF;
155
zeromem(ka, sizeof(ka));
156
zeromem(kb, sizeof(kb));
161
static void Safer_Expand_Userkey(const unsigned char *userkey_1,
162
const unsigned char *userkey_2,
163
unsigned int nof_rounds,
167
_Safer_Expand_Userkey(userkey_1, userkey_2, nof_rounds, strengthened, key);
168
burn_stack(sizeof(unsigned char) * (2 * (SAFER_BLOCK_LEN + 1)) + sizeof(unsigned int)*2);
172
int safer_k64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
174
_ARGCHK(key != NULL);
175
_ARGCHK(skey != NULL);
177
if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
178
return CRYPT_INVALID_ROUNDS;
182
return CRYPT_INVALID_KEYSIZE;
185
Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:SAFER_K64_DEFAULT_NOF_ROUNDS), 0, skey->safer.key);
189
int safer_sk64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
191
_ARGCHK(key != NULL);
192
_ARGCHK(skey != NULL);
194
if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
195
return CRYPT_INVALID_ROUNDS;
199
return CRYPT_INVALID_KEYSIZE;
202
Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:SAFER_SK64_DEFAULT_NOF_ROUNDS), 1, skey->safer.key);
206
int safer_k128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
208
_ARGCHK(key != NULL);
209
_ARGCHK(skey != NULL);
211
if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
212
return CRYPT_INVALID_ROUNDS;
216
return CRYPT_INVALID_KEYSIZE;
219
Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0 ?numrounds:SAFER_K128_DEFAULT_NOF_ROUNDS), 0, skey->safer.key);
223
int safer_sk128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
225
_ARGCHK(key != NULL);
226
_ARGCHK(skey != NULL);
228
if (numrounds != 0 && (numrounds < 6 || numrounds > SAFER_MAX_NOF_ROUNDS)) {
229
return CRYPT_INVALID_ROUNDS;
233
return CRYPT_INVALID_KEYSIZE;
236
Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0?numrounds:SAFER_SK128_DEFAULT_NOF_ROUNDS), 1, skey->safer.key);
241
static void _safer_ecb_encrypt(const unsigned char *block_in,
242
unsigned char *block_out,
245
void safer_ecb_encrypt(const unsigned char *block_in,
246
unsigned char *block_out,
249
{ unsigned char a, b, c, d, e, f, g, h, t;
253
_ARGCHK(block_in != NULL);
254
_ARGCHK(block_out != NULL);
255
_ARGCHK(skey != NULL);
257
key = skey->safer.key;
258
a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3];
259
e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7];
260
if (SAFER_MAX_NOF_ROUNDS < (round = *key)) round = SAFER_MAX_NOF_ROUNDS;
263
a ^= *++key; b += *++key; c += *++key; d ^= *++key;
264
e ^= *++key; f += *++key; g += *++key; h ^= *++key;
265
a = EXP(a) + *++key; b = LOG(b) ^ *++key;
266
c = LOG(c) ^ *++key; d = EXP(d) + *++key;
267
e = EXP(e) + *++key; f = LOG(f) ^ *++key;
268
g = LOG(g) ^ *++key; h = EXP(h) + *++key;
269
PHT(a, b); PHT(c, d); PHT(e, f); PHT(g, h);
270
PHT(a, c); PHT(e, g); PHT(b, d); PHT(f, h);
271
PHT(a, e); PHT(b, f); PHT(c, g); PHT(d, h);
272
t = b; b = e; e = c; c = t; t = d; d = f; f = g; g = t;
274
a ^= *++key; b += *++key; c += *++key; d ^= *++key;
275
e ^= *++key; f += *++key; g += *++key; h ^= *++key;
276
block_out[0] = a & 0xFF; block_out[1] = b & 0xFF;
277
block_out[2] = c & 0xFF; block_out[3] = d & 0xFF;
278
block_out[4] = e & 0xFF; block_out[5] = f & 0xFF;
279
block_out[6] = g & 0xFF; block_out[7] = h & 0xFF;
283
void safer_ecb_encrypt(const unsigned char *block_in,
284
unsigned char *block_out,
287
_safer_ecb_encrypt(block_in, block_out, skey);
288
burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *));
293
static void _safer_ecb_decrypt(const unsigned char *block_in,
294
unsigned char *block_out,
297
void safer_ecb_decrypt(const unsigned char *block_in,
298
unsigned char *block_out,
301
{ unsigned char a, b, c, d, e, f, g, h, t;
305
_ARGCHK(block_in != NULL);
306
_ARGCHK(block_out != NULL);
307
_ARGCHK(skey != NULL);
309
key = skey->safer.key;
310
a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3];
311
e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7];
312
if (SAFER_MAX_NOF_ROUNDS < (round = *key)) round = SAFER_MAX_NOF_ROUNDS;
313
key += SAFER_BLOCK_LEN * (1 + 2 * round);
314
h ^= *key; g -= *--key; f -= *--key; e ^= *--key;
315
d ^= *--key; c -= *--key; b -= *--key; a ^= *--key;
318
t = e; e = b; b = c; c = t; t = f; f = d; d = g; g = t;
319
IPHT(a, e); IPHT(b, f); IPHT(c, g); IPHT(d, h);
320
IPHT(a, c); IPHT(e, g); IPHT(b, d); IPHT(f, h);
321
IPHT(a, b); IPHT(c, d); IPHT(e, f); IPHT(g, h);
322
h -= *--key; g ^= *--key; f ^= *--key; e -= *--key;
323
d -= *--key; c ^= *--key; b ^= *--key; a -= *--key;
324
h = LOG(h) ^ *--key; g = EXP(g) - *--key;
325
f = EXP(f) - *--key; e = LOG(e) ^ *--key;
326
d = LOG(d) ^ *--key; c = EXP(c) - *--key;
327
b = EXP(b) - *--key; a = LOG(a) ^ *--key;
329
block_out[0] = a & 0xFF; block_out[1] = b & 0xFF;
330
block_out[2] = c & 0xFF; block_out[3] = d & 0xFF;
331
block_out[4] = e & 0xFF; block_out[5] = f & 0xFF;
332
block_out[6] = g & 0xFF; block_out[7] = h & 0xFF;
336
void safer_ecb_decrypt(const unsigned char *block_in,
337
unsigned char *block_out,
340
_safer_ecb_decrypt(block_in, block_out, skey);
341
burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *));
345
int safer_64_keysize(int *keysize)
347
_ARGCHK(keysize != NULL);
349
return CRYPT_INVALID_KEYSIZE;
356
int safer_128_keysize(int *keysize)
358
_ARGCHK(keysize != NULL);
360
return CRYPT_INVALID_KEYSIZE;
367
int safer_k64_test(void)
372
static const unsigned char k64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
373
k64_key[] = { 8, 7, 6, 5, 4, 3, 2, 1 },
374
k64_ct[] = { 200, 242, 156, 221, 135, 120, 62, 217 };
377
unsigned char buf[2][8];
381
if ((err = safer_k64_setup(k64_key, 8, 6, &skey)) != CRYPT_OK) {
384
safer_ecb_encrypt(k64_pt, buf[0], &skey);
385
safer_ecb_decrypt(buf[0], buf[1], &skey);
387
if (memcmp(buf[0], k64_ct, 8) != 0 || memcmp(buf[1], k64_pt, 8) != 0) {
388
return CRYPT_FAIL_TESTVECTOR;
396
int safer_sk64_test(void)
401
static const unsigned char sk64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
402
sk64_key[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
403
sk64_ct[] = { 95, 206, 155, 162, 5, 132, 56, 199 };
406
unsigned char buf[2][8];
410
if ((err = safer_sk64_setup(sk64_key, 8, 6, &skey)) != CRYPT_OK) {
414
safer_ecb_encrypt(sk64_pt, buf[0], &skey);
415
safer_ecb_decrypt(buf[0], buf[1], &skey);
417
if (memcmp(buf[0], sk64_ct, 8) != 0 || memcmp(buf[1], sk64_pt, 8) != 0) {
418
return CRYPT_FAIL_TESTVECTOR;
421
/* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
422
for (y = 0; y < 8; y++) buf[0][y] = 0;
423
for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey);
424
for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey);
425
for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
431
int safer_sk128_test(void)
436
static const unsigned char sk128_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
437
sk128_key[] = { 1, 2, 3, 4, 5, 6, 7, 8,
438
0, 0, 0, 0, 0, 0, 0, 0 },
439
sk128_ct[] = { 255, 120, 17, 228, 179, 167, 46, 113 };
442
unsigned char buf[2][8];
446
if ((err = safer_sk128_setup(sk128_key, 16, 0, &skey)) != CRYPT_OK) {
449
safer_ecb_encrypt(sk128_pt, buf[0], &skey);
450
safer_ecb_decrypt(buf[0], buf[1], &skey);
452
if (memcmp(buf[0], sk128_ct, 8) != 0 || memcmp(buf[1], sk128_pt, 8) != 0) {
453
return CRYPT_FAIL_TESTVECTOR;
456
/* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
457
for (y = 0; y < 8; y++) buf[0][y] = 0;
458
for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey);
459
for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey);
460
for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;