* generate tables for the AES cipher
* Copyright(c) 2001-2006 Cisco Systems, Inc.
* All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
* Neither the name of the Cisco Systems, Inc. nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
#include "crypto_math.h"
unsigned char aes_sbox[256];
unsigned char aes_inv_sbox[256];
/*
 * Forward lookup tables, 256 32-bit words each.
 * NOTE(review): if the cipher indexes these tables with key- or
 * state-dependent bytes (as table-driven AES typically does), the memory
 * access pattern depends on secret data and is exposed to cache-timing
 * analysis. Where that matters, prefer a constant-time (bitsliced) or
 * hardware AES implementation; confirm how the consumer uses T0..T4.
 */
uint32_t T0[256], T1[256], T2[256], T3[256], T4[256];
#define AES_INVERSE_TEST 0 /* set to 1 to test forward/backwards aes */
/* functions for precomputing AES values */
* A[] is the 8 x 8 binary matrix (represented as an array of columns,
* where each column is an octet) which defines the affine
* transformation used in the AES substitution table (Section
/* Column k is 0x1f rotated left by k bits within an octet (31, 62, ..., 143). */
uint8_t A[8] = { 31, 62, 124, 248, 241, 227, 199, 143 };
* b is the 8 bit vector (represented as an octet) used in the affine
* transform described above.
for (i=0; i < 256; i++) {
/* presumably the multiplicative inverse of i in GF(2^8), going by the helper's name; the affine step A*x + b is applied next */
x = gf2_8_compute_inverse((gf2_8)i);
x = A_times_x_plus_b(A, x, b);
aes_compute_tables(void) {
/* initialize substitution table */
/* combine sbox with linear operations to form 8-bit to 32-bit tables */
for (i=0; i < 256; i++) {
x2 = gf2_8_shift(x1);
* the tables U0, U1, U2, U3 implement the aes operations invSubBytes,
* invMixColumns, and invShiftRows
uint32_t U0[256], U1[256], U2[256], U3[256], U4[256];
extern uint8_t aes_inv_sbox[256];
aes_compute_inv_tables(void) {
uint8_t x, xe, x9, xd, xb;
/* combine sbox with linear operations to form 8-bit to 32-bit tables */
for (i=0; i < 256; i++) {
/* 0x0e, 0x09, 0x0d and 0x0b (this line and the three that follow) are the InvMixColumns matrix coefficients; each product is presumably taken in GF(2^8), going by gf2_8_multiply's name */
xe = gf2_8_multiply(0x0e, x);
x9 = gf2_8_multiply(0x09, x);
xd = gf2_8_multiply(0x0d, x);
xb = gf2_8_multiply(0x0b, x);
tmp.v8[0] = tmp.v8[1] = tmp.v8[2] = tmp.v8[3] = x;
* aes_test_inverse() returns err_status_ok if aes
* encryption and decryption are true inverses of each other, and
* returns err_status_algo_fail otherwise
aes_test_inverse(void);
#define TABLES_32BIT 1
aes_compute_inv_tables();
/*
 * NOTE(review): the emitted text opens a scalar declaration
 * ("uint32_t U0 = {") although the loop that follows prints 256 values;
 * the generated source needs an array declarator (e.g. "U0[256]") to
 * compile as a table. The U1..U4 prints and the second set of prints
 * further down emit the same form.
 */
printf("uint32_t U0 = {");
for (i=0; i < 256; i++) {
/* NOTE(review): %x takes unsigned int while U0 is uint32_t; PRIx32 from <inttypes.h> is the portable specifier. The '0' flag has no effect without a field width, and the U1..U4 prints below use plain %x. */
printf("0x%0x, ", U0[i]);
printf("uint32_t U1 = {");
for (i=0; i < 256; i++) {
printf("0x%x, ", U1[i]);
printf("uint32_t U2 = {");
for (i=0; i < 256; i++) {
printf("0x%x, ", U2[i]);
printf("uint32_t U3 = {");
for (i=0; i < 256; i++) {
printf("0x%x, ", U3[i]);
printf("uint32_t U4 = {");
for (i=0; i < 256; i++) {
printf("0x%x, ", U4[i]);
printf("uint32_t U0 = {");
for (i=0; i < 256; i++) {
/*
 * NOTE(review): %lx expects unsigned long, but U0 is declared uint32_t.
 * Where uint32_t is not unsigned long the argument type does not match the
 * conversion (undefined behavior); cast to (unsigned long) or use PRIx32
 * from <inttypes.h>. The U1..U4 prints below have the same mismatch.
 * Presumably this is the branch compiled when TABLES_32BIT is not set;
 * the #if/#else lines are not visible here.
 */
printf("0x%lx, ", U0[i]);
printf("uint32_t U1 = {");
for (i=0; i < 256; i++) {
printf("0x%lx, ", U1[i]);
printf("uint32_t U2 = {");
for (i=0; i < 256; i++) {
printf("0x%lx, ", U2[i]);
printf("uint32_t U3 = {");
for (i=0; i < 256; i++) {
printf("0x%lx, ", U3[i]);
printf("uint32_t U4 = {");
for (i=0; i < 256; i++) {
printf("0x%lx, ", U4[i]);
#endif /* TABLES_32BIT */
* test that aes_encrypt and aes_decrypt are actually
* inverses of each other
printf("aes inverse test: ");
if (aes_test_inverse() == err_status_ok)
aes_test_inverse(void) {
aes_expanded_key_t expanded_key, decrypt_key;
uint8_t plaintext[16] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
v128_set_to_zero(&x);
v128_copy_octet_string(&k, key);
v128_copy_octet_string(&x, plaintext);
aes_expand_encryption_key(k, expanded_key);
aes_expand_decryption_key(k, decrypt_key);
aes_encrypt(&x, expanded_key);
/*
 * x holds the output of aes_encrypt() here and is decrypted in place.
 * NOTE(review): the ciphertext is never compared against a known answer, so
 * this test passes whenever decrypt undoes encrypt, even if both deviate
 * from AES. The plaintext above (and presumably the key, 00..0f) match the
 * FIPS-197 Appendix C.1 AES-128 example, whose published ciphertext is
 * 69c4e0d86a7b0430d8cdb78070b4c55a; checking x against it before
 * decrypting would make this a known-answer test.
 */
aes_decrypt(&x, decrypt_key);
/* compare to expected value then report */
v128_copy_octet_string(&y, plaintext);
if (v128_is_eq(&x, &y))
return err_status_ok;
return err_status_algo_fail;