libmcrypt-nm/lib/gost.c

/*
 * The GOST 28147-89 cipher
 *
 * This is based on the 25 Movember 1993 draft translation
 * by Aleksandr Malchik, with Whitfield Diffie, of the Government
 * Standard of the U.S.S.R. GOST 28149-89, "Cryptographic Transformation
 * Algorithm", effective 1 July 1990.  (Whitfield.Diffie@eng.sun.com)
 *
 * That is a draft, and may contain errors, which will be faithfully
 * reflected here, along with possible exciting new bugs.
 *
 * Some details have been cleared up by the paper "Soviet Encryption
 * Algorithm" by Josef Pieprzyk and Leonid Tombak of the University
 * of Wollongong, New South Wales.  (josef/leo@cs.adfa.oz.au)
 *
 * The standard is written by A. Zabotin (project leader), G.P. Glazkov,
 * and V.B. Isaeva.  It was accepted and introduced into use by the
 * action of the State Standards Committee of the USSR on 2 June 89 as
 * No. 1409.  It was to be reviewed in 1993, but whether anyone wishes
 * to take on this obligation from the USSR is questionable.
 *
 * This code is placed in the public domain.
 */

/* modified in order to use the libmcrypt API by Nikos Mavroyanopoulos 
 * All modifications are placed under the license of libmcrypt.
 */

/* $Id: gost.c,v 1.6 2000/02/02 20:15:50 nikos Exp $ */

#include "libdefs.h"
#include "swap.h"
/*
 * If you read the standard, it belabors the point of copying corresponding
 * bits from point A to point B quite a bit.  It helps to understand that
 * the standard is uniformly little-endian, although it numbers bits from
 * 1 rather than 0, so bit n has value 2^(n-1).  The least significant bit
 * of the 32-bit words that are manipulated in the algorithm is the first,
 * lowest-numbered, in the bit string.
 */

void _mcrypt_kboxinit(void);

/*
 * The standard does not specify the contents of the 8 4 bit->4 bit
 * substitution boxes, saying they're a parameter of the network
 * being set up.  For illustration purposes here, I have used
 * the first rows of the 8 S-boxes from the DES.  (Note that the
 * DES S-boxes are numbered starting from 1 at the msb.  In keeping
 * with the rest of the GOST, I have used little-endian numbering.
 * Thus, k8 is S-box 1.
 *
 * Obviously, a careful look at the cryptographic properties of the cipher
 * must be undertaken before "production" substitution boxes are defined.
 *
 * The standard also does not specify a standard bit-string representation
 * for the contents of these blocks.
 */

/* These are NOT the original s-boxes. I replaced them with the ones
 * found in Applied Cryptography book by Bruce Schneier. These were
 * used in an application for the Central Bank of the Russian Federation
 * --Nikos
 */
static int init=0;

static unsigned char const k1[16] = {
        1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 2
};
static unsigned char const k2[16] = {
        13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12
};
static unsigned char const k3[16] = {
        4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14
};
static unsigned char const k4[16] = {
        6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2
};
static unsigned char const k5[16] = {
        7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3
};
static unsigned char const k6[16] = {
        5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11
};
static unsigned char const k7[16] = {
        14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9
};
static unsigned char const k8[16] = {
        4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3
};

/* Byte-at-a-time substitution boxes */
static unsigned char k87[256];
static unsigned char k65[256];
static unsigned char k43[256];
static unsigned char k21[256];

/*
 * Build byte-at-a-time subtitution tables.
 * This must be called once for global setup.
 */

void _mcrypt_gost_set_key (word32 *inst, word32* key, int len) {

        _mcrypt_kboxinit();
        inst[0] = 0;    inst[1] = 0;
        inst[2] = 0;    inst[3] = 0;
        inst[4] = 0;    inst[5] = 0;
        inst[6] = 0;    inst[7] = 0;
        memmove( inst, key, len);
#ifdef WORDS_BIGENDIAN
        inst[0] = byteswap(inst[0]);
        inst[1] = byteswap(inst[1]);
        inst[2] = byteswap(inst[2]);
        inst[3] = byteswap(inst[3]);
        inst[4] = byteswap(inst[4]);
        inst[5] = byteswap(inst[5]);
        inst[6] = byteswap(inst[6]);
        inst[7] = byteswap(inst[7]);
#endif
}

void _mcrypt_kboxinit(void)
{
        int i;

        if (init==0) { 
                init=1;
                for (i = 0; i < 256; i++) {
                        k87[i] = k8[i >> 4] << 4 | k7[i & 15];
                        k65[i] = k6[i >> 4] << 4 | k5[i & 15];
                        k43[i] = k4[i >> 4] << 4 | k3[i & 15];
                        k21[i] = k2[i >> 4] << 4 | k1[i & 15];
                }
        }

}

/*
 * Do the substitution and rotation that are the core of the operation,
 * like the expansion, substitution and permutation of the DES.
 * It would be possible to perform DES-like optimisations and store
 * the table entries as 32-bit words, already rotated, but the
 * efficiency gain is questionable.
 *
 * This should be inlined for maximum speed
 */
static word32 f(word32 x)
{
        /* Do substitutions */
# if 0
        /* This is annoyingly slow */
        x = k8[x >> 28 & 15] << 28 | k7[x >> 24 & 15] << 24 |
            k6[x >> 20 & 15] << 20 | k5[x >> 16 & 15] << 16 |
            k4[x >> 12 & 15] << 12 | k3[x >> 8 & 15] << 8 |
            k2[x >> 4 & 15] << 4 | k1[x & 15];
# else
        /* This is faster */
        x = k87[x >> 24 & 255] << 24 | k65[x >> 16 & 255] << 16 |
            k43[x >> 8 & 255] << 8 | k21[x & 255];
# endif

        /* Rotate left 11 bits */
        return x << 11 | x >> (32 - 11);

}

/*
 * The GOST standard defines the input in terms of bits 1..64, with
 * bit 1 being the lsb of in[0] and bit 64 being the msb of in[1].
 *
 * The keys are defined similarly, with bit 256 being the msb of key[7].
 */
void _mcrypt_gost_encrypt(word32 const key[8], word32 * in)
{
        register word32 n1, n2; /* As named in the GOST */

/* Added to make it compatible with bigendian machines 
 * --nikos 
 */

#ifndef WORDS_BIGENDIAN
        n1 = byteswap(in[0]);
        n2 = byteswap(in[1]);
#else
        n1 = in[0];
        n2 = in[1];
#endif

        /* Instead of swapping halves, swap names each round */
        n2 ^= f(n1 + key[0]);
        n1 ^= f(n2 + key[1]);
        n2 ^= f(n1 + key[2]);
        n1 ^= f(n2 + key[3]);
        n2 ^= f(n1 + key[4]);
        n1 ^= f(n2 + key[5]);
        n2 ^= f(n1 + key[6]);
        n1 ^= f(n2 + key[7]);

        n2 ^= f(n1 + key[0]);
        n1 ^= f(n2 + key[1]);
        n2 ^= f(n1 + key[2]);
        n1 ^= f(n2 + key[3]);
        n2 ^= f(n1 + key[4]);
        n1 ^= f(n2 + key[5]);
        n2 ^= f(n1 + key[6]);
        n1 ^= f(n2 + key[7]);

        n2 ^= f(n1 + key[0]);
        n1 ^= f(n2 + key[1]);
        n2 ^= f(n1 + key[2]);
        n1 ^= f(n2 + key[3]);
        n2 ^= f(n1 + key[4]);
        n1 ^= f(n2 + key[5]);
        n2 ^= f(n1 + key[6]);
        n1 ^= f(n2 + key[7]);

        n2 ^= f(n1 + key[7]);
        n1 ^= f(n2 + key[6]);
        n2 ^= f(n1 + key[5]);
        n1 ^= f(n2 + key[4]);
        n2 ^= f(n1 + key[3]);
        n1 ^= f(n2 + key[2]);
        n2 ^= f(n1 + key[1]);
        n1 ^= f(n2 + key[0]);

        /* There is no swap after the last round */

#ifndef WORDS_BIGENDIAN
        in[0] = byteswap(n2);
        in[1] = byteswap(n1);
#else
        in[0] = n2;
        in[1] = n1;
#endif
}


/*
 * The key schedule is somewhat different for decryption.
 * (The key table is used once forward and three times backward.)
 * You could define an expanded key, or just write the code twice,
 * as done here.
 */
void _mcrypt_gost_decrypt(word32 const key[8], word32 * in)
{
        register word32 n1, n2; /* As named in the GOST */

#ifndef WORDS_BIGENDIAN
        n1 = byteswap(in[0]);
        n2 = byteswap(in[1]);
#else
        n1 = in[0];
        n2 = in[1];
#endif

        n2 ^= f(n1 + key[0]);
        n1 ^= f(n2 + key[1]);
        n2 ^= f(n1 + key[2]);
        n1 ^= f(n2 + key[3]);
        n2 ^= f(n1 + key[4]);
        n1 ^= f(n2 + key[5]);
        n2 ^= f(n1 + key[6]);
        n1 ^= f(n2 + key[7]);

        n2 ^= f(n1 + key[7]);
        n1 ^= f(n2 + key[6]);
        n2 ^= f(n1 + key[5]);
        n1 ^= f(n2 + key[4]);
        n2 ^= f(n1 + key[3]);
        n1 ^= f(n2 + key[2]);
        n2 ^= f(n1 + key[1]);
        n1 ^= f(n2 + key[0]);

        n2 ^= f(n1 + key[7]);
        n1 ^= f(n2 + key[6]);
        n2 ^= f(n1 + key[5]);
        n1 ^= f(n2 + key[4]);
        n2 ^= f(n1 + key[3]);
        n1 ^= f(n2 + key[2]);
        n2 ^= f(n1 + key[1]);
        n1 ^= f(n2 + key[0]);

        n2 ^= f(n1 + key[7]);
        n1 ^= f(n2 + key[6]);
        n2 ^= f(n1 + key[5]);
        n1 ^= f(n2 + key[4]);
        n2 ^= f(n1 + key[3]);
        n1 ^= f(n2 + key[2]);
        n2 ^= f(n1 + key[1]);
        n1 ^= f(n2 + key[0]);

#ifndef WORDS_BIGENDIAN
        in[0] = byteswap(n2);
        in[1] = byteswap(n1);
#else
        in[0] = n2;
        in[1] = n1;
#endif

}
1	/*
2	* The GOST 28147-89 cipher
3	*
4	* This is based on the 25 Movember 1993 draft translation
5	* by Aleksandr Malchik, with Whitfield Diffie, of the Government
6	* Standard of the U.S.S.R. GOST 28149-89, "Cryptographic Transformation
7	* Algorithm", effective 1 July 1990. (Whitfield.Diffie@eng.sun.com)
8	*
9	* That is a draft, and may contain errors, which will be faithfully
10	* reflected here, along with possible exciting new bugs.
11	*
12	* Some details have been cleared up by the paper "Soviet Encryption
13	* Algorithm" by Josef Pieprzyk and Leonid Tombak of the University
14	* of Wollongong, New South Wales. (josef/leo@cs.adfa.oz.au)
15	*
16	* The standard is written by A. Zabotin (project leader), G.P. Glazkov,
17	* and V.B. Isaeva. It was accepted and introduced into use by the
18	* action of the State Standards Committee of the USSR on 2 June 89 as
19	* No. 1409. It was to be reviewed in 1993, but whether anyone wishes
20	* to take on this obligation from the USSR is questionable.
21	*
22	* This code is placed in the public domain.
23	*/
24
25	/* modified in order to use the libmcrypt API by Nikos Mavroyanopoulos
26	* All modifications are placed under the license of libmcrypt.
27	*/
28
29	/* $Id: gost.c,v 1.6 2000/02/02 20:15:50 nikos Exp $ */
30
31	#include "libdefs.h"
32	#include "swap.h"
33	/*
34	* If you read the standard, it belabors the point of copying corresponding
35	* bits from point A to point B quite a bit. It helps to understand that
36	* the standard is uniformly little-endian, although it numbers bits from
37	* 1 rather than 0, so bit n has value 2^(n-1). The least significant bit
38	* of the 32-bit words that are manipulated in the algorithm is the first,
39	* lowest-numbered, in the bit string.
40	*/
41
42	void _mcrypt_kboxinit(void);
43
44	/*
45	* The standard does not specify the contents of the 8 4 bit->4 bit
46	* substitution boxes, saying they're a parameter of the network
47	* being set up. For illustration purposes here, I have used
48	* the first rows of the 8 S-boxes from the DES. (Note that the
49	* DES S-boxes are numbered starting from 1 at the msb. In keeping
50	* with the rest of the GOST, I have used little-endian numbering.
51	* Thus, k8 is S-box 1.
52	*
53	* Obviously, a careful look at the cryptographic properties of the cipher
54	* must be undertaken before "production" substitution boxes are defined.
55	*
56	* The standard also does not specify a standard bit-string representation
57	* for the contents of these blocks.
58	*/
59
60	/* These are NOT the original s-boxes. I replaced them with the ones
61	* found in Applied Cryptography book by Bruce Schneier. These were
62	* used in an application for the Central Bank of the Russian Federation
63	* --Nikos
64	*/
65	static int init=0;
66
67	static unsigned char const k1[16] = {
68	1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 2
69	};
70	static unsigned char const k2[16] = {
71	13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12
72	};
73	static unsigned char const k3[16] = {
74	4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14
75	};
76	static unsigned char const k4[16] = {
77	6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2
78	};
79	static unsigned char const k5[16] = {
80	7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3
81	};
82	static unsigned char const k6[16] = {
83	5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11
84	};
85	static unsigned char const k7[16] = {
86	14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9
87	};
88	static unsigned char const k8[16] = {
89	4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3
90	};
91
92	/* Byte-at-a-time substitution boxes */
93	static unsigned char k87[256];
94	static unsigned char k65[256];
95	static unsigned char k43[256];
96	static unsigned char k21[256];
97
98	/*
99	* Build byte-at-a-time subtitution tables.
100	* This must be called once for global setup.
101	*/
102
103	void _mcrypt_gost_set_key (word32 inst, word32 key, int len) {
104
105	_mcrypt_kboxinit();
106	inst[0] = 0; inst[1] = 0;
107	inst[2] = 0; inst[3] = 0;
108	inst[4] = 0; inst[5] = 0;
109	inst[6] = 0; inst[7] = 0;
110	memmove( inst, key, len);
111	#ifdef WORDS_BIGENDIAN
112	inst[0] = byteswap(inst[0]);
113	inst[1] = byteswap(inst[1]);
114	inst[2] = byteswap(inst[2]);
115	inst[3] = byteswap(inst[3]);
116	inst[4] = byteswap(inst[4]);
117	inst[5] = byteswap(inst[5]);
118	inst[6] = byteswap(inst[6]);
119	inst[7] = byteswap(inst[7]);
120	#endif
121	}
122
123	void _mcrypt_kboxinit(void)
124	{
125	int i;
126
127	if (init==0) {
128	init=1;
129	for (i = 0; i < 256; i++) {
130	k87[i] = k8[i >> 4] << 4 \| k7[i & 15];
131	k65[i] = k6[i >> 4] << 4 \| k5[i & 15];
132	k43[i] = k4[i >> 4] << 4 \| k3[i & 15];
133	k21[i] = k2[i >> 4] << 4 \| k1[i & 15];
134	}
135	}
136
137	}
138
139	/*
140	* Do the substitution and rotation that are the core of the operation,
141	* like the expansion, substitution and permutation of the DES.
142	* It would be possible to perform DES-like optimisations and store
143	* the table entries as 32-bit words, already rotated, but the
144	* efficiency gain is questionable.
145	*
146	* This should be inlined for maximum speed
147	*/
148	static word32 f(word32 x)
149	{
150	/* Do substitutions */
151	# if 0
152	/* This is annoyingly slow */
153	x = k8[x >> 28 & 15] << 28 \| k7[x >> 24 & 15] << 24 \|
154	k6[x >> 20 & 15] << 20 \| k5[x >> 16 & 15] << 16 \|
155	k4[x >> 12 & 15] << 12 \| k3[x >> 8 & 15] << 8 \|
156	k2[x >> 4 & 15] << 4 \| k1[x & 15];
157	# else
158	/* This is faster */
159	x = k87[x >> 24 & 255] << 24 \| k65[x >> 16 & 255] << 16 \|
160	k43[x >> 8 & 255] << 8 \| k21[x & 255];
161	# endif
162
163	/* Rotate left 11 bits */
164	return x << 11 \| x >> (32 - 11);
165
166	}
167
168	/*
169	* The GOST standard defines the input in terms of bits 1..64, with
170	* bit 1 being the lsb of in[0] and bit 64 being the msb of in[1].
171	*
172	* The keys are defined similarly, with bit 256 being the msb of key[7].
173	*/
174	void _mcrypt_gost_encrypt(word32 const key[8], word32 * in)
175	{
176	register word32 n1, n2; /* As named in the GOST */
177
178	/* Added to make it compatible with bigendian machines
179	* --nikos
180	*/
181
182	#ifndef WORDS_BIGENDIAN
183	n1 = byteswap(in[0]);
184	n2 = byteswap(in[1]);
185	#else
186	n1 = in[0];
187	n2 = in[1];
188	#endif
189
190	/* Instead of swapping halves, swap names each round */
191	n2 ^= f(n1 + key[0]);
192	n1 ^= f(n2 + key[1]);
193	n2 ^= f(n1 + key[2]);
194	n1 ^= f(n2 + key[3]);
195	n2 ^= f(n1 + key[4]);
196	n1 ^= f(n2 + key[5]);
197	n2 ^= f(n1 + key[6]);
198	n1 ^= f(n2 + key[7]);
199
200	n2 ^= f(n1 + key[0]);
201	n1 ^= f(n2 + key[1]);
202	n2 ^= f(n1 + key[2]);
203	n1 ^= f(n2 + key[3]);
204	n2 ^= f(n1 + key[4]);
205	n1 ^= f(n2 + key[5]);
206	n2 ^= f(n1 + key[6]);
207	n1 ^= f(n2 + key[7]);
208
209	n2 ^= f(n1 + key[0]);
210	n1 ^= f(n2 + key[1]);
211	n2 ^= f(n1 + key[2]);
212	n1 ^= f(n2 + key[3]);
213	n2 ^= f(n1 + key[4]);
214	n1 ^= f(n2 + key[5]);
215	n2 ^= f(n1 + key[6]);
216	n1 ^= f(n2 + key[7]);
217
218	n2 ^= f(n1 + key[7]);
219	n1 ^= f(n2 + key[6]);
220	n2 ^= f(n1 + key[5]);
221	n1 ^= f(n2 + key[4]);
222	n2 ^= f(n1 + key[3]);
223	n1 ^= f(n2 + key[2]);
224	n2 ^= f(n1 + key[1]);
225	n1 ^= f(n2 + key[0]);
226
227	/* There is no swap after the last round */
228
229	#ifndef WORDS_BIGENDIAN
230	in[0] = byteswap(n2);
231	in[1] = byteswap(n1);
232	#else
233	in[0] = n2;
234	in[1] = n1;
235	#endif
236	}
237
238
239	/*
240	* The key schedule is somewhat different for decryption.
241	* (The key table is used once forward and three times backward.)
242	* You could define an expanded key, or just write the code twice,
243	* as done here.
244	*/
245	void _mcrypt_gost_decrypt(word32 const key[8], word32 * in)
246	{
247	register word32 n1, n2; /* As named in the GOST */
248
249	#ifndef WORDS_BIGENDIAN
250	n1 = byteswap(in[0]);
251	n2 = byteswap(in[1]);
252	#else
253	n1 = in[0];
254	n2 = in[1];
255	#endif
256
257	n2 ^= f(n1 + key[0]);
258	n1 ^= f(n2 + key[1]);
259	n2 ^= f(n1 + key[2]);
260	n1 ^= f(n2 + key[3]);
261	n2 ^= f(n1 + key[4]);
262	n1 ^= f(n2 + key[5]);
263	n2 ^= f(n1 + key[6]);
264	n1 ^= f(n2 + key[7]);
265
266	n2 ^= f(n1 + key[7]);
267	n1 ^= f(n2 + key[6]);
268	n2 ^= f(n1 + key[5]);
269	n1 ^= f(n2 + key[4]);
270	n2 ^= f(n1 + key[3]);
271	n1 ^= f(n2 + key[2]);
272	n2 ^= f(n1 + key[1]);
273	n1 ^= f(n2 + key[0]);
274
275	n2 ^= f(n1 + key[7]);
276	n1 ^= f(n2 + key[6]);
277	n2 ^= f(n1 + key[5]);
278	n1 ^= f(n2 + key[4]);
279	n2 ^= f(n1 + key[3]);
280	n1 ^= f(n2 + key[2]);
281	n2 ^= f(n1 + key[1]);
282	n1 ^= f(n2 + key[0]);
283
284	n2 ^= f(n1 + key[7]);
285	n1 ^= f(n2 + key[6]);
286	n2 ^= f(n1 + key[5]);
287	n1 ^= f(n2 + key[4]);
288	n2 ^= f(n1 + key[3]);
289	n1 ^= f(n2 + key[2]);
290	n2 ^= f(n1 + key[1]);
291	n1 ^= f(n2 + key[0]);
292
293	#ifndef WORDS_BIGENDIAN
294	in[0] = byteswap(n2);
295	in[1] = byteswap(n1);
296	#else
297	in[0] = n2;
298	in[1] = n1;
299	#endif
300
301	}