📄 loki97.c
/*
 * Implements the LOKI97 block cipher.
 *
 * LOKI97 is a 128-bit symmetric block cipher with a 256-bit key schedule,
 * which may be initialised from 128, 192, or 256-bit keys. It uses 16 rounds
 * of data computation using a balanced feistel network with a complex
 * function f which incorporates two S-P layers. The 256-bit key schedule
 * uses 33 rounds of an unbalanced feistel network using the same complex
 * function f to generate the subkeys.
 *
 * LOKI97 was written by Lawrie Brown (ADFA), Josef Pieprzyk, and Jennifer
 * Seberry (UOW) in 1997.
 *
 * Copyright © 1998 by Lawrie Brown <Lawrie.Brown@adfa.oz.au> & ITRACE (UNSW)
 * All rights reserved.
 *
 * Author: Lawrie Brown
 *
 * code derived from LOKI97 java implementation by Lawrie Brown & Raif Naffah
 *
 * NOTE(review): LOKI97 did not progress beyond the first AES round, and
 * published cryptanalysis (Knudsen and Rijmen, "Weaknesses in LOKI97")
 * describes differential and linear attacks faster than key search. Treat
 * this file as a reference implementation for study and interoperability
 * testing, not as protection for new data.
 */

/* include standard AES C header file */
#include "loki97.h"

/* Global defines and variables */
#define NAME "LOKI97"
#define DEBUG 0

/*
 * Debug diagnostics. Valid values of symbolic constant DEBUG:
 *
 *   1  engine calls,
 *   2  enc/dec round values,
 *   3  subkeys,
 *   4  func f calls,
 *   5  func f internals,
 *   6  static init.
 *
 * The code tests the level with "if (debuglevel)" and "debuglevel > N", so
 * a higher value also enables the output of the lower ones. Any non-zero
 * value makes makeKey() print the four 64-bit key words to stderr, and a
 * value above 2 prints every subkey, so keep DEBUG at 0 in any build that
 * handles real keys.
 */
#define debuglevel DEBUG 

/* LOKI97 algorithm specific constants and tables */
/* ........................................................................... */

/* Generator polynomial for S-box S1, in GF(2^13). */
#define S1_GEN 0x2911

/* Size of S-box S1, for 13-bit inputs. */
#define S1_SIZE 0x2000

/*
 * Table of pre-computed S-box S1 values, filled by cipherInit().
 * NOTE(review): function f is not shown here; if it indexes S1 and S2 with
 * values derived from key or data, as table-driven S-boxes usually do, the
 * lookups are a cache-timing side channel - confirm before use on shared
 * hardware.
 */
static BYTE S1[S1_SIZE];

/* Generator polynomial for S-box S2, in GF(2^11). */
#define S2_GEN 0xAA7

/* Size of S-box S2, for 11-bit inputs. */
#define S2_SIZE 0x800

/* Table of pre-computed S-box S2 values, filled by cipherInit(). */
static BYTE S2[S2_SIZE];

/* Constant value for Delta which is used in the key schedule */
static ULONG64 DELTA = {0x9E3779B9L, 0x7F4A7C15L};

/*
 * Table specifying the pre-computed permutation P.
 * nb. precompute permutations for lowest 8 bits only,
 * value of P is a 64-bit wide (long) mask of the permuted input value.
 */
static ULONG64 P[0x100];

/*
 * Flag specifying whether once-off init of S1, S2 and P has been done.
 * It is a plain int and no locking is visible in this file, so two threads
 * making the first cipherInit() call at the same time would both write the
 * tables while other code may already be reading them.
 */
static int init_done = FALSE;

/* prototypes for local utility functions */

/* per-mode encrypt and decrypt workers */
static int enECB(cipherInstance *cipher, keyInstance *key, BYTE *input,
                 int inputLen, BYTE *outBuffer);
static int enCBC(cipherInstance *cipher, keyInstance *key, BYTE *input,
                 int inputLen, BYTE *outBuffer);
static int enCFB1(cipherInstance *cipher, keyInstance *key, BYTE *input,
                  int inputLen, BYTE *outBuffer);
static int deECB(cipherInstance *cipher, keyInstance *key, BYTE *input,
                 int inputLen, BYTE *outBuffer);
static int deCBC(cipherInstance *cipher, keyInstance *key, BYTE *input,
                 int inputLen, BYTE *outBuffer);
static int deCFB1(cipherInstance *cipher, keyInstance *key, BYTE *input,
                  int inputLen, BYTE *outBuffer);

/* round function and 64-bit arithmetic on the two-word ULONG64 type */
static ULONG64 f (ULONG64 A, ULONG64 B) ;
static ULONG64 add64(ULONG64 a, ULONG64 b) ;
static ULONG64 sub64(ULONG64 a, ULONG64 b) ;

/* GF(2^n) helpers used to build the S-boxes */
static int exp3 (int b, int g, int n) ;
static int mult (int a, int b, int g, int n) ;

/* byte, hex-text and ULONG64 conversion helpers */
static ULONG64 byteToULONG64(BYTE *inp) ;
static BYTE *ULONG64ToBYTE(BYTE *buf, ULONG64 I) ;
static BYTE *charToBYTE(BYTE *buf, char *hex, int len) ;
static ULONG64 charToULONG64(char *hex) ;
static int fromHex (char ch) ;
static int puthex(BYTE *out, int len, FILE *f);

/* Initialise cipher, precompute S-boxes and permutation table */
/* .........................................................................
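*/

/*
 * cipherInit - fill in a cipherInstance and, on the first call, build the
 * file-scope lookup tables S1, S2 and P.
 *
 * @param cipher  instance to initialise; mode, IV, IVL, IVR and blockSize
 *                are written.
 * @param mode    requested mode; MODE_ECB, MODE_CBC and MODE_CFB1 are
 *                accepted.
 * @param IV      IV as ASCII hex text, or NULL for an all-zero IV.
 * @return TRUE for an accepted mode; BAD_CIPHER_MODE otherwise (the
 *         instance has been written all the same); BAD_CIPHER_STATE when
 *         cipher is NULL.
 *
 * The table build is guarded only by the plain int init_done, so the first
 * call must complete before any other thread calls into this file.
 *
 * NOTE(review): charToBYTE is not shown here. If it consumes two hex
 * digits per output byte, an IV string shorter than
 * 2 * sizeof(cipher->IV) characters is read past its terminator - confirm
 * and length-check in the caller.
 * NOTE(review): a NULL IV silently selects an all-zero IV; for CBC and CFB
 * the caller should supply a fresh, unpredictable IV for every message.
 */
int cipherInit(cipherInstance *cipher, BYTE mode, char *IV)
{
    int S1_MASK = S1_SIZE - 1;  /* mask to select S1 input bits */
    int S2_MASK = S2_SIZE - 1;  /* mask to select S2 input bits */
    int i, j, k;                /* index into S-box, P bit, out bit */
    int b;                      /* S-box fn input */
    unsigned long pval;         /* perm P mask for given input value */

    /* a NULL IV is legal, so never hand it to %s directly */
    if (debuglevel)
        fprintf(stderr,"%s: cipherInit(mode=%d, IV=%s)\n", NAME, mode,
                (IV != NULL) ? IV : "(null)");

    /* every path below writes through cipher */
    if (cipher == NULL)
        return BAD_CIPHER_STATE;

    if (!init_done) {
        /* precompute S-box tables for S1 and S2 */
        if (debuglevel > 5)
            fprintf(stderr,"%s: Static init of S1, S2 & P \n", NAME);

        for (i = 0; i < S1_SIZE; i++) {             /* for all S1 inputs */
            b = i ^ S1_MASK;                        /* compute input value */
            /* only the low 8 bits of the cube are kept as S-box output */
            S1[i] = (BYTE)exp3(b, S1_GEN, S1_SIZE);
            if (debuglevel > 5)
                fprintf(stderr,"%s: S1[%04X] = %02X\n", NAME, i, S1[i]);
        }

        for (i = 0; i < S2_SIZE; i++) {             /* for all S2 inputs */
            b = i ^ S2_MASK;                        /* compute input value */
            S2[i] = (BYTE)exp3(b, S2_GEN, S2_SIZE);
            if (debuglevel > 5)
                fprintf(stderr,"%s: S2[%04X] = %02X\n", NAME, i, S2[i]);
        }

        /* initialising expanded permutation P table (for lowest BYTE only) */
        /* Permutation P maps input bits [63..0] to outputs bits:           */
        /* [56, 48, 40, 32, 24, 16, 8, 0,                                   */
        /*  57, 49, 41, 33, 25, 17, 9, 1,                                   */
        /*  58, 50, 42, 34, 26, 18, 10, 2,                                  */
        /*  59, 51, 43, 35, 27, 19, 11, 3,                                  */
        /*  60, 52, 44, 36, 28, 20, 12, 4,                                  */
        /*  61, 53, 45, 37, 29, 21, 13, 5,                                  */
        /*  62, 54, 46, 38, 30, 22, 14, 6,                                  */
        /*  63, 55, 47, 39, 31, 23, 15, 7] <- this row only used in table   */
        /* since it is so regular, we can construct it on the fly           */
        for (i = 0; i < 0x100; i++) {       /* loop over all 8-bit inputs */
            /*
             * k reaches 31, so the shift is done on unsigned long: shifting
             * a 1 into the sign bit of a 32-bit long is undefined behaviour.
             */
            pval = 0UL;
            for (j = 0, k = 7; j < 4; j++, k += 8)  /* do right half of P */
                pval |= (unsigned long)((i >> j) & 0x1) << k;
            P[i].r = pval;

            pval = 0UL;
            for (j = 4, k = 7; j < 8; j++, k += 8)  /* do left half of P */
                pval |= (unsigned long)((i >> j) & 0x1) << k;
            P[i].l = pval;

            if (debuglevel > 5)
                fprintf(stderr,"%s: P[%02X] = %08X%08X\n", NAME, i,
                        P[i].l, P[i].r);
        }

        /* and remember that init has been done */
        init_done = TRUE;
    }

    /* now fill out cipherInstance structure */
    cipher->mode = mode;                    /* copy mode over */
    if (IV != NULL) {                       /* IV specified */
        charToBYTE(cipher->IV,IV,sizeof(cipher->IV));   /* convert IV */
        /* pack IV into IVL (first 8 bytes) and IVR (next 8 bytes) */
        cipher->IVL = byteToULONG64(cipher->IV);
        cipher->IVR = byteToULONG64(cipher->IV + 8);
    } else {                                /* no IV, so set to 0 */
        memset(cipher->IV,0,sizeof(cipher->IV));
        cipher->IVL.l = cipher->IVL.r = cipher->IVR.l = cipher->IVR.r = 0L;
    }
    cipher->blockSize = BLOCK_SIZE*8;       /* BLOCK_SIZE in bits */

    /* decide correct return value */
    if ((mode == MODE_ECB)||(mode == MODE_CBC)||(mode == MODE_CFB1))
        return TRUE;
    return BAD_CIPHER_MODE;
}

/*
 * Returns residue of base b to power 3 mod g in GF(2^n).
 *
 * @param b Base of exponentiation, the exponent being always 3.
 * @param g Irreducible polynomial generating Galois Field (GF(2^n)).
 * @param n Size of the galois field.
 * @return (b ** 3) mod g.
 */
static int exp3 (int b, int g, int n)
{
    int r = b;                  /* r = b */

    if (b == 0)
        return 0;
    b = mult(r, b, g, n);       /* b = b ** 2 (r still holds the base) */
    r = mult(r, b, g, n);       /* r = b ** 3 */
    return r;
}

/*
 * Returns the product of two binary numbers a and b, using the
 * generator g as the modulus: p = (a * b) mod g. g Generates a
 * suitable Galois Field in GF(2^n).
 *
 * Shift-and-add multiplication: for each set bit of b the current
 * multiple of a is XORed into the product, and a is reduced by g as soon
 * as it reaches n.
 *
 * @param a First multiplicand.
 * @param b Second multiplicand.
 * @param g Irreducible polynomial generating Galois Field.
 * @param n Size of the galois field.
 * @return (a * b) mod g.
 */
static int mult (int a, int b, int g, int n)
{
    int p = 0;

    while (b != 0) {
        if ((b & 0x01) != 0)
            p ^= a;
        a <<= 1;
        if (a >= n)
            a ^= g;
        b >>= 1;
    }
    return p;
}

/* Basic NIST API methods for LOKI97 */
/* ......................................................................... */

/* Expand a user-supplied key material into a LOKI97 session key.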
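*/

/*
 * makeKey - expand ASCII-hex key material into the LOKI97 subkeys key->SK[].
 *
 * @param key          instance to fill (direction, keyLen, keyMaterial, SK).
 * @param direction    DIR_ENCRYPT or DIR_DECRYPT.
 * @param keyLen       key size in bits: 128, 192 or 256.
 * @param keyMaterial  key as hex text, 16 characters per 64-bit word, so at
 *                     least keyLen / 4 characters are required.
 * @return TRUE on success; BAD_KEY_INSTANCE for a NULL key or keyMaterial;
 *         BAD_KEY_DIR for an unknown direction; BAD_KEY_MAT for an
 *         unsupported keyLen or key text shorter than keyLen / 4 characters.
 *
 * With DEBUG non-zero the four key words are printed to stderr, and above
 * level 2 every subkey as well; such builds must not see real keys.
 *
 * NOTE(review): strncpy() writes no terminator when keyMaterial holds
 * MAX_KEY_SIZE or more characters. The declaration of key->keyMaterial is
 * not shown; confirm it has room for MAX_KEY_SIZE + 1 bytes and that the
 * last byte is zero before the field is used as a string.
 * NOTE(review): k1..k4, t1, t2 and f_out hold key-derived words and are
 * not cleared before return; the hex key is also kept in key->keyMaterial.
 */
int makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial)
{
    ULONG64 k4, k3, k2, k1;     /* key schedule 128-bit entities */
    ULONG64 deltan = DELTA;     /* multiples of delta */
    ULONG64 t1, t2;             /* temps used for doing 64-bit adds */
    ULONG64 f_out;              /* fn f output value for debug */
    int i = 0;                  /* index into key input */

    /* do some basic sanity checks on the keyMaterial */
    if ((key == NULL) || (keyMaterial == NULL))
        return BAD_KEY_INSTANCE;
    if (!(direction == DIR_ENCRYPT || direction == DIR_DECRYPT))
        return BAD_KEY_DIR;
    if (!(keyLen == 128 || keyLen == 192 || keyLen == 256))
        return BAD_KEY_MAT;

    /*
     * The conversions below step through keyMaterial 16 characters per
     * 64-bit word, keyLen / 4 characters in total. Reject text that ends
     * earlier so the conversion never reads past the terminator.
     */
    for (i = 0; i < keyLen / 4; i++) {
        if (keyMaterial[i] == '\0')
            return BAD_KEY_MAT;
    }

    /* fill out the keyInstance structure with input params */
    key->direction = direction;
    key->keyLen = keyLen;
    strncpy(key->keyMaterial, keyMaterial, MAX_KEY_SIZE);

    /* convert ascii hex text into into 64-bit entities: k4, k3, k2, k1 */
    k4 = charToULONG64(keyMaterial); keyMaterial += 16;
    k3 = charToULONG64(keyMaterial); keyMaterial += 16;

    if (keyLen == 128) {    /* 128-bit key - call fn f twice to gen 256 bits */
        k2 = f(k3, k4);
        k1 = f(k4, k3);
    } else {                /* 192 or 256-bit key - pack k2 from key data */
        k2 = charToULONG64(keyMaterial); keyMaterial += 16;
        if (keyLen == 192) {    /* 192-bit key - call fn f once to gen 256 bits */
            k1 = f(k4, k3);
        } else {                /* 256-bit key - pack k1 from key data */
            k1 = charToULONG64(keyMaterial); keyMaterial += 16;
        }
    }

    /* prints the raw key words: debug builds only */
    if (debuglevel)
        fprintf(stderr,"%s: makeKey(%08X%08X%08X%08X%08X%08X%08X%08X,%s)\n",
                NAME, k4.l, k4.r, k3.l, k3.r, k2.l, k2.r, k1.l, k1.r,
                direction?"Dec":"Enc");

    /* iterate over all LOKI97 rounds to generate the required subkeys */
    for (i = 0; i < NUM_SUBKEYS; i++) {
        t1 = add64(k1,k3);              /* compute f(k1+k3+n.delta,k2) */
        t2 = add64(t1,deltan);
        f_out = f(t2, k2);
        key->SK[i].l = k4.l ^ f_out.l;  /* compute next subkey using fn f */
        key->SK[i].r = k4.r ^ f_out.r;
        k4 = k3;                        /* exchange the other words around */
        k3 = k2;
        k2 = k1;
        k1 = key->SK[i];
        deltan = add64(deltan,DELTA);   /* next multiple of delta */
        if (debuglevel > 2)
            fprintf(stderr,"%s: SK[%02d]=%08X%08X\t", NAME, i,
                    key->SK[i].l, key->SK[i].r);
        if (debuglevel > 2)
            fprintf(stderr,"f=%08X%08X,\tdeltan=%08X%08X\n",
                    f_out.l, f_out.r, deltan.l, deltan.r);
    }

    return TRUE;
}

/* ....................................................................... */
/*
 * blockEncrypt(cipher,key,input,inputLen,outBuffer) -
 * encrypt blocks of plaintext from input to outBuffer using cipher & key.
 */
int blockEncrypt(cipherInstance *cipher, keyInstance *key, BYTE *input, int inputLen, BYTE *outBuffer)
{
    /* do some basic sanity checks on params */
    if (!init_done) return BAD_CIPHER_STATE;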