dfc.c

文件驱动加密,功能强大,可产生加密分区,支持AES,MD2,MD4,MD5MD2, MD4, MD5, RIPEMD-128, RIPEMD-160, SHA-1, SHA-224, SHA-256,

/* This is an independent implementation of the encryption algorithm:   */
/*                                                                      */
/*         DFC designed by a team at CNRS and France Telecom            */
/*                                                                      */
/* which is a candidate algorithm in the Advanced Encryption Standard   */
/* programme of the US National Institute of Standards and Technology.  */
/*                                                                      */
/* Copyright in this implementation is held by Dr B R Gladman but I     */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions   */
/* that the originators of the algorithm place on its exploitation.     */
/*                                                                      */
/* Dr Brian Gladman 14th January 1999									*/
/*                                                                      */
/* My thanks go to Serge Vaudenay of the Ecole Normale Superieure       */
/* for providing test vectors. This implementation has also been        */
/* tested with an independent implementation by Dr Russell Bradford     */
/* (Department of Mathematical Sciences, University of Bath, Bath,      */
/* UK) and checks out.   My thanks go to Russell for his help in        */
/* comparing our implementations and finding bugs (and for help in      */
/* resolving 'endian' issues before test vectors became available).     */

/* Timing data for DFC (dfc.c)

Core timing without I/O endian conversion:

Algorithm: dfc (dfc.c)

128 bit key:
Key Setup:    5222 cycles
Encrypt:      1203 cycles =    21.3 mbits/sec
Decrypt:      1244 cycles =    20.6 mbits/sec
Mean:         1224 cycles =    20.9 mbits/sec

192 bit key:
Key Setup:    5203 cycles
Encrypt:      1288 cycles =    19.9 mbits/sec
Decrypt:      1235 cycles =    20.7 mbits/sec
Mean:         1262 cycles =    20.3 mbits/sec

256 bit key:
Key Setup:    5177 cycles
Encrypt:      1178 cycles =    21.7 mbits/sec
Decrypt:      1226 cycles =    20.9 mbits/sec
Mean:         1202 cycles =    21.3 mbits/sec

Full timing with I/O endian conversion:

128 bit key:
Key Setup:    5227 cycles
Encrypt:      1247 cycles =    20.5 mbits/sec
Decrypt:      1222 cycles =    20.9 mbits/sec
Mean:         1235 cycles =    20.7 mbits/sec

192 bit key:
Key Setup:    5252 cycles
Encrypt:      1215 cycles =    21.1 mbits/sec
Decrypt:      1265 cycles =    20.2 mbits/sec
Mean:         1240 cycles =    20.6 mbits/sec

256 bit key:
Key Setup:    5174 cycles
Encrypt:      1247 cycles =    20.5 mbits/sec
Decrypt:      1206 cycles =    21.2 mbits/sec
Mean:         1227 cycles =    20.9 mbits/sec

*/

/* The EES string is as follows (the abstract contains an error in 
   the last line of this sequence which changes KC and KD):

    0xb7e15162, 0x8aed2a6a, 0xbf715880, 0x9cf4f3c7, 
    0x62e7160f, 0x38b4da56, 0xa784d904, 0x5190cfef, 
    0x324e7738, 0x926cfbe5, 0xf4bf8d8d, 0x8c31d763,
    0xda06c80a, 0xbb1185eb, 0x4f7c7b57, 0x57f59584, 

    0x90cfd47d, 0x7c19bb42, 0x158d9554, 0xf7b46bce, 
    0xd55c4d79, 0xfd5f24d6, 0x613c31c3, 0x839a2ddf,
    0x8a9a276b, 0xcfbfa1c8, 0x77c56284, 0xdab79cd4, 
    0xc2b3293d, 0x20e9e5ea, 0xf02ac60a, 0xcc93ed87, 

    0x4422a52e, 0xcb238fee, 0xe5ab6add, 0x835fd1a0,
    0x753d0a8f, 0x78e537d2, 0xb95bb79d, 0x8dcaec64, 
    0x2c1e9f23, 0xb829b5c2, 0x780bf387, 0x37df8bb3, 
    0x00d01334, 0xa0d0bd86, 0x45cbfa73, 0xa6160ffe,

    0x393c48cb, 0xbbca060f, 0x0ff8ec6d, 0x31beb5cc, 
    0xeed7f2f0, 0xbb088017, 0x163bc60d, 0xf45a0ecb, 
    0x1bcd289b, 0x06cbbfea, 0x21ad08e1, 0x847f3f73,
    0x78d56ced, 0x94640d6e, 0xf0d3d37b, 0xe67008e1, 
    
    0x86d1bf27, 0x5b9b241d, 0xeb64749a, 0x47dfdfb9, 

    Where:

    EES = RT(0) | RT(1) | ... | RT(63) | KD | KC

    Note that the abstract describing DFC is written 
    in big endian notation with the most significant 
    digits of a sequence of digits placed at the low
    index positions in arrays. This format is used
    here and is only converted to machine format at
    the point that maths is done on any numbers in 
    the round function.
    
    The key input is thus treated as an array of 32 
    bit words numbered from 0..3, 0..5 or 0..7 
    depending on key length.  The first (leftmost) 
    bit of this key string as defined in the DFC 
    abstract is the most significant bit of word 0 
    and the rightmost bit of this string is the least 
    signicant bit of the highest numbered key word.

    The input and output blocks for the cipher are 
    also treated as arrays of 32 bit words numbered
    from 0..3.  The most significant bit of word 0 is
    the 1st (leftmost) bit of the 128 bit input string 
    and the least significant bit of word 3 is the 
    last (rightmost) bit.
    
    Note that the inputs, the output and the key are
    in Intel little endian format when BYTE_SWAP is 
    defined
*/

#define BYTE_SWAP

#ifdef CORE_TIME
#  undef BYTE_SWAP
#endif

#include "../std_defs.h"

static char *alg_name[] = { "dfc", "dfc.c", "dfc" };

char **cipher_name()
{
    return alg_name;
};

/* The following arrays are all stored in big endian    */
/* format with 32 bit words at lower array positions    */
/* being more significant in multi-word values          */

u4byte rt64[64] = 
{
    0xb7e15162, 0x8aed2a6a, 0xbf715880, 0x9cf4f3c7, 
    0x62e7160f, 0x38b4da56, 0xa784d904, 0x5190cfef, 
    0x324e7738, 0x926cfbe5, 0xf4bf8d8d, 0x8c31d763,
    0xda06c80a, 0xbb1185eb, 0x4f7c7b57, 0x57f59584, 

    0x90cfd47d, 0x7c19bb42, 0x158d9554, 0xf7b46bce, 
    0xd55c4d79, 0xfd5f24d6, 0x613c31c3, 0x839a2ddf,
    0x8a9a276b, 0xcfbfa1c8, 0x77c56284, 0xdab79cd4, 
    0xc2b3293d, 0x20e9e5ea, 0xf02ac60a, 0xcc93ed87, 

    0x4422a52e, 0xcb238fee, 0xe5ab6add, 0x835fd1a0,
    0x753d0a8f, 0x78e537d2, 0xb95bb79d, 0x8dcaec64, 
    0x2c1e9f23, 0xb829b5c2, 0x780bf387, 0x37df8bb3, 
    0x00d01334, 0xa0d0bd86, 0x45cbfa73, 0xa6160ffe,

    0x393c48cb, 0xbbca060f, 0x0ff8ec6d, 0x31beb5cc, 
    0xeed7f2f0, 0xbb088017, 0x163bc60d, 0xf45a0ecb, 
    0x1bcd289b, 0x06cbbfea, 0x21ad08e1, 0x847f3f73,
    0x78d56ced, 0x94640d6e, 0xf0d3d37b, 0xe67008e1, 
};

u4byte  kc = 0xeb64749a;

u4byte  kd2[2] = 
{
    0x86d1bf27, 0x5b9b241d  
};

u4byte  ka2[6] = 
{
    0xb7e15162, 0x8aed2a6a, 
    0xbf715880, 0x9cf4f3c7, 
    0x62e7160f, 0x38b4da56, 
};

u4byte  kb2[6] =
{
    0xa784d904, 0x5190cfef, 
    0x324e7738, 0x926cfbe5, 
    0xf4bf8d8d, 0x8c31d763,
};

u4byte  ks8[8] = 
{   0xda06c80a, 0xbb1185eb, 0x4f7c7b57, 0x57f59584, 
    0x90cfd47d, 0x7c19bb42, 0x158d9554, 0xf7b46bce,
};

u4byte l_key[32];

#define lo(x)   ((x) & 0x0000ffff)
#define hi(x)   ((x) >> 16)

#define mult_64(r,x,y)                                          \
    x0 = lo(x[1]); x1 = hi(x[1]); x2 = lo(x[0]); x3 = hi(x[0]); \
    y0 = lo(y[1]); y1 = hi(y[1]); y2 = lo(y[0]); y3 = hi(y[0]); \
    t0 = x0 * y0; r[0] = lo(t0); c = hi(t0);                    \
    t0 = x0 * y1; t1 = x1 * y0; c += lo(t0) + lo(t1);           \
    r[0] += (c << 16); c = hi(c) + hi(t0) + hi(t1);             \
    t0 = x0 * y2; t1 = x1 * y1; t2 = x2 * y0;                   \
    c += lo(t0) + lo(t1) + lo(t2); r[1] = lo(c);                \