3 The serpent block cipher.
5 For more details on this algorithm, see the Serpent website at
6 http://www.cl.cam.ac.uk/~rja14/serpent.html
8 Copyright (C) 2011, 2014 Niels Möller
9 Copyright (C) 2010, 2011 Simon Josefsson
10 Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
12 This file is part of GNU Nettle.
14 GNU Nettle is free software: you can redistribute it and/or
15 modify it under the terms of either:
17 * the GNU Lesser General Public License as published by the Free
18 Software Foundation; either version 3 of the License, or (at your
19 option) any later version.
23 * the GNU General Public License as published by the Free
24 Software Foundation; either version 2 of the License, or (at your
25 option) any later version.
27 or both in parallel, as here.
29 GNU Nettle is distributed in the hope that it will be useful,
30 but WITHOUT ANY WARRANTY; without even the implied warranty of
31 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
32 General Public License for more details.
34 You should have received copies of the GNU General Public License and
35 the GNU Lesser General Public License along with this program. If
36 not, see http://www.gnu.org/licenses/.
39 /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6.
40 The adaption to Nettle was made by Simon Josefsson on 2010-12-07
41 with final touches on 2011-05-30. Changes include replacing
42 libgcrypt with nettle in the license template, renaming
43 serpent_context to serpent_ctx, renaming u32 to uint32_t, removing
44 libgcrypt stubs and selftests, modifying entry function prototypes,
45 using FOR_BLOCKS to iterate through data in encrypt/decrypt, using
46 LE_READ_UINT32 and LE_WRITE_UINT32 to access data in
47 encrypt/decrypt, and running indent on the code. */
59 #include "serpent-internal.h"
61 /* Magic number, used during generating of the subkeys. */
62 #define PHI 0x9E3779B9
64 /* These are the S-Boxes of Serpent. They are copied from Serpents
65 reference implementation (the optimized one, contained in
66 `floppy2') and are therefore:
68 Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen.
70 To quote the Serpent homepage
71 (http://www.cl.cam.ac.uk/~rja14/serpent.html):
73 "Serpent is now completely in the public domain, and we impose no
74 restrictions on its use. This was announced on the 21st August at
75 the First AES Candidate Conference. The optimised implementations
76 in the submission package are now under the GNU PUBLIC LICENSE
77 (GPL), although some comments in the code still say otherwise. You
78 are welcome to use Serpent for any application." */
80 /* FIXME: Except when used within the key schedule, the inputs are not
81 used after the substitution, and hence we could allow them to be
82 destroyed. Can this freedom be used to optimize the sboxes? */
83 #define SBOX0(type, a, b, c, d, w, x, y, z) \
85 type t02, t03, t05, t06, t07, t08, t09; \
86 type t11, t12, t13, t14, t15, t17, t01; \
107 #define SBOX1(type, a, b, c, d, w, x, y, z) \
109 type t02, t03, t04, t05, t06, t07, t08; \
110 type t10, t11, t12, t13, t16, t17, t01; \
131 #define SBOX2(type, a, b, c, d, w, x, y, z) \
133 type t02, t03, t05, t06, t07, t08; \
134 type t09, t10, t12, t13, t14, t01; \
153 #define SBOX3(type, a, b, c, d, w, x, y, z) \
155 type t02, t03, t04, t05, t06, t07, t08; \
156 type t09, t10, t11, t13, t14, t15, t01; \
177 #define SBOX4(type, a, b, c, d, w, x, y, z) \
179 type t02, t03, t04, t05, t06, t08, t09; \
180 type t10, t11, t12, t13, t14, t15, t16, t01; \
202 #define SBOX5(type, a, b, c, d, w, x, y, z) \
204 type t02, t03, t04, t05, t07, t08, t09; \
205 type t10, t11, t12, t13, t14, t01; \
225 #define SBOX6(type, a, b, c, d, w, x, y, z) \
227 type t02, t03, t04, t05, t07, t08, t09, t10; \
228 type t11, t12, t13, t15, t17, t18, t01; \
250 #define SBOX7(type, a, b, c, d, w, x, y, z) \
252 type t02, t03, t04, t05, t06, t08, t09, t10; \
253 type t11, t13, t14, t15, t16, t17, t01; \
276 /* Note: Increments k */
277 #define KS_RECURRENCE(w, i, k) \
279 uint32_t _wn = (w)[(i)] ^ (w)[((i)+3)&7] ^ w[((i)+5)&7] \
280 ^ w[((i)+7)&7] ^ PHI ^ (k)++; \
281 ((w)[(i)] = ROTL32(11, _wn)); \
284 /* Note: Increments k four times and keys once */
285 #define KS(keys, s, w, i, k) \
287 KS_RECURRENCE(w, (i), (k)); \
288 KS_RECURRENCE(w, (i)+1, (k)); \
289 KS_RECURRENCE(w, (i)+2, (k)); \
290 KS_RECURRENCE(w, (i)+3, (k)); \
291 SBOX##s(uint32_t, w[(i)],w[(i)+1],w[(i)+2],w[(i)+3], \
292 (*keys)[0],(*keys)[1],(*keys)[2],(*keys)[3]); \
296 /* Pad user key and convert to an array of 8 uint32_t. */
298 serpent_key_pad (const uint8_t *key, unsigned int key_length,
303 assert (key_length <= SERPENT_MAX_KEY_SIZE);
305 for (i = 0; key_length >= 4; key_length -=4, key += 4)
306 w[i++] = LE_READ_UINT32(key);
310 /* Key must be padded according to the Serpent specification.
311 "aabbcc" -> "aabbcc0100...00" -> 0x01ccbbaa. */
314 while (key_length > 0)
315 pad = pad << 8 | key[--key_length];
324 /* Initialize CONTEXT with the key KEY of LENGTH bytes. */
326 serpent_set_key (struct serpent_ctx *ctx,
327 size_t length, const uint8_t * key)
333 serpent_key_pad (key, length, w);
335 /* Derive the 33 subkeys from KEY and store them in SUBKEYS. We do
336 the recurrence in the key schedule using W as a circular buffer
337 of just 8 uint32_t. */
339 /* FIXME: Would be better to invoke SBOX with scalar variables as
340 arguments, no arrays. To do that, unpack w into separate
341 variables, use temporary variables as the SBOX destination. */
347 KS(keys, 3, w, 0, k);
350 KS(keys, 2, w, 4, k);
351 KS(keys, 1, w, 0, k);
352 KS(keys, 0, w, 4, k);
353 KS(keys, 7, w, 0, k);
354 KS(keys, 6, w, 4, k);
355 KS(keys, 5, w, 0, k);
356 KS(keys, 4, w, 4, k);
358 assert (keys == ctx->keys + 33);
362 serpent128_set_key (struct serpent_ctx *ctx, const uint8_t *key)
364 serpent_set_key (ctx, SERPENT128_KEY_SIZE, key);
368 serpent192_set_key (struct serpent_ctx *ctx, const uint8_t *key)
370 serpent_set_key (ctx, SERPENT192_KEY_SIZE, key);
374 serpent256_set_key (struct serpent_ctx *ctx, const uint8_t *key)
376 serpent_set_key (ctx, SERPENT256_KEY_SIZE, key);