Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/bearssl/src/symcipher/aes_ct_dec.c
39482 views
1
/*

2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>

3
 *

4
 * Permission is hereby granted, free of charge, to any person obtaining 

5
 * a copy of this software and associated documentation files (the

6
 * "Software"), to deal in the Software without restriction, including

7
 * without limitation the rights to use, copy, modify, merge, publish,

8
 * distribute, sublicense, and/or sell copies of the Software, and to

9
 * permit persons to whom the Software is furnished to do so, subject to

10
 * the following conditions:

11
 *

12
 * The above copyright notice and this permission notice shall be 

13
 * included in all copies or substantial portions of the Software.

14
 *

15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 

16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

22
 * SOFTWARE.

23
 */

24


25
#include "inner.h"

26


27
/* see inner.h */

28
void

29
br_aes_ct_bitslice_invSbox(uint32_t *q)

30
{

31
	/*

32
	 * AES S-box is:

33
	 *   S(x) = A(I(x)) ^ 0x63

34
	 * where I() is inversion in GF(256), and A() is a linear

35
	 * transform (0 is formally defined to be its own inverse).

36
	 * Since inversion is an involution, the inverse S-box can be

37
	 * computed from the S-box as:

38
	 *   iS(x) = B(S(B(x ^ 0x63)) ^ 0x63)

39
	 * where B() is the inverse of A(). Indeed, for any y in GF(256):

40
	 *   iS(S(y)) = B(A(I(B(A(I(y)) ^ 0x63 ^ 0x63))) ^ 0x63 ^ 0x63) = y

41
	 *

42
	 * Note: we reuse the implementation of the forward S-box,

43
	 * instead of duplicating it here, so that total code size is

44
	 * lower. By merging the B() transforms into the S-box circuit

45
	 * we could make faster CBC decryption, but CBC decryption is

46
	 * already quite faster than CBC encryption because we can

47
	 * process two blocks in parallel.

48
	 */

49
	uint32_t q0, q1, q2, q3, q4, q5, q6, q7;

50


51
	q0 = ~q[0];

52
	q1 = ~q[1];

53
	q2 = q[2];

54
	q3 = q[3];

55
	q4 = q[4];

56
	q5 = ~q[5];

57
	q6 = ~q[6];

58
	q7 = q[7];

59
	q[7] = q1 ^ q4 ^ q6;

60
	q[6] = q0 ^ q3 ^ q5;

61
	q[5] = q7 ^ q2 ^ q4;

62
	q[4] = q6 ^ q1 ^ q3;

63
	q[3] = q5 ^ q0 ^ q2;

64
	q[2] = q4 ^ q7 ^ q1;

65
	q[1] = q3 ^ q6 ^ q0;

66
	q[0] = q2 ^ q5 ^ q7;

67


68
	br_aes_ct_bitslice_Sbox(q);

69


70
	q0 = ~q[0];

71
	q1 = ~q[1];

72
	q2 = q[2];

73
	q3 = q[3];

74
	q4 = q[4];

75
	q5 = ~q[5];

76
	q6 = ~q[6];

77
	q7 = q[7];

78
	q[7] = q1 ^ q4 ^ q6;

79
	q[6] = q0 ^ q3 ^ q5;

80
	q[5] = q7 ^ q2 ^ q4;

81
	q[4] = q6 ^ q1 ^ q3;

82
	q[3] = q5 ^ q0 ^ q2;

83
	q[2] = q4 ^ q7 ^ q1;

84
	q[1] = q3 ^ q6 ^ q0;

85
	q[0] = q2 ^ q5 ^ q7;

86
}

87


88
static void

89
add_round_key(uint32_t *q, const uint32_t *sk)

90
{

91
	int i;

92


93
	for (i = 0; i < 8; i ++) {

94
		q[i] ^= sk[i];

95
	}

96
}

97


98
static void

99
inv_shift_rows(uint32_t *q)

100
{

101
	int i;

102


103
	for (i = 0; i < 8; i ++) {

104
		uint32_t x;

105


106
		x = q[i];

107
		q[i] = (x & 0x000000FF)

108
			| ((x & 0x00003F00) << 2) | ((x & 0x0000C000) >> 6)

109
			| ((x & 0x000F0000) << 4) | ((x & 0x00F00000) >> 4)

110
			| ((x & 0x03000000) << 6) | ((x & 0xFC000000) >> 2);

111
	}

112
}

113


114
static inline uint32_t

115
rotr16(uint32_t x)

116
{

117
	return (x << 16) | (x >> 16);

118
}

119


120
static void

121
inv_mix_columns(uint32_t *q)

122
{

123
	uint32_t q0, q1, q2, q3, q4, q5, q6, q7;

124
	uint32_t r0, r1, r2, r3, r4, r5, r6, r7;

125


126
	q0 = q[0];

127
	q1 = q[1];

128
	q2 = q[2];

129
	q3 = q[3];

130
	q4 = q[4];

131
	q5 = q[5];

132
	q6 = q[6];

133
	q7 = q[7];

134
	r0 = (q0 >> 8) | (q0 << 24);

135
	r1 = (q1 >> 8) | (q1 << 24);

136
	r2 = (q2 >> 8) | (q2 << 24);

137
	r3 = (q3 >> 8) | (q3 << 24);

138
	r4 = (q4 >> 8) | (q4 << 24);

139
	r5 = (q5 >> 8) | (q5 << 24);

140
	r6 = (q6 >> 8) | (q6 << 24);

141
	r7 = (q7 >> 8) | (q7 << 24);

142


143
	q[0] = q5 ^ q6 ^ q7 ^ r0 ^ r5 ^ r7 ^ rotr16(q0 ^ q5 ^ q6 ^ r0 ^ r5);

144
	q[1] = q0 ^ q5 ^ r0 ^ r1 ^ r5 ^ r6 ^ r7 ^ rotr16(q1 ^ q5 ^ q7 ^ r1 ^ r5 ^ r6);

145
	q[2] = q0 ^ q1 ^ q6 ^ r1 ^ r2 ^ r6 ^ r7 ^ rotr16(q0 ^ q2 ^ q6 ^ r2 ^ r6 ^ r7);

146
	q[3] = q0 ^ q1 ^ q2 ^ q5 ^ q6 ^ r0 ^ r2 ^ r3 ^ r5 ^ rotr16(q0 ^ q1 ^ q3 ^ q5 ^ q6 ^ q7 ^ r0 ^ r3 ^ r5 ^ r7);

147
	q[4] = q1 ^ q2 ^ q3 ^ q5 ^ r1 ^ r3 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr16(q1 ^ q2 ^ q4 ^ q5 ^ q7 ^ r1 ^ r4 ^ r5 ^ r6);

148
	q[5] = q2 ^ q3 ^ q4 ^ q6 ^ r2 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr16(q2 ^ q3 ^ q5 ^ q6 ^ r2 ^ r5 ^ r6 ^ r7);

149
	q[6] = q3 ^ q4 ^ q5 ^ q7 ^ r3 ^ r5 ^ r6 ^ r7 ^ rotr16(q3 ^ q4 ^ q6 ^ q7 ^ r3 ^ r6 ^ r7);

150
	q[7] = q4 ^ q5 ^ q6 ^ r4 ^ r6 ^ r7 ^ rotr16(q4 ^ q5 ^ q7 ^ r4 ^ r7);

151
}

152


153
/* see inner.h */

154
void

155
br_aes_ct_bitslice_decrypt(unsigned num_rounds,

156
	const uint32_t *skey, uint32_t *q)

157
{

158
	unsigned u;

159


160
	add_round_key(q, skey + (num_rounds << 3));

161
	for (u = num_rounds - 1; u > 0; u --) {

162
		inv_shift_rows(q);

163
		br_aes_ct_bitslice_invSbox(q);

164
		add_round_key(q, skey + (u << 3));

165
		inv_mix_columns(q);

166
	}

167
	inv_shift_rows(q);

168
	br_aes_ct_bitslice_invSbox(q);

169
	add_round_key(q, skey);

170
}

171


172