/* gf128mul.h - GF(2^128) multiplication functions1*2* Copyright (c) 2003, Dr Brian Gladman, Worcester, UK.3* Copyright (c) 2006 Rik Snel <[email protected]>4*5* Based on Dr Brian Gladman's (GPL'd) work published at6* http://fp.gladman.plus.com/cryptography_technology/index.htm7* See the original copyright notice below.8*9* This program is free software; you can redistribute it and/or modify it10* under the terms of the GNU General Public License as published by the Free11* Software Foundation; either version 2 of the License, or (at your option)12* any later version.13*/14/*15---------------------------------------------------------------------------16Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved.1718LICENSE TERMS1920The free distribution and use of this software in both source and binary21form is allowed (with or without changes) provided that:22231. distributions of this source code include the above copyright24notice, this list of conditions and the following disclaimer;25262. distributions in binary form include the above copyright27notice, this list of conditions and the following disclaimer28in the documentation and/or other associated materials;29303. the copyright holder's name is not used to endorse products31built using this software without specific written permission.3233ALTERNATIVELY, provided that this notice is retained in full, this product34may be distributed under the terms of the GNU General Public License (GPL),35in which case the provisions of the GPL apply INSTEAD OF those given above.3637DISCLAIMER3839This software is provided 'as is' with no explicit or implied warranties40in respect of its properties, including, but not limited to, correctness41and/or fitness for purpose.42---------------------------------------------------------------------------43Issue Date: 31/01/20064445An implementation of field multiplication in Galois Field GF(2^128)46*/4748#ifndef _CRYPTO_GF128MUL_H49#define _CRYPTO_GF128MUL_H5051#include <asm/byteorder.h>52#include <crypto/b128ops.h>53#include <linux/slab.h>5455/* Comment by Rik:56*57* For some background on GF(2^128) see for example:58* http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf59*60* The elements of GF(2^128) := GF(2)[X]/(X^128-X^7-X^2-X^1-1) can61* be mapped to computer memory in a variety of ways. Let's examine62* three common cases.63*64* Take a look at the 16 binary octets below in memory order. The msb's65* are left and the lsb's are right. char b[16] is an array and b[0] is66* the first octet.67*68* 10000000 00000000 00000000 00000000 .... 00000000 00000000 0000000069* b[0] b[1] b[2] b[3] b[13] b[14] b[15]70*71* Every bit is a coefficient of some power of X. We can store the bits72* in every byte in little-endian order and the bytes themselves also in73* little endian order. I will call this lle (little-little-endian).74* The above buffer represents the polynomial 1, and X^7+X^2+X^1+1 looks75* like 11100001 00000000 .... 00000000 = { 0xE1, 0x00, }.76* This format was originally implemented in gf128mul and is used77* in GCM (Galois/Counter mode) and in ABL (Arbitrary Block Length).78*79* Another convention says: store the bits in bigendian order and the80* bytes also. This is bbe (big-big-endian). Now the buffer above81* represents X^127. X^7+X^2+X^1+1 looks like 00000000 .... 10000111,82* b[15] = 0x87 and the rest is 0. LRW uses this convention and bbe83* is partly implemented.84*85* Both of the above formats are easy to implement on big-endian86* machines.87*88* XTS and EME (the latter of which is patent encumbered) use the ble89* format (bits are stored in big endian order and the bytes in little90* endian). The above buffer represents X^7 in this case and the91* primitive polynomial is b[0] = 0x87.92*93* The common machine word-size is smaller than 128 bits, so to make94* an efficient implementation we must split into machine word sizes.95* This implementation uses 64-bit words for the moment. Machine96* endianness comes into play. The lle format in relation to machine97* endianness is discussed below by the original author of gf128mul Dr98* Brian Gladman.99*100* Let's look at the bbe and ble format on a little endian machine.101*102* bbe on a little endian machine u32 x[4]:103*104* MS x[0] LS MS x[1] LS105* ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls106* 103..96 111.104 119.112 127.120 71...64 79...72 87...80 95...88107*108* MS x[2] LS MS x[3] LS109* ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls110* 39...32 47...40 55...48 63...56 07...00 15...08 23...16 31...24111*112* ble on a little endian machine113*114* MS x[0] LS MS x[1] LS115* ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls116* 31...24 23...16 15...08 07...00 63...56 55...48 47...40 39...32117*118* MS x[2] LS MS x[3] LS119* ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls120* 95...88 87...80 79...72 71...64 127.120 199.112 111.104 103..96121*122* Multiplications in GF(2^128) are mostly bit-shifts, so you see why123* ble (and lbe also) are easier to implement on a little-endian124* machine than on a big-endian machine. The converse holds for bbe125* and lle.126*127* Note: to have good alignment, it seems to me that it is sufficient128* to keep elements of GF(2^128) in type u64[2]. On 32-bit wordsize129* machines this will automatically aligned to wordsize and on a 64-bit130* machine also.131*/132/* Multiply a GF(2^128) field element by x. Field elements are133held in arrays of bytes in which field bits 8n..8n + 7 are held in134byte[n], with lower indexed bits placed in the more numerically135significant bit positions within bytes.136137On little endian machines the bit indexes translate into the bit138positions within four 32-bit words in the following way139140MS x[0] LS MS x[1] LS141ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls14224...31 16...23 08...15 00...07 56...63 48...55 40...47 32...39143144MS x[2] LS MS x[3] LS145ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls14688...95 80...87 72...79 64...71 120.127 112.119 104.111 96..103147148On big endian machines the bit indexes translate into the bit149positions within four 32-bit words in the following way150151MS x[0] LS MS x[1] LS152ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls15300...07 08...15 16...23 24...31 32...39 40...47 48...55 56...63154155MS x[2] LS MS x[3] LS156ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls15764...71 72...79 80...87 88...95 96..103 104.111 112.119 120.127158*/159160/* A slow generic version of gf_mul, implemented for lle161* It multiplies a and b and puts the result in a */162void gf128mul_lle(be128 *a, const be128 *b);163164/*165* The following functions multiply a field element by x in166* the polynomial field representation. They use 64-bit word operations167* to gain speed but compensate for machine endianness and hence work168* correctly on both styles of machine.169*170* They are defined here for performance.171*/172173static inline u64 gf128mul_mask_from_bit(u64 x, int which)174{175/* a constant-time version of 'x & ((u64)1 << which) ? (u64)-1 : 0' */176return ((s64)(x << (63 - which)) >> 63);177}178179static inline void gf128mul_x_lle(be128 *r, const be128 *x)180{181u64 a = be64_to_cpu(x->a);182u64 b = be64_to_cpu(x->b);183184/* equivalent to gf128mul_table_le[(b << 7) & 0xff] << 48185* (see crypto/gf128mul.c): */186u64 _tt = gf128mul_mask_from_bit(b, 0) & ((u64)0xe1 << 56);187188r->b = cpu_to_be64((b >> 1) | (a << 63));189r->a = cpu_to_be64((a >> 1) ^ _tt);190}191192static inline void gf128mul_x_bbe(be128 *r, const be128 *x)193{194u64 a = be64_to_cpu(x->a);195u64 b = be64_to_cpu(x->b);196197/* equivalent to gf128mul_table_be[a >> 63] (see crypto/gf128mul.c): */198u64 _tt = gf128mul_mask_from_bit(a, 63) & 0x87;199200r->a = cpu_to_be64((a << 1) | (b >> 63));201r->b = cpu_to_be64((b << 1) ^ _tt);202}203204/* needed by XTS */205static inline void gf128mul_x_ble(le128 *r, const le128 *x)206{207u64 a = le64_to_cpu(x->a);208u64 b = le64_to_cpu(x->b);209210/* equivalent to gf128mul_table_be[b >> 63] (see crypto/gf128mul.c): */211u64 _tt = gf128mul_mask_from_bit(a, 63) & 0x87;212213r->a = cpu_to_le64((a << 1) | (b >> 63));214r->b = cpu_to_le64((b << 1) ^ _tt);215}216217/* 4k table optimization */218219struct gf128mul_4k {220be128 t[256];221};222223struct gf128mul_4k *gf128mul_init_4k_lle(const be128 *g);224void gf128mul_4k_lle(be128 *a, const struct gf128mul_4k *t);225void gf128mul_x8_ble(le128 *r, const le128 *x);226static inline void gf128mul_free_4k(struct gf128mul_4k *t)227{228kfree_sensitive(t);229}230231232/* 64k table optimization, implemented for bbe */233234struct gf128mul_64k {235struct gf128mul_4k *t[16];236};237238/* First initialize with the constant factor with which you239* want to multiply and then call gf128mul_64k_bbe with the other240* factor in the first argument, and the table in the second.241* Afterwards, the result is stored in *a.242*/243struct gf128mul_64k *gf128mul_init_64k_bbe(const be128 *g);244void gf128mul_free_64k(struct gf128mul_64k *t);245void gf128mul_64k_bbe(be128 *a, const struct gf128mul_64k *t);246247#endif /* _CRYPTO_GF128MUL_H */248249250