217 lines
5.4 KiB
Go
217 lines
5.4 KiB
Go
// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
|
|
// Use of this source code is governed by a license that can be
|
|
// found in the LICENSE file.
|
|
|
|
package threefish
|
|
|
|
func (t *threefish256) Encrypt(dst, src []byte) {
|
|
var block [4]uint64
|
|
|
|
bytesToBlock256(&block, src)
|
|
|
|
Encrypt256(&block, &(t.keys), &(t.tweak))
|
|
|
|
block256ToBytes(dst, &block)
|
|
}
|
|
|
|
func (t *threefish256) Decrypt(dst, src []byte) {
|
|
var block [4]uint64
|
|
|
|
bytesToBlock256(&block, src)
|
|
|
|
Decrypt256(&block, &(t.keys), &(t.tweak))
|
|
|
|
block256ToBytes(dst, &block)
|
|
}
|
|
|
|
func newCipher256(tweak *[TweakSize]byte, key []byte) *threefish256 {
|
|
c := new(threefish256)
|
|
|
|
c.tweak[0] = uint64(tweak[0]) | uint64(tweak[1])<<8 | uint64(tweak[2])<<16 | uint64(tweak[3])<<24 |
|
|
uint64(tweak[4])<<32 | uint64(tweak[5])<<40 | uint64(tweak[6])<<48 | uint64(tweak[7])<<56
|
|
|
|
c.tweak[1] = uint64(tweak[8]) | uint64(tweak[9])<<8 | uint64(tweak[10])<<16 | uint64(tweak[11])<<24 |
|
|
uint64(tweak[12])<<32 | uint64(tweak[13])<<40 | uint64(tweak[14])<<48 | uint64(tweak[15])<<56
|
|
|
|
c.tweak[2] = c.tweak[0] ^ c.tweak[1]
|
|
|
|
for i := range c.keys[:4] {
|
|
j := i * 8
|
|
c.keys[i] = uint64(key[j]) | uint64(key[j+1])<<8 | uint64(key[j+2])<<16 | uint64(key[j+3])<<24 |
|
|
uint64(key[j+4])<<32 | uint64(key[j+5])<<40 | uint64(key[j+6])<<48 | uint64(key[j+7])<<56
|
|
}
|
|
c.keys[4] = C240 ^ c.keys[0] ^ c.keys[1] ^ c.keys[2] ^ c.keys[3]
|
|
|
|
return c
|
|
}
|
|
|
|
// Encrypt256 encrypts the 4 words of block using the expanded 256 bit key and
|
|
// the 128 bit tweak. The keys[4] must be keys[0] xor keys[1] xor ... keys[3] xor C240.
|
|
// The tweak[2] must be tweak[0] xor tweak[1].
|
|
func Encrypt256(block *[4]uint64, keys *[5]uint64, tweak *[3]uint64) {
|
|
b0, b1, b2, b3 := block[0], block[1], block[2], block[3]
|
|
|
|
for r := 0; r < 17; r++ {
|
|
b0 += keys[r%5]
|
|
b1 += keys[(r+1)%5] + tweak[r%3]
|
|
b2 += keys[(r+2)%5] + tweak[(r+1)%3]
|
|
b3 += keys[(r+3)%5] + uint64(r)
|
|
|
|
b0 += b1
|
|
b1 = ((b1 << 14) | (b1 >> (64 - 14))) ^ b0
|
|
b2 += b3
|
|
b3 = ((b3 << 16) | (b3 >> (64 - 16))) ^ b2
|
|
|
|
b0 += b3
|
|
b3 = ((b3 << 52) | (b3 >> (64 - 52))) ^ b0
|
|
b2 += b1
|
|
b1 = ((b1 << 57) | (b1 >> (64 - 57))) ^ b2
|
|
|
|
b0 += b1
|
|
b1 = ((b1 << 23) | (b1 >> (64 - 23))) ^ b0
|
|
b2 += b3
|
|
b3 = ((b3 << 40) | (b3 >> (64 - 40))) ^ b2
|
|
|
|
b0 += b3
|
|
b3 = ((b3 << 5) | (b3 >> (64 - 5))) ^ b0
|
|
b2 += b1
|
|
b1 = ((b1 << 37) | (b1 >> (64 - 37))) ^ b2
|
|
|
|
r++
|
|
|
|
b0 += keys[r%5]
|
|
b1 += keys[(r+1)%5] + tweak[r%3]
|
|
b2 += keys[(r+2)%5] + tweak[(r+1)%3]
|
|
b3 += keys[(r+3)%5] + uint64(r)
|
|
|
|
b0 += b1
|
|
b1 = ((b1 << 25) | (b1 >> (64 - 25))) ^ b0
|
|
b2 += b3
|
|
b3 = ((b3 << 33) | (b3 >> (64 - 33))) ^ b2
|
|
|
|
b0 += b3
|
|
b3 = ((b3 << 46) | (b3 >> (64 - 46))) ^ b0
|
|
b2 += b1
|
|
b1 = ((b1 << 12) | (b1 >> (64 - 12))) ^ b2
|
|
|
|
b0 += b1
|
|
b1 = ((b1 << 58) | (b1 >> (64 - 58))) ^ b0
|
|
b2 += b3
|
|
b3 = ((b3 << 22) | (b3 >> (64 - 22))) ^ b2
|
|
|
|
b0 += b3
|
|
b3 = ((b3 << 32) | (b3 >> (64 - 32))) ^ b0
|
|
b2 += b1
|
|
b1 = ((b1 << 32) | (b1 >> (64 - 32))) ^ b2
|
|
}
|
|
|
|
b0 += keys[3]
|
|
b1 += keys[4] + tweak[0]
|
|
b2 += keys[0] + tweak[1]
|
|
b3 += keys[1] + uint64(18)
|
|
|
|
block[0], block[1], block[2], block[3] = b0, b1, b2, b3
|
|
}
|
|
|
|
// Decrypt256 decrypts the 4 words of block using the expanded 256 bit key and
|
|
// the 128 bit tweak. The keys[4] must be keys[0] xor keys[1] xor ... keys[3] xor C240.
|
|
// The tweak[2] must be tweak[0] xor tweak[1].
|
|
func Decrypt256(block *[4]uint64, keys *[5]uint64, tweak *[3]uint64) {
|
|
b0, b1, b2, b3 := block[0], block[1], block[2], block[3]
|
|
|
|
var tmp uint64
|
|
for r := 18; r > 1; r-- {
|
|
b0 -= keys[r%5]
|
|
b1 -= keys[(r+1)%5] + tweak[r%3]
|
|
b2 -= keys[(r+2)%5] + tweak[(r+1)%3]
|
|
b3 -= keys[(r+3)%5] + uint64(r)
|
|
|
|
tmp = b1 ^ b2
|
|
b1 = (tmp >> 32) | (tmp << (64 - 32))
|
|
b2 -= b1
|
|
tmp = b3 ^ b0
|
|
b3 = (tmp >> 32) | (tmp << (64 - 32))
|
|
b0 -= b3
|
|
|
|
tmp = b3 ^ b2
|
|
b3 = (tmp >> 22) | (tmp << (64 - 22))
|
|
b2 -= b3
|
|
tmp = b1 ^ b0
|
|
b1 = (tmp >> 58) | (tmp << (64 - 58))
|
|
b0 -= b1
|
|
|
|
tmp = b1 ^ b2
|
|
b1 = (tmp >> 12) | (tmp << (64 - 12))
|
|
b2 -= b1
|
|
tmp = b3 ^ b0
|
|
b3 = (tmp >> 46) | (tmp << (64 - 46))
|
|
b0 -= b3
|
|
|
|
tmp = b3 ^ b2
|
|
b3 = (tmp >> 33) | (tmp << (64 - 33))
|
|
b2 -= b3
|
|
tmp = b1 ^ b0
|
|
b1 = (tmp >> 25) | (tmp << (64 - 25))
|
|
b0 -= b1
|
|
|
|
r--
|
|
|
|
b0 -= keys[r%5]
|
|
b1 -= keys[(r+1)%5] + tweak[r%3]
|
|
b2 -= keys[(r+2)%5] + tweak[(r+1)%3]
|
|
b3 -= keys[(r+3)%5] + uint64(r)
|
|
|
|
tmp = b1 ^ b2
|
|
b1 = (tmp >> 37) | (tmp << (64 - 37))
|
|
b2 -= b1
|
|
tmp = b3 ^ b0
|
|
b3 = (tmp >> 5) | (tmp << (64 - 5))
|
|
b0 -= b3
|
|
|
|
tmp = b3 ^ b2
|
|
b3 = (tmp >> 40) | (tmp << (64 - 40))
|
|
b2 -= b3
|
|
tmp = b1 ^ b0
|
|
b1 = (tmp >> 23) | (tmp << (64 - 23))
|
|
b0 -= b1
|
|
|
|
tmp = b1 ^ b2
|
|
b1 = (tmp >> 57) | (tmp << (64 - 57))
|
|
b2 -= b1
|
|
tmp = b3 ^ b0
|
|
b3 = (tmp >> 52) | (tmp << (64 - 52))
|
|
b0 -= b3
|
|
|
|
tmp = b3 ^ b2
|
|
b3 = (tmp >> 16) | (tmp << (64 - 16))
|
|
b2 -= b3
|
|
tmp = b1 ^ b0
|
|
b1 = (tmp >> 14) | (tmp << (64 - 14))
|
|
b0 -= b1
|
|
}
|
|
|
|
b0 -= keys[0]
|
|
b1 -= keys[1] + tweak[0]
|
|
b2 -= keys[2] + tweak[1]
|
|
b3 -= keys[3]
|
|
|
|
block[0], block[1], block[2], block[3] = b0, b1, b2, b3
|
|
}
|
|
|
|
// UBI256 does a Threefish256 encryption of the given block using
|
|
// the chain values hVal and the tweak.
|
|
// The chain values are updated through hVal[i] = block[i] ^ Enc(block)[i]
|
|
func UBI256(block *[4]uint64, hVal *[5]uint64, tweak *[3]uint64) {
|
|
b0, b1, b2, b3 := block[0], block[1], block[2], block[3]
|
|
|
|
hVal[4] = C240 ^ hVal[0] ^ hVal[1] ^ hVal[2] ^ hVal[3]
|
|
tweak[2] = tweak[0] ^ tweak[1]
|
|
|
|
Encrypt256(block, hVal, tweak)
|
|
|
|
hVal[0] = block[0] ^ b0
|
|
hVal[1] = block[1] ^ b1
|
|
hVal[2] = block[2] ^ b2
|
|
hVal[3] = block[3] ^ b3
|
|
}
|