1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
/*
* cifra - embedded cryptography library
* Written in 2014 by Joseph Birr-Pixton <jpixton@gmail.com>
*
* To the extent possible under law, the author(s) have dedicated all
* copyright and related and neighboring rights to this software to the
* public domain worldwide. This software is distributed without any
* warranty.
*
* You should have received a copy of the CC0 Public Domain Dedication
* along with this software. If not, see
* <http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include "cf_config.h"
#include "gf128.h"
#include "bitops.h"
#include <string.h>
void cf_gf128_tobytes_be(const cf_gf128 in, uint8_t out[16])
{
write32_be(in[0], out + 0);
write32_be(in[1], out + 4);
write32_be(in[2], out + 8);
write32_be(in[3], out + 12);
}
void cf_gf128_frombytes_be(const uint8_t in[16], cf_gf128 out)
{
out[0] = read32_be(in + 0);
out[1] = read32_be(in + 4);
out[2] = read32_be(in + 8);
out[3] = read32_be(in + 12);
}
/* out = 2 * in. Arguments may alias. */
void cf_gf128_double(const cf_gf128 in, cf_gf128 out)
{
uint8_t table[2] = { 0x00, 0x87 };
uint32_t borrow = 0;
uint32_t inword;
inword = in[3]; out[3] = (inword << 1) | borrow; borrow = inword >> 31;
inword = in[2]; out[2] = (inword << 1) | borrow; borrow = inword >> 31;
inword = in[1]; out[1] = (inword << 1) | borrow; borrow = inword >> 31;
inword = in[0]; out[0] = (inword << 1) | borrow; borrow = inword >> 31;
#if CF_CACHE_SIDE_CHANNEL_PROTECTION
out[3] ^= select_u8(borrow, table, 2);
#else
out[3] ^= table[borrow];
#endif
}
/* out = 2 * in. Arguments may alias. */
void cf_gf128_double_le(const cf_gf128 in, cf_gf128 out)
{
uint8_t table[2] = { 0x00, 0xe1 };
uint32_t borrow = 0;
uint32_t inword;
inword = in[0]; out[0] = (inword >> 1) | (borrow << 31); borrow = inword & 1;
inword = in[1]; out[1] = (inword >> 1) | (borrow << 31); borrow = inword & 1;
inword = in[2]; out[2] = (inword >> 1) | (borrow << 31); borrow = inword & 1;
inword = in[3]; out[3] = (inword >> 1) | (borrow << 31); borrow = inword & 1;
#if CF_CACHE_SIDE_CHANNEL_PROTECTION
out[0] ^= select_u8(borrow, table, 2) << 24;
#else
out[0] ^= table[borrow] << 24;
#endif
}
/* out = x + y. Arguments may alias. */
void cf_gf128_add(const cf_gf128 x, const cf_gf128 y, cf_gf128 out)
{
out[0] = x[0] ^ y[0];
out[1] = x[1] ^ y[1];
out[2] = x[2] ^ y[2];
out[3] = x[3] ^ y[3];
}
/* out = xy. Arguments may alias. */
void cf_gf128_mul(const cf_gf128 x, const cf_gf128 y, cf_gf128 out)
{
#if CF_TIME_SIDE_CHANNEL_PROTECTION
cf_gf128 zero = { 0 };
#endif
/* Z_0 = 0^128
* V_0 = Y */
cf_gf128 Z, V;
memset(Z, 0, sizeof Z);
memcpy(V, y, sizeof V);
int i;
for (i = 0; i < 128; i++)
{
uint32_t word = x[i >> 5];
uint8_t bit = (word >> (31 - (i & 31))) & 1;
#if CF_TIME_SIDE_CHANNEL_PROTECTION
select_xor128(Z, zero, V, bit);
#else
if (bit)
xor_words(Z, V, 4);
#endif
cf_gf128_double_le(V, V);
}
memcpy(out, Z, sizeof Z);
}
|
