2 ---------------------------------------------------------------------------
\r
3 Copyright (c) 2003, Dr Brian Gladman < >, Worcester, UK.
\r
8 The free distribution and use of this software in both source and binary
\r
9 form is allowed (with or without changes) provided that:
\r
11 1. distributions of this source code include the above copyright
\r
12 notice, this list of conditions and the following disclaimer;
\r
14 2. distributions in binary form include the above copyright
\r
15 notice, this list of conditions and the following disclaimer
\r
16 in the documentation and/or other associated materials;
\r
18 3. the copyright holder's name is not used to endorse products
\r
19 built using this software without specific written permission.
\r
21 ALTERNATIVELY, provided that this notice is retained in full, this product
\r
22 may be distributed under the terms of the GNU General Public License (GPL),
\r
23 in which case the provisions of the GPL apply INSTEAD OF those given above.
\r
27 This software is provided 'as is' with no explicit or implied warranties
\r
28 in respect of its properties, including, but not limited to, correctness
\r
29 and/or fitness for purpose.
\r
30 ---------------------------------------------------------------------------
\r
31 Issue Date: 26/08/2003
\r
33 This file contains the code for implementing the key schedule for AES
\r
34 (Rijndael) for block and key sizes of 16, 24, and 32 bytes. See aesopt.h
\r
35 for further details including optimisation.
\r
40 /* Initialise the key schedule from the user supplied key. The key
\r
41 length can be specified in bytes, with legal values of 16, 24
\r
42 and 32, or in bits, with legal values of 128, 192 and 256. These
\r
43 values correspond with Nk values of 4, 6 and 8 respectively.
\r
45 The following macros implement a single cycle in the key
\r
46 schedule generation process. The number of cycles needed
\r
47 for each cx->n_col and nk value is:
\r
                  nk =   4   5   6   7   8
50 ------------------------------
51 cx->n_col = 4        10   9   8   7   7
52 cx->n_col = 5        14  11  10   9   9
53 cx->n_col = 6        19  15  12  11  11
54 cx->n_col = 7        21  19  16  13  14
55 cx->n_col = 8        29  23  19  17  14
\r
/* Encryption key-schedule cycle bodies.  The "#define" header lines and the
   closing braces of these macros are missing from this listing (the embedded
   line numbers skip them), so only the bodies appear.  Judging by the
   k[4*..], k[6*..] and k[8*..] indexing they are the 4-, 6- and 8-word-key
   cycles invoked further down as ke4/kel4, ke6/kel6 and ke8 -- TODO confirm
   against the complete file.
   Each cycle XORs ls_box(last word, 3) and t_use(r,c)[i] (presumably the
   round constant for cycle i) into ss[0], chains the XOR through the
   remaining ss words and stores every updated word into k[]; the long 8-word
   form also applies ls_box(ss[3],0) before updating ss[4].
   NOTE(review): ls_box and t_use are defined outside this listing (the file
   header points to aesopt.h).  If they are table lookups, key setup makes
   key-dependent memory accesses -- confirm where cache-timing leakage
   matters. */
59 { k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+5] = ss[1] ^= ss[0]; \
\r
60 k[4*(i)+6] = ss[2] ^= ss[1]; k[4*(i)+7] = ss[3] ^= ss[2]; \
\r
63 { k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+5] = ss[1] ^= ss[0]; \
\r
64 k[4*(i)+6] = ss[2] ^= ss[1]; k[4*(i)+7] = ss[3] ^= ss[2]; \
\r
68 { k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 7] = ss[1] ^= ss[0]; \
\r
69 k[6*(i)+ 8] = ss[2] ^= ss[1]; k[6*(i)+ 9] = ss[3] ^= ss[2]; \
\r
70 k[6*(i)+10] = ss[4] ^= ss[3]; k[6*(i)+11] = ss[5] ^= ss[4]; \
\r
73 { k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 7] = ss[1] ^= ss[0]; \
\r
74 k[6*(i)+ 8] = ss[2] ^= ss[1]; k[6*(i)+ 9] = ss[3] ^= ss[2]; \
\r
78 { k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 9] = ss[1] ^= ss[0]; \
\r
79 k[8*(i)+10] = ss[2] ^= ss[1]; k[8*(i)+11] = ss[3] ^= ss[2]; \
\r
80 k[8*(i)+12] = ss[4] ^= ls_box(ss[3],0); k[8*(i)+13] = ss[5] ^= ss[4]; \
\r
81 k[8*(i)+14] = ss[6] ^= ss[5]; k[8*(i)+15] = ss[7] ^= ss[6]; \
\r
84 { k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 9] = ss[1] ^= ss[0]; \
\r
85 k[8*(i)+10] = ss[2] ^= ss[1]; k[8*(i)+11] = ss[3] ^= ss[2]; \
\r
88 #if defined(ENCRYPTION_KEY_SCHEDULE)
\r
90 #if defined(AES_128) || defined(AES_VAR)
\r
/* Build the AES encryption key schedule in cx->ks from a 16-byte (128-bit)
   key.  in_key is read as four words through word_in(in_key, 0..3); each
   word is stored both in cx->ks[] and in the working array ss[].
   The braces, the declarations of ss and i, the loop body and the return
   statement are not visible in this listing.
   NOTE(review): ss[] (declaration not visible, presumably a local) keeps a
   copy of key-derived words and no visible line clears it -- confirm whether
   the stack needs scrubbing after key setup in your threat model. */
92 aes_rval aes_encrypt_key128(const void *in_key, aes_encrypt_ctx cx[1])
\r
95 cx->ks[0] = ss[0] = word_in(in_key, 0);
\r
96 cx->ks[1] = ss[1] = word_in(in_key, 1);
\r
97 cx->ks[2] = ss[2] = word_in(in_key, 2);
\r
98 cx->ks[3] = ss[3] = word_in(in_key, 3);
\r
/* Rolled build: the loop (body not visible here) runs (11 * N_COLS - 1) / 4 times. */
100 #if ENC_UNROLL == NONE
\r
103 for(i = 0; i < ((11 * N_COLS - 1) / 4); ++i)
\r
/* Unrolled form: cycles 0-8 through ke4, final cycle 9 through kel4. */
107 ke4(cx->ks, 0); ke4(cx->ks, 1);
\r
108 ke4(cx->ks, 2); ke4(cx->ks, 3);
\r
109 ke4(cx->ks, 4); ke4(cx->ks, 5);
\r
110 ke4(cx->ks, 6); ke4(cx->ks, 7);
\r
111 ke4(cx->ks, 8); kel4(cx->ks, 9);
\r
114 /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit */
\r
115 /* key and must be non-zero for 128 and 192 bits keys */
\r
116 cx->ks[53] = cx->ks[45] = 0;
\r
125 #if defined(AES_192) || defined(AES_VAR)
\r
/* Build the AES encryption key schedule in cx->ks from a 24-byte (192-bit)
   key.  in_key is read as six words through word_in(in_key, 0..5); each word
   is stored both in cx->ks[] and in the working array ss[].
   The braces, the declarations of ss and i, the loop body and the return
   statement are not visible in this listing.
   NOTE(review): ss[] (declaration not visible, presumably a local) keeps a
   copy of key-derived words and no visible line clears it -- confirm whether
   the stack needs scrubbing after key setup in your threat model. */
127 aes_rval aes_encrypt_key192(const void *in_key, aes_encrypt_ctx cx[1])
\r
130 cx->ks[0] = ss[0] = word_in(in_key, 0);
\r
131 cx->ks[1] = ss[1] = word_in(in_key, 1);
\r
132 cx->ks[2] = ss[2] = word_in(in_key, 2);
\r
133 cx->ks[3] = ss[3] = word_in(in_key, 3);
\r
134 cx->ks[4] = ss[4] = word_in(in_key, 4);
\r
135 cx->ks[5] = ss[5] = word_in(in_key, 5);
\r
/* Rolled build: the loop (body not visible here) runs (13 * N_COLS - 1) / 6 times. */
137 #if ENC_UNROLL == NONE
\r
140 for(i = 0; i < (13 * N_COLS - 1) / 6; ++i)
\r
/* Unrolled form: cycles 0-6 through ke6, final cycle 7 through kel6. */
144 ke6(cx->ks, 0); ke6(cx->ks, 1);
\r
145 ke6(cx->ks, 2); ke6(cx->ks, 3);
\r
146 ke6(cx->ks, 4); ke6(cx->ks, 5);
\r
147 ke6(cx->ks, 6); kel6(cx->ks, 7);
\r
150 /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit */
\r
151 /* key and must be non-zero for 128 and 192 bits keys */
\r
152 cx->ks[53] = cx->ks[45];
\r
161 #if defined(AES_256) || defined(AES_VAR)
\r
/* Build the AES encryption key schedule in cx->ks from a 32-byte (256-bit)
   key.  in_key is read as eight words through word_in(in_key, 0..7); each
   word is stored both in cx->ks[] and in the working array ss[].
   The braces, the declarations of ss and i, the loop body, the final unrolled
   cycle and the return statement are not visible in this listing.
   NOTE(review): ss[] (declaration not visible, presumably a local) keeps a
   copy of key-derived words and no visible line clears it -- confirm whether
   the stack needs scrubbing after key setup in your threat model. */
163 aes_rval aes_encrypt_key256(const void *in_key, aes_encrypt_ctx cx[1])
\r
166 cx->ks[0] = ss[0] = word_in(in_key, 0);
\r
167 cx->ks[1] = ss[1] = word_in(in_key, 1);
\r
168 cx->ks[2] = ss[2] = word_in(in_key, 2);
\r
169 cx->ks[3] = ss[3] = word_in(in_key, 3);
\r
170 cx->ks[4] = ss[4] = word_in(in_key, 4);
\r
171 cx->ks[5] = ss[5] = word_in(in_key, 5);
\r
172 cx->ks[6] = ss[6] = word_in(in_key, 6);
\r
173 cx->ks[7] = ss[7] = word_in(in_key, 7);
\r
/* Rolled build: the loop (body not visible here) runs (15 * N_COLS - 1) / 8 times. */
175 #if ENC_UNROLL == NONE
\r
178 for(i = 0; i < (15 * N_COLS - 1) / 8; ++i)
\r
/* Unrolled form: cycles 0-5 through ke8; the line holding the last cycle is
   missing from this listing. */
182 ke8(cx->ks, 0); ke8(cx->ks, 1);
\r
183 ke8(cx->ks, 2); ke8(cx->ks, 3);
\r
184 ke8(cx->ks, 4); ke8(cx->ks, 5);
\r
194 #if defined(AES_VAR)
\r
/* Dispatch encryption key setup on key_len, which may be given in bytes
   (16, 24, 32) or in bits (128, 192, 256).  The switch statement, braces and
   the preprocessor conditional separating the two groups of cases below are
   not visible in this listing. */
196 aes_rval aes_encrypt_key(const void *in_key, int key_len, aes_encrypt_ctx cx[1])
\r
/* Variant that reports status: an unsupported key_len returns aes_error. */
201 case 16: case 128: return aes_encrypt_key128(in_key, cx);
\r
202 case 24: case 192: return aes_encrypt_key192(in_key, cx);
\r
203 case 32: case 256: return aes_encrypt_key256(in_key, cx);
\r
204 default: return aes_error;
\r
/* Variant without a return value.  NOTE(review): no default case is visible
   here, so an unsupported key_len appears to leave cx untouched with no
   signal to the caller; callers of this variant should validate key_len
   themselves before using the context -- confirm against the full file. */
206 case 16: case 128: aes_encrypt_key128(in_key, cx); return;
\r
207 case 24: case 192: aes_encrypt_key192(in_key, cx); return;
\r
208 case 32: case 256: aes_encrypt_key256(in_key, cx); return;
\r
217 #if defined(DECRYPTION_KEY_SCHEDULE)
\r
/* When DEC_ROUND is NO_TABLES, ff(x) maps a word through inv_mcol() and
   d_vars expands to dec_imvars.  The definitions used for other DEC_ROUND
   settings are not visible in this listing; inv_mcol and dec_imvars are
   defined elsewhere. */
219 #if DEC_ROUND == NO_TABLES
\r
222 #define ff(x) inv_mcol(x)
\r
224 #define d_vars dec_imvars
\r
/* Decryption key-schedule cycles for a 4-word key, first of the two sets of
   definitions visible in this listing (the preprocessor conditional choosing
   between the sets, and each macro's closing brace, are not shown).
   kdf4 is used for the first cycle and kdl4 for the last one; the fragment
   between them has lost its "#define" line and is presumably kd4, the middle
   cycle.  kdf4 and the middle fragment pass words through ff() on the way
   into k[]; kdl4 stores its words without ff().
   NOTE(review): ls_box and t_use are defined outside this listing; if they
   are table lookups, key setup makes key-dependent memory accesses. */
229 #define kdf4(k,i) \
\r
230 { ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; ss[1] = ss[1] ^ ss[3]; ss[2] = ss[2] ^ ss[3]; ss[3] = ss[3]; \
\r
231 ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; \
\r
232 ss[4] ^= k[4*(i)]; k[4*(i)+4] = ff(ss[4]); ss[4] ^= k[4*(i)+1]; k[4*(i)+5] = ff(ss[4]); \
\r
233 ss[4] ^= k[4*(i)+2]; k[4*(i)+6] = ff(ss[4]); ss[4] ^= k[4*(i)+3]; k[4*(i)+7] = ff(ss[4]); \
\r
236 { ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; ss[4] = ff(ss[4]); \
\r
237 k[4*(i)+4] = ss[4] ^= k[4*(i)]; k[4*(i)+5] = ss[4] ^= k[4*(i)+1]; \
\r
238 k[4*(i)+6] = ss[4] ^= k[4*(i)+2]; k[4*(i)+7] = ss[4] ^= k[4*(i)+3]; \
\r
240 #define kdl4(k,i) \
\r
241 { ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; ss[i % 4] ^= ss[4]; \
\r
242 k[4*(i)+4] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; k[4*(i)+5] = ss[1] ^ ss[3]; \
\r
243 k[4*(i)+6] = ss[0]; k[4*(i)+7] = ss[1]; \
\r
/* Second set of 4-word decryption cycles.  It advances ss[0..3] the same way
   the encryption cycles do; kdf4 stores ff() of each word, the unnamed middle
   fragment (presumably kd4) applies ff() once to the cycle's new term and
   XORs it cumulatively with the previous four k[] words, and kdl4 stores the
   words without ff(). */
246 #define kdf4(k,i) \
\r
247 { ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+ 4] = ff(ss[0]); ss[1] ^= ss[0]; k[4*(i)+ 5] = ff(ss[1]); \
\r
248 ss[2] ^= ss[1]; k[4*(i)+ 6] = ff(ss[2]); ss[3] ^= ss[2]; k[4*(i)+ 7] = ff(ss[3]); \
\r
251 { ss[4] = ls_box(ss[3],3) ^ t_use(r,c)[i]; \
\r
252 ss[0] ^= ss[4]; ss[4] = ff(ss[4]); k[4*(i)+ 4] = ss[4] ^= k[4*(i)]; \
\r
253 ss[1] ^= ss[0]; k[4*(i)+ 5] = ss[4] ^= k[4*(i)+ 1]; \
\r
254 ss[2] ^= ss[1]; k[4*(i)+ 6] = ss[4] ^= k[4*(i)+ 2]; \
\r
255 ss[3] ^= ss[2]; k[4*(i)+ 7] = ss[4] ^= k[4*(i)+ 3]; \
\r
257 #define kdl4(k,i) \
\r
258 { ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+ 4] = ss[0]; ss[1] ^= ss[0]; k[4*(i)+ 5] = ss[1]; \
\r
259 ss[2] ^= ss[1]; k[4*(i)+ 6] = ss[2]; ss[3] ^= ss[2]; k[4*(i)+ 7] = ss[3]; \
\r
/* Decryption key-schedule cycles for a 6-word key.  kdf6 (first cycle) stores
   ff() of each updated ss word into k[]; the fragment after it has lost its
   "#define" line and is presumably kd6, which uses ss[6] as scratch, applies
   ff() once to the cycle's new term and XORs it cumulatively with the
   previous six k[] words; kdl6 (last cycle) stores the words without ff().
   Closing braces, and any further lines of kdl6, are not visible in this
   listing. */
263 #define kdf6(k,i) \
\r
264 { ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 6] = ff(ss[0]); ss[1] ^= ss[0]; k[6*(i)+ 7] = ff(ss[1]); \
\r
265 ss[2] ^= ss[1]; k[6*(i)+ 8] = ff(ss[2]); ss[3] ^= ss[2]; k[6*(i)+ 9] = ff(ss[3]); \
\r
266 ss[4] ^= ss[3]; k[6*(i)+10] = ff(ss[4]); ss[5] ^= ss[4]; k[6*(i)+11] = ff(ss[5]); \
\r
269 { ss[6] = ls_box(ss[5],3) ^ t_use(r,c)[i]; \
\r
270 ss[0] ^= ss[6]; ss[6] = ff(ss[6]); k[6*(i)+ 6] = ss[6] ^= k[6*(i)]; \
\r
271 ss[1] ^= ss[0]; k[6*(i)+ 7] = ss[6] ^= k[6*(i)+ 1]; \
\r
272 ss[2] ^= ss[1]; k[6*(i)+ 8] = ss[6] ^= k[6*(i)+ 2]; \
\r
273 ss[3] ^= ss[2]; k[6*(i)+ 9] = ss[6] ^= k[6*(i)+ 3]; \
\r
274 ss[4] ^= ss[3]; k[6*(i)+10] = ss[6] ^= k[6*(i)+ 4]; \
\r
275 ss[5] ^= ss[4]; k[6*(i)+11] = ss[6] ^= k[6*(i)+ 5]; \
\r
277 #define kdl6(k,i) \
\r
278 { ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 6] = ss[0]; ss[1] ^= ss[0]; k[6*(i)+ 7] = ss[1]; \
\r
279 ss[2] ^= ss[1]; k[6*(i)+ 8] = ss[2]; ss[3] ^= ss[2]; k[6*(i)+ 9] = ss[3]; \
\r
/* Decryption key-schedule cycles for an 8-word key.  kdf8 (first cycle)
   stores ff() of each updated ss word into k[]; the fragment after it has
   lost its "#define" line and is presumably kd8, which keeps its scratch
   value in a block-local aes_32t g; kdl8 (last cycle) stores the words
   without ff().  Both kdf8 and the middle fragment apply ls_box(ss[3],0)
   before the second group of four words.  Closing braces are not visible in
   this listing. */
282 #define kdf8(k,i) \
\r
283 { ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 8] = ff(ss[0]); ss[1] ^= ss[0]; k[8*(i)+ 9] = ff(ss[1]); \
\r
284 ss[2] ^= ss[1]; k[8*(i)+10] = ff(ss[2]); ss[3] ^= ss[2]; k[8*(i)+11] = ff(ss[3]); \
\r
285 ss[4] ^= ls_box(ss[3],0); k[8*(i)+12] = ff(ss[4]); ss[5] ^= ss[4]; k[8*(i)+13] = ff(ss[5]); \
\r
286 ss[6] ^= ss[5]; k[8*(i)+14] = ff(ss[6]); ss[7] ^= ss[6]; k[8*(i)+15] = ff(ss[7]); \
\r
289 { aes_32t g = ls_box(ss[7],3) ^ t_use(r,c)[i]; \
\r
290 ss[0] ^= g; g = ff(g); k[8*(i)+ 8] = g ^= k[8*(i)]; \
\r
291 ss[1] ^= ss[0]; k[8*(i)+ 9] = g ^= k[8*(i)+ 1]; \
\r
292 ss[2] ^= ss[1]; k[8*(i)+10] = g ^= k[8*(i)+ 2]; \
\r
293 ss[3] ^= ss[2]; k[8*(i)+11] = g ^= k[8*(i)+ 3]; \
\r
294 g = ls_box(ss[3],0); \
\r
295 ss[4] ^= g; g = ff(g); k[8*(i)+12] = g ^= k[8*(i)+ 4]; \
\r
296 ss[5] ^= ss[4]; k[8*(i)+13] = g ^= k[8*(i)+ 5]; \
\r
297 ss[6] ^= ss[5]; k[8*(i)+14] = g ^= k[8*(i)+ 6]; \
\r
298 ss[7] ^= ss[6]; k[8*(i)+15] = g ^= k[8*(i)+ 7]; \
\r
300 #define kdl8(k,i) \
\r
301 { ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 8] = ss[0]; ss[1] ^= ss[0]; k[8*(i)+ 9] = ss[1]; \
\r
302 ss[2] ^= ss[1]; k[8*(i)+10] = ss[2]; ss[3] ^= ss[2]; k[8*(i)+11] = ss[3]; \
\r
305 #if defined(AES_128) || defined(AES_VAR)
\r
/* Build the AES decryption key schedule in cx->ks from a 16-byte (128-bit)
   key.  in_key is read as four words through word_in(in_key, 0..3); each
   word is stored both in cx->ks[] and in the working array ss[].
   The braces, the declarations of ss and i, the loop body and the return
   statement are not visible in this listing.
   NOTE(review): ss[] (declaration not visible, presumably a local) keeps a
   copy of key-derived words and no visible line clears it -- confirm whether
   the stack needs scrubbing after key setup in your threat model. */
307 aes_rval aes_decrypt_key128(const void *in_key, aes_decrypt_ctx cx[1])
\r
312 cx->ks[0] = ss[0] = word_in(in_key, 0);
\r
313 cx->ks[1] = ss[1] = word_in(in_key, 1);
\r
314 cx->ks[2] = ss[2] = word_in(in_key, 2);
\r
315 cx->ks[3] = ss[3] = word_in(in_key, 3);
\r
/* Rolled build: the loop (body not visible here) runs (11 * N_COLS - 1) / 4 times. */
317 #if DEC_UNROLL == NONE
\r
320 for(i = 0; i < (11 * N_COLS - 1) / 4; ++i)
\r
/* Unless DEC_ROUND is NO_TABLES, words N_COLS .. 10*N_COLS-1 of the schedule
   are then passed through inv_mcol() in place. */
322 #if !(DEC_ROUND == NO_TABLES)
\r
323 for(i = N_COLS; i < 10 * N_COLS; ++i)
\r
324 cx->ks[i] = inv_mcol(cx->ks[i]);
\r
/* Unrolled form: first cycle through kdf4, cycles 1-8 through kd4, final
   cycle 9 through kdl4. */
328 kdf4(cx->ks, 0); kd4(cx->ks, 1);
\r
329 kd4(cx->ks, 2); kd4(cx->ks, 3);
\r
330 kd4(cx->ks, 4); kd4(cx->ks, 5);
\r
331 kd4(cx->ks, 6); kd4(cx->ks, 7);
\r
332 kd4(cx->ks, 8); kdl4(cx->ks, 9);
\r
335 /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit */
\r
336 /* key and must be non-zero for 128 and 192 bits keys */
\r
337 cx->ks[53] = cx->ks[45] = 0;
\r
346 #if defined(AES_192) || defined(AES_VAR)
\r
/* Build the AES decryption key schedule in cx->ks from a 24-byte (192-bit)
   key.  Words 0-3 of in_key are read through word_in() and stored both in
   cx->ks[] and in the working array ss[]; words 4 and 5 are handled
   differently by the rolled and unrolled forms below.
   The braces, the declarations of ss and i, the loop body and the return
   statement are not visible in this listing.
   NOTE(review): ss[] (declaration not visible, presumably a local) keeps a
   copy of key-derived words and no visible line clears it -- confirm whether
   the stack needs scrubbing after key setup in your threat model. */
348 aes_rval aes_decrypt_key192(const void *in_key, aes_decrypt_ctx cx[1])
\r
353 cx->ks[0] = ss[0] = word_in(in_key, 0);
\r
354 cx->ks[1] = ss[1] = word_in(in_key, 1);
\r
355 cx->ks[2] = ss[2] = word_in(in_key, 2);
\r
356 cx->ks[3] = ss[3] = word_in(in_key, 3);
\r
/* Rolled build: words 4 and 5 are stored unchanged, then the loop (body not
   visible here) runs (13 * N_COLS - 1) / 6 times. */
358 #if DEC_UNROLL == NONE
\r
359 cx->ks[4] = ss[4] = word_in(in_key, 4);
\r
360 cx->ks[5] = ss[5] = word_in(in_key, 5);
\r
363 for(i = 0; i < (13 * N_COLS - 1) / 6; ++i)
\r
/* Unless DEC_ROUND is NO_TABLES, words N_COLS .. 12*N_COLS-1 of the schedule
   are then passed through inv_mcol() in place. */
365 #if !(DEC_ROUND == NO_TABLES)
\r
366 for(i = N_COLS; i < 12 * N_COLS; ++i)
\r
367 cx->ks[i] = inv_mcol(cx->ks[i]);
\r
/* Unrolled form: words 4 and 5 go into cx->ks[] through ff() while ss[] keeps
   the untransformed values; then kdf6, kd6 for cycles 1-6 and kdl6 for the
   final cycle 7. */
371 ss[4] = word_in(in_key, 4);
\r
372 cx->ks[4] = ff(ss[4]);
\r
373 ss[5] = word_in(in_key, 5);
\r
374 cx->ks[5] = ff(ss[5]);
\r
375 kdf6(cx->ks, 0); kd6(cx->ks, 1);
\r
376 kd6(cx->ks, 2); kd6(cx->ks, 3);
\r
377 kd6(cx->ks, 4); kd6(cx->ks, 5);
\r
378 kd6(cx->ks, 6); kdl6(cx->ks, 7);
\r
381 /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit */
\r
382 /* key and must be non-zero for 128 and 192 bits keys */
\r
383 cx->ks[53] = cx->ks[45];
\r
392 #if defined(AES_256) || defined(AES_VAR)
\r
/* Build the AES decryption key schedule in cx->ks from a 32-byte (256-bit)
   key.  Words 0-3 of in_key are read through word_in() and stored both in
   cx->ks[] and in the working array ss[]; words 4-7 are handled differently
   by the rolled and unrolled forms below.
   The braces, the declarations of ss and i, the loop body, the final unrolled
   cycle and the return statement are not visible in this listing.
   NOTE(review): ss[] (declaration not visible, presumably a local) keeps a
   copy of key-derived words and no visible line clears it -- confirm whether
   the stack needs scrubbing after key setup in your threat model. */
394 aes_rval aes_decrypt_key256(const void *in_key, aes_decrypt_ctx cx[1])
\r
399 cx->ks[0] = ss[0] = word_in(in_key, 0);
\r
400 cx->ks[1] = ss[1] = word_in(in_key, 1);
\r
401 cx->ks[2] = ss[2] = word_in(in_key, 2);
\r
402 cx->ks[3] = ss[3] = word_in(in_key, 3);
\r
/* Rolled build: words 4-7 are stored unchanged, then the loop (body not
   visible here) runs (15 * N_COLS - 1) / 8 times. */
404 #if DEC_UNROLL == NONE
\r
405 cx->ks[4] = ss[4] = word_in(in_key, 4);
\r
406 cx->ks[5] = ss[5] = word_in(in_key, 5);
\r
407 cx->ks[6] = ss[6] = word_in(in_key, 6);
\r
408 cx->ks[7] = ss[7] = word_in(in_key, 7);
\r
411 for(i = 0; i < (15 * N_COLS - 1) / 8; ++i)
\r
/* Unless DEC_ROUND is NO_TABLES, words N_COLS .. 14*N_COLS-1 of the schedule
   are then passed through inv_mcol() in place. */
413 #if !(DEC_ROUND == NO_TABLES)
\r
414 for(i = N_COLS; i < 14 * N_COLS; ++i)
\r
415 cx->ks[i] = inv_mcol(cx->ks[i]);
\r
/* Unrolled form: words 4-7 go into cx->ks[] through ff() while ss[] keeps the
   untransformed values; then kdf8 and kd8 for cycles 1-5.  The line holding
   the last cycle is missing from this listing. */
419 ss[4] = word_in(in_key, 4);
\r
420 cx->ks[4] = ff(ss[4]);
\r
421 ss[5] = word_in(in_key, 5);
\r
422 cx->ks[5] = ff(ss[5]);
\r
423 ss[6] = word_in(in_key, 6);
\r
424 cx->ks[6] = ff(ss[6]);
\r
425 ss[7] = word_in(in_key, 7);
\r
426 cx->ks[7] = ff(ss[7]);
\r
427 kdf8(cx->ks, 0); kd8(cx->ks, 1);
\r
428 kd8(cx->ks, 2); kd8(cx->ks, 3);
\r
429 kd8(cx->ks, 4); kd8(cx->ks, 5);
\r
439 #if defined(AES_VAR)
\r
/* Dispatch decryption key setup on key_len, which may be given in bytes
   (16, 24, 32) or in bits (128, 192, 256).  The switch statement, braces and
   the preprocessor conditional separating the two groups of cases below are
   not visible in this listing. */
441 aes_rval aes_decrypt_key(const void *in_key, int key_len, aes_decrypt_ctx cx[1])
\r
/* Variant that reports status: an unsupported key_len returns aes_error. */
446 case 16: case 128: return aes_decrypt_key128(in_key, cx);
\r
447 case 24: case 192: return aes_decrypt_key192(in_key, cx);
\r
448 case 32: case 256: return aes_decrypt_key256(in_key, cx);
\r
449 default: return aes_error;
\r
/* Variant without a return value.  NOTE(review): no default case is visible
   here, so an unsupported key_len appears to leave cx untouched with no
   signal to the caller; callers of this variant should validate key_len
   themselves before using the context -- confirm against the full file. */
451 case 16: case 128: aes_decrypt_key128(in_key, cx); return;
\r
452 case 24: case 192: aes_decrypt_key192(in_key, cx); return;
\r
453 case 32: case 256: aes_decrypt_key256(in_key, cx); return;
\r