twofish.go 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342
  1. // Copyright 2011 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. // Package twofish implements Bruce Schneier's Twofish encryption algorithm.
  5. package twofish // import "golang.org/x/crypto/twofish"
  6. // Twofish is defined in http://www.schneier.com/paper-twofish-paper.pdf [TWOFISH]
  7. // This code is a port of the LibTom C implementation.
  8. // See http://libtom.org/?page=features&newsitems=5&whatfile=crypt.
  9. // LibTomCrypt is free for all purposes under the public domain.
  10. // It was heavily inspired by the go blowfish package.
  11. import "strconv"
  12. // BlockSize is the constant block size of Twofish.
  13. const BlockSize = 16
  14. const mdsPolynomial = 0x169 // x^8 + x^6 + x^5 + x^3 + 1, see [TWOFISH] 4.2
  15. const rsPolynomial = 0x14d // x^8 + x^6 + x^3 + x^2 + 1, see [TWOFISH] 4.3
  16. // A Cipher is an instance of Twofish encryption using a particular key.
  17. type Cipher struct {
  18. s [4][256]uint32
  19. k [40]uint32
  20. }
  21. type KeySizeError int
  22. func (k KeySizeError) Error() string {
  23. return "crypto/twofish: invalid key size " + strconv.Itoa(int(k))
  24. }
  25. // NewCipher creates and returns a Cipher.
  26. // The key argument should be the Twofish key, 16, 24 or 32 bytes.
  27. func NewCipher(key []byte) (*Cipher, error) {
  28. keylen := len(key)
  29. if keylen != 16 && keylen != 24 && keylen != 32 {
  30. return nil, KeySizeError(keylen)
  31. }
  32. // k is the number of 64 bit words in key
  33. k := keylen / 8
  34. // Create the S[..] words
  35. var S [4 * 4]byte
  36. for i := 0; i < k; i++ {
  37. // Computes [y0 y1 y2 y3] = rs . [x0 x1 x2 x3 x4 x5 x6 x7]
  38. for j, rsRow := range rs {
  39. for k, rsVal := range rsRow {
  40. S[4*i+j] ^= gfMult(key[8*i+k], rsVal, rsPolynomial)
  41. }
  42. }
  43. }
  44. // Calculate subkeys
  45. c := new(Cipher)
  46. var tmp [4]byte
  47. for i := byte(0); i < 20; i++ {
  48. // A = h(p * 2x, Me)
  49. for j := range tmp {
  50. tmp[j] = 2 * i
  51. }
  52. A := h(tmp[:], key, 0)
  53. // B = rolc(h(p * (2x + 1), Mo), 8)
  54. for j := range tmp {
  55. tmp[j] = 2*i + 1
  56. }
  57. B := h(tmp[:], key, 1)
  58. B = rol(B, 8)
  59. c.k[2*i] = A + B
  60. // K[2i+1] = (A + 2B) <<< 9
  61. c.k[2*i+1] = rol(2*B+A, 9)
  62. }
  63. // Calculate sboxes
  64. switch k {
  65. case 2:
  66. for i := range c.s[0] {
  67. c.s[0][i] = mdsColumnMult(sbox[1][sbox[0][sbox[0][byte(i)]^S[0]]^S[4]], 0)
  68. c.s[1][i] = mdsColumnMult(sbox[0][sbox[0][sbox[1][byte(i)]^S[1]]^S[5]], 1)
  69. c.s[2][i] = mdsColumnMult(sbox[1][sbox[1][sbox[0][byte(i)]^S[2]]^S[6]], 2)
  70. c.s[3][i] = mdsColumnMult(sbox[0][sbox[1][sbox[1][byte(i)]^S[3]]^S[7]], 3)
  71. }
  72. case 3:
  73. for i := range c.s[0] {
  74. c.s[0][i] = mdsColumnMult(sbox[1][sbox[0][sbox[0][sbox[1][byte(i)]^S[0]]^S[4]]^S[8]], 0)
  75. c.s[1][i] = mdsColumnMult(sbox[0][sbox[0][sbox[1][sbox[1][byte(i)]^S[1]]^S[5]]^S[9]], 1)
  76. c.s[2][i] = mdsColumnMult(sbox[1][sbox[1][sbox[0][sbox[0][byte(i)]^S[2]]^S[6]]^S[10]], 2)
  77. c.s[3][i] = mdsColumnMult(sbox[0][sbox[1][sbox[1][sbox[0][byte(i)]^S[3]]^S[7]]^S[11]], 3)
  78. }
  79. default:
  80. for i := range c.s[0] {
  81. c.s[0][i] = mdsColumnMult(sbox[1][sbox[0][sbox[0][sbox[1][sbox[1][byte(i)]^S[0]]^S[4]]^S[8]]^S[12]], 0)
  82. c.s[1][i] = mdsColumnMult(sbox[0][sbox[0][sbox[1][sbox[1][sbox[0][byte(i)]^S[1]]^S[5]]^S[9]]^S[13]], 1)
  83. c.s[2][i] = mdsColumnMult(sbox[1][sbox[1][sbox[0][sbox[0][sbox[0][byte(i)]^S[2]]^S[6]]^S[10]]^S[14]], 2)
  84. c.s[3][i] = mdsColumnMult(sbox[0][sbox[1][sbox[1][sbox[0][sbox[1][byte(i)]^S[3]]^S[7]]^S[11]]^S[15]], 3)
  85. }
  86. }
  87. return c, nil
  88. }
  89. // BlockSize returns the Twofish block size, 16 bytes.
  90. func (c *Cipher) BlockSize() int { return BlockSize }
  91. // store32l stores src in dst in little-endian form.
  92. func store32l(dst []byte, src uint32) {
  93. dst[0] = byte(src)
  94. dst[1] = byte(src >> 8)
  95. dst[2] = byte(src >> 16)
  96. dst[3] = byte(src >> 24)
  97. return
  98. }
  99. // load32l reads a little-endian uint32 from src.
  100. func load32l(src []byte) uint32 {
  101. return uint32(src[0]) | uint32(src[1])<<8 | uint32(src[2])<<16 | uint32(src[3])<<24
  102. }
  103. // rol returns x after a left circular rotation of y bits.
  104. func rol(x, y uint32) uint32 {
  105. return (x << (y & 31)) | (x >> (32 - (y & 31)))
  106. }
  107. // ror returns x after a right circular rotation of y bits.
  108. func ror(x, y uint32) uint32 {
  109. return (x >> (y & 31)) | (x << (32 - (y & 31)))
  110. }
  111. // The RS matrix. See [TWOFISH] 4.3
  112. var rs = [4][8]byte{
  113. {0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E},
  114. {0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5},
  115. {0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19},
  116. {0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03},
  117. }
  118. // sbox tables
  119. var sbox = [2][256]byte{
  120. {
  121. 0xa9, 0x67, 0xb3, 0xe8, 0x04, 0xfd, 0xa3, 0x76, 0x9a, 0x92, 0x80, 0x78, 0xe4, 0xdd, 0xd1, 0x38,
  122. 0x0d, 0xc6, 0x35, 0x98, 0x18, 0xf7, 0xec, 0x6c, 0x43, 0x75, 0x37, 0x26, 0xfa, 0x13, 0x94, 0x48,
  123. 0xf2, 0xd0, 0x8b, 0x30, 0x84, 0x54, 0xdf, 0x23, 0x19, 0x5b, 0x3d, 0x59, 0xf3, 0xae, 0xa2, 0x82,
  124. 0x63, 0x01, 0x83, 0x2e, 0xd9, 0x51, 0x9b, 0x7c, 0xa6, 0xeb, 0xa5, 0xbe, 0x16, 0x0c, 0xe3, 0x61,
  125. 0xc0, 0x8c, 0x3a, 0xf5, 0x73, 0x2c, 0x25, 0x0b, 0xbb, 0x4e, 0x89, 0x6b, 0x53, 0x6a, 0xb4, 0xf1,
  126. 0xe1, 0xe6, 0xbd, 0x45, 0xe2, 0xf4, 0xb6, 0x66, 0xcc, 0x95, 0x03, 0x56, 0xd4, 0x1c, 0x1e, 0xd7,
  127. 0xfb, 0xc3, 0x8e, 0xb5, 0xe9, 0xcf, 0xbf, 0xba, 0xea, 0x77, 0x39, 0xaf, 0x33, 0xc9, 0x62, 0x71,
  128. 0x81, 0x79, 0x09, 0xad, 0x24, 0xcd, 0xf9, 0xd8, 0xe5, 0xc5, 0xb9, 0x4d, 0x44, 0x08, 0x86, 0xe7,
  129. 0xa1, 0x1d, 0xaa, 0xed, 0x06, 0x70, 0xb2, 0xd2, 0x41, 0x7b, 0xa0, 0x11, 0x31, 0xc2, 0x27, 0x90,
  130. 0x20, 0xf6, 0x60, 0xff, 0x96, 0x5c, 0xb1, 0xab, 0x9e, 0x9c, 0x52, 0x1b, 0x5f, 0x93, 0x0a, 0xef,
  131. 0x91, 0x85, 0x49, 0xee, 0x2d, 0x4f, 0x8f, 0x3b, 0x47, 0x87, 0x6d, 0x46, 0xd6, 0x3e, 0x69, 0x64,
  132. 0x2a, 0xce, 0xcb, 0x2f, 0xfc, 0x97, 0x05, 0x7a, 0xac, 0x7f, 0xd5, 0x1a, 0x4b, 0x0e, 0xa7, 0x5a,
  133. 0x28, 0x14, 0x3f, 0x29, 0x88, 0x3c, 0x4c, 0x02, 0xb8, 0xda, 0xb0, 0x17, 0x55, 0x1f, 0x8a, 0x7d,
  134. 0x57, 0xc7, 0x8d, 0x74, 0xb7, 0xc4, 0x9f, 0x72, 0x7e, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34,
  135. 0x6e, 0x50, 0xde, 0x68, 0x65, 0xbc, 0xdb, 0xf8, 0xc8, 0xa8, 0x2b, 0x40, 0xdc, 0xfe, 0x32, 0xa4,
  136. 0xca, 0x10, 0x21, 0xf0, 0xd3, 0x5d, 0x0f, 0x00, 0x6f, 0x9d, 0x36, 0x42, 0x4a, 0x5e, 0xc1, 0xe0,
  137. },
  138. {
  139. 0x75, 0xf3, 0xc6, 0xf4, 0xdb, 0x7b, 0xfb, 0xc8, 0x4a, 0xd3, 0xe6, 0x6b, 0x45, 0x7d, 0xe8, 0x4b,
  140. 0xd6, 0x32, 0xd8, 0xfd, 0x37, 0x71, 0xf1, 0xe1, 0x30, 0x0f, 0xf8, 0x1b, 0x87, 0xfa, 0x06, 0x3f,
  141. 0x5e, 0xba, 0xae, 0x5b, 0x8a, 0x00, 0xbc, 0x9d, 0x6d, 0xc1, 0xb1, 0x0e, 0x80, 0x5d, 0xd2, 0xd5,
  142. 0xa0, 0x84, 0x07, 0x14, 0xb5, 0x90, 0x2c, 0xa3, 0xb2, 0x73, 0x4c, 0x54, 0x92, 0x74, 0x36, 0x51,
  143. 0x38, 0xb0, 0xbd, 0x5a, 0xfc, 0x60, 0x62, 0x96, 0x6c, 0x42, 0xf7, 0x10, 0x7c, 0x28, 0x27, 0x8c,
  144. 0x13, 0x95, 0x9c, 0xc7, 0x24, 0x46, 0x3b, 0x70, 0xca, 0xe3, 0x85, 0xcb, 0x11, 0xd0, 0x93, 0xb8,
  145. 0xa6, 0x83, 0x20, 0xff, 0x9f, 0x77, 0xc3, 0xcc, 0x03, 0x6f, 0x08, 0xbf, 0x40, 0xe7, 0x2b, 0xe2,
  146. 0x79, 0x0c, 0xaa, 0x82, 0x41, 0x3a, 0xea, 0xb9, 0xe4, 0x9a, 0xa4, 0x97, 0x7e, 0xda, 0x7a, 0x17,
  147. 0x66, 0x94, 0xa1, 0x1d, 0x3d, 0xf0, 0xde, 0xb3, 0x0b, 0x72, 0xa7, 0x1c, 0xef, 0xd1, 0x53, 0x3e,
  148. 0x8f, 0x33, 0x26, 0x5f, 0xec, 0x76, 0x2a, 0x49, 0x81, 0x88, 0xee, 0x21, 0xc4, 0x1a, 0xeb, 0xd9,
  149. 0xc5, 0x39, 0x99, 0xcd, 0xad, 0x31, 0x8b, 0x01, 0x18, 0x23, 0xdd, 0x1f, 0x4e, 0x2d, 0xf9, 0x48,
  150. 0x4f, 0xf2, 0x65, 0x8e, 0x78, 0x5c, 0x58, 0x19, 0x8d, 0xe5, 0x98, 0x57, 0x67, 0x7f, 0x05, 0x64,
  151. 0xaf, 0x63, 0xb6, 0xfe, 0xf5, 0xb7, 0x3c, 0xa5, 0xce, 0xe9, 0x68, 0x44, 0xe0, 0x4d, 0x43, 0x69,
  152. 0x29, 0x2e, 0xac, 0x15, 0x59, 0xa8, 0x0a, 0x9e, 0x6e, 0x47, 0xdf, 0x34, 0x35, 0x6a, 0xcf, 0xdc,
  153. 0x22, 0xc9, 0xc0, 0x9b, 0x89, 0xd4, 0xed, 0xab, 0x12, 0xa2, 0x0d, 0x52, 0xbb, 0x02, 0x2f, 0xa9,
  154. 0xd7, 0x61, 0x1e, 0xb4, 0x50, 0x04, 0xf6, 0xc2, 0x16, 0x25, 0x86, 0x56, 0x55, 0x09, 0xbe, 0x91,
  155. },
  156. }
  157. // gfMult returns a·b in GF(2^8)/p
  158. func gfMult(a, b byte, p uint32) byte {
  159. B := [2]uint32{0, uint32(b)}
  160. P := [2]uint32{0, p}
  161. var result uint32
  162. // branchless GF multiplier
  163. for i := 0; i < 7; i++ {
  164. result ^= B[a&1]
  165. a >>= 1
  166. B[1] = P[B[1]>>7] ^ (B[1] << 1)
  167. }
  168. result ^= B[a&1]
  169. return byte(result)
  170. }
  171. // mdsColumnMult calculates y{col} where [y0 y1 y2 y3] = MDS · [x0]
  172. func mdsColumnMult(in byte, col int) uint32 {
  173. mul01 := in
  174. mul5B := gfMult(in, 0x5B, mdsPolynomial)
  175. mulEF := gfMult(in, 0xEF, mdsPolynomial)
  176. switch col {
  177. case 0:
  178. return uint32(mul01) | uint32(mul5B)<<8 | uint32(mulEF)<<16 | uint32(mulEF)<<24
  179. case 1:
  180. return uint32(mulEF) | uint32(mulEF)<<8 | uint32(mul5B)<<16 | uint32(mul01)<<24
  181. case 2:
  182. return uint32(mul5B) | uint32(mulEF)<<8 | uint32(mul01)<<16 | uint32(mulEF)<<24
  183. case 3:
  184. return uint32(mul5B) | uint32(mul01)<<8 | uint32(mulEF)<<16 | uint32(mul5B)<<24
  185. }
  186. panic("unreachable")
  187. }
  188. // h implements the S-box generation function. See [TWOFISH] 4.3.5
  189. func h(in, key []byte, offset int) uint32 {
  190. var y [4]byte
  191. for x := range y {
  192. y[x] = in[x]
  193. }
  194. switch len(key) / 8 {
  195. case 4:
  196. y[0] = sbox[1][y[0]] ^ key[4*(6+offset)+0]
  197. y[1] = sbox[0][y[1]] ^ key[4*(6+offset)+1]
  198. y[2] = sbox[0][y[2]] ^ key[4*(6+offset)+2]
  199. y[3] = sbox[1][y[3]] ^ key[4*(6+offset)+3]
  200. fallthrough
  201. case 3:
  202. y[0] = sbox[1][y[0]] ^ key[4*(4+offset)+0]
  203. y[1] = sbox[1][y[1]] ^ key[4*(4+offset)+1]
  204. y[2] = sbox[0][y[2]] ^ key[4*(4+offset)+2]
  205. y[3] = sbox[0][y[3]] ^ key[4*(4+offset)+3]
  206. fallthrough
  207. case 2:
  208. y[0] = sbox[1][sbox[0][sbox[0][y[0]]^key[4*(2+offset)+0]]^key[4*(0+offset)+0]]
  209. y[1] = sbox[0][sbox[0][sbox[1][y[1]]^key[4*(2+offset)+1]]^key[4*(0+offset)+1]]
  210. y[2] = sbox[1][sbox[1][sbox[0][y[2]]^key[4*(2+offset)+2]]^key[4*(0+offset)+2]]
  211. y[3] = sbox[0][sbox[1][sbox[1][y[3]]^key[4*(2+offset)+3]]^key[4*(0+offset)+3]]
  212. }
  213. // [y0 y1 y2 y3] = MDS . [x0 x1 x2 x3]
  214. var mdsMult uint32
  215. for i := range y {
  216. mdsMult ^= mdsColumnMult(y[i], i)
  217. }
  218. return mdsMult
  219. }
  220. // Encrypt encrypts a 16-byte block from src to dst, which may overlap.
  221. // Note that for amounts of data larger than a block,
  222. // it is not safe to just call Encrypt on successive blocks;
  223. // instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
  224. func (c *Cipher) Encrypt(dst, src []byte) {
  225. S1 := c.s[0]
  226. S2 := c.s[1]
  227. S3 := c.s[2]
  228. S4 := c.s[3]
  229. // Load input
  230. ia := load32l(src[0:4])
  231. ib := load32l(src[4:8])
  232. ic := load32l(src[8:12])
  233. id := load32l(src[12:16])
  234. // Pre-whitening
  235. ia ^= c.k[0]
  236. ib ^= c.k[1]
  237. ic ^= c.k[2]
  238. id ^= c.k[3]
  239. for i := 0; i < 8; i++ {
  240. k := c.k[8+i*4 : 12+i*4]
  241. t2 := S2[byte(ib)] ^ S3[byte(ib>>8)] ^ S4[byte(ib>>16)] ^ S1[byte(ib>>24)]
  242. t1 := S1[byte(ia)] ^ S2[byte(ia>>8)] ^ S3[byte(ia>>16)] ^ S4[byte(ia>>24)] + t2
  243. ic = ror(ic^(t1+k[0]), 1)
  244. id = rol(id, 1) ^ (t2 + t1 + k[1])
  245. t2 = S2[byte(id)] ^ S3[byte(id>>8)] ^ S4[byte(id>>16)] ^ S1[byte(id>>24)]
  246. t1 = S1[byte(ic)] ^ S2[byte(ic>>8)] ^ S3[byte(ic>>16)] ^ S4[byte(ic>>24)] + t2
  247. ia = ror(ia^(t1+k[2]), 1)
  248. ib = rol(ib, 1) ^ (t2 + t1 + k[3])
  249. }
  250. // Output with "undo last swap"
  251. ta := ic ^ c.k[4]
  252. tb := id ^ c.k[5]
  253. tc := ia ^ c.k[6]
  254. td := ib ^ c.k[7]
  255. store32l(dst[0:4], ta)
  256. store32l(dst[4:8], tb)
  257. store32l(dst[8:12], tc)
  258. store32l(dst[12:16], td)
  259. }
  260. // Decrypt decrypts a 16-byte block from src to dst, which may overlap.
  261. func (c *Cipher) Decrypt(dst, src []byte) {
  262. S1 := c.s[0]
  263. S2 := c.s[1]
  264. S3 := c.s[2]
  265. S4 := c.s[3]
  266. // Load input
  267. ta := load32l(src[0:4])
  268. tb := load32l(src[4:8])
  269. tc := load32l(src[8:12])
  270. td := load32l(src[12:16])
  271. // Undo undo final swap
  272. ia := tc ^ c.k[6]
  273. ib := td ^ c.k[7]
  274. ic := ta ^ c.k[4]
  275. id := tb ^ c.k[5]
  276. for i := 8; i > 0; i-- {
  277. k := c.k[4+i*4 : 8+i*4]
  278. t2 := S2[byte(id)] ^ S3[byte(id>>8)] ^ S4[byte(id>>16)] ^ S1[byte(id>>24)]
  279. t1 := S1[byte(ic)] ^ S2[byte(ic>>8)] ^ S3[byte(ic>>16)] ^ S4[byte(ic>>24)] + t2
  280. ia = rol(ia, 1) ^ (t1 + k[2])
  281. ib = ror(ib^(t2+t1+k[3]), 1)
  282. t2 = S2[byte(ib)] ^ S3[byte(ib>>8)] ^ S4[byte(ib>>16)] ^ S1[byte(ib>>24)]
  283. t1 = S1[byte(ia)] ^ S2[byte(ia>>8)] ^ S3[byte(ia>>16)] ^ S4[byte(ia>>24)] + t2
  284. ic = rol(ic, 1) ^ (t1 + k[0])
  285. id = ror(id^(t2+t1+k[1]), 1)
  286. }
  287. // Undo pre-whitening
  288. ia ^= c.k[0]
  289. ib ^= c.k[1]
  290. ic ^= c.k[2]
  291. id ^= c.k[3]
  292. store32l(dst[0:4], ia)
  293. store32l(dst[4:8], ib)
  294. store32l(dst[8:12], ic)
  295. store32l(dst[12:16], id)
  296. }