
Commit 1dc34f1

author
gefeili
committed
Refactor on RomulusDigest and RomulusEngine
1 parent 4bb29fd commit 1dc34f1


2 files changed

+27
-202
lines changed


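--- a/core/src/main/java/org/bouncycastle/crypto/digests/RomulusDigest.java
+++ b/core/src/main/java/org/bouncycastle/crypto/digests/RomulusDigest.java
@@ -1,5 +1,6 @@
 package org.bouncycastle.crypto.digests;
 
+import org.bouncycastle.crypto.engines.RomulusEngine;
 import org.bouncycastle.util.Arrays;
 
 /**
@@ -11,6 +12,15 @@
 public class RomulusDigest
 extends BufferBaseDigest
 {
+public static class Friend
+{
+private static final Friend INSTANCE = new Friend();
+
+private Friend()
+{
+}
+}
+
 byte[] h = new byte[16];
 byte[] g = new byte[16];
 /*
@@ -22,212 +32,26 @@ public class RomulusDigest
 // 8 9 10 11
 //12 13 14 15
 
-// 8-bit Sbox
-private final byte[] sbox_8 =
-{
-(byte)0x65, (byte)0x4c, (byte)0x6a, (byte)0x42, (byte)0x4b, (byte)0x63, (byte)0x43, (byte)0x6b, (byte)0x55,
-(byte)0x75, (byte)0x5a, (byte)0x7a, (byte)0x53, (byte)0x73, (byte)0x5b, (byte)0x7b, (byte)0x35, (byte)0x8c,
-(byte)0x3a, (byte)0x81, (byte)0x89, (byte)0x33, (byte)0x80, (byte)0x3b, (byte)0x95, (byte)0x25, (byte)0x98,
-(byte)0x2a, (byte)0x90, (byte)0x23, (byte)0x99, (byte)0x2b, (byte)0xe5, (byte)0xcc, (byte)0xe8, (byte)0xc1,
-(byte)0xc9, (byte)0xe0, (byte)0xc0, (byte)0xe9, (byte)0xd5, (byte)0xf5, (byte)0xd8, (byte)0xf8, (byte)0xd0,
-(byte)0xf0, (byte)0xd9, (byte)0xf9, (byte)0xa5, (byte)0x1c, (byte)0xa8, (byte)0x12, (byte)0x1b, (byte)0xa0,
-(byte)0x13, (byte)0xa9, (byte)0x05, (byte)0xb5, (byte)0x0a, (byte)0xb8, (byte)0x03, (byte)0xb0, (byte)0x0b,
-(byte)0xb9, (byte)0x32, (byte)0x88, (byte)0x3c, (byte)0x85, (byte)0x8d, (byte)0x34, (byte)0x84, (byte)0x3d,
-(byte)0x91, (byte)0x22, (byte)0x9c, (byte)0x2c, (byte)0x94, (byte)0x24, (byte)0x9d, (byte)0x2d, (byte)0x62,
-(byte)0x4a, (byte)0x6c, (byte)0x45, (byte)0x4d, (byte)0x64, (byte)0x44, (byte)0x6d, (byte)0x52, (byte)0x72,
-(byte)0x5c, (byte)0x7c, (byte)0x54, (byte)0x74, (byte)0x5d, (byte)0x7d, (byte)0xa1, (byte)0x1a, (byte)0xac,
-(byte)0x15, (byte)0x1d, (byte)0xa4, (byte)0x14, (byte)0xad, (byte)0x02, (byte)0xb1, (byte)0x0c, (byte)0xbc,
-(byte)0x04, (byte)0xb4, (byte)0x0d, (byte)0xbd, (byte)0xe1, (byte)0xc8, (byte)0xec, (byte)0xc5, (byte)0xcd,
-(byte)0xe4, (byte)0xc4, (byte)0xed, (byte)0xd1, (byte)0xf1, (byte)0xdc, (byte)0xfc, (byte)0xd4, (byte)0xf4,
-(byte)0xdd, (byte)0xfd, (byte)0x36, (byte)0x8e, (byte)0x38, (byte)0x82, (byte)0x8b, (byte)0x30, (byte)0x83,
-(byte)0x39, (byte)0x96, (byte)0x26, (byte)0x9a, (byte)0x28, (byte)0x93, (byte)0x20, (byte)0x9b, (byte)0x29,
-(byte)0x66, (byte)0x4e, (byte)0x68, (byte)0x41, (byte)0x49, (byte)0x60, (byte)0x40, (byte)0x69, (byte)0x56,
-(byte)0x76, (byte)0x58, (byte)0x78, (byte)0x50, (byte)0x70, (byte)0x59, (byte)0x79, (byte)0xa6, (byte)0x1e,
-(byte)0xaa, (byte)0x11, (byte)0x19, (byte)0xa3, (byte)0x10, (byte)0xab, (byte)0x06, (byte)0xb6, (byte)0x08,
-(byte)0xba, (byte)0x00, (byte)0xb3, (byte)0x09, (byte)0xbb, (byte)0xe6, (byte)0xce, (byte)0xea, (byte)0xc2,
-(byte)0xcb, (byte)0xe3, (byte)0xc3, (byte)0xeb, (byte)0xd6, (byte)0xf6, (byte)0xda, (byte)0xfa, (byte)0xd3,
-(byte)0xf3, (byte)0xdb, (byte)0xfb, (byte)0x31, (byte)0x8a, (byte)0x3e, (byte)0x86, (byte)0x8f, (byte)0x37,
-(byte)0x87, (byte)0x3f, (byte)0x92, (byte)0x21, (byte)0x9e, (byte)0x2e, (byte)0x97, (byte)0x27, (byte)0x9f,
-(byte)0x2f, (byte)0x61, (byte)0x48, (byte)0x6e, (byte)0x46, (byte)0x4f, (byte)0x67, (byte)0x47, (byte)0x6f,
-(byte)0x51, (byte)0x71, (byte)0x5e, (byte)0x7e, (byte)0x57, (byte)0x77, (byte)0x5f, (byte)0x7f, (byte)0xa2,
-(byte)0x18, (byte)0xae, (byte)0x16, (byte)0x1f, (byte)0xa7, (byte)0x17, (byte)0xaf, (byte)0x01, (byte)0xb2,
-(byte)0x0e, (byte)0xbe, (byte)0x07, (byte)0xb7, (byte)0x0f, (byte)0xbf, (byte)0xe2, (byte)0xca, (byte)0xee,
-(byte)0xc6, (byte)0xcf, (byte)0xe7, (byte)0xc7, (byte)0xef, (byte)0xd2, (byte)0xf2, (byte)0xde, (byte)0xfe,
-(byte)0xd7, (byte)0xf7, (byte)0xdf, (byte)0xff
-};
-// Tweakey permutation
-private final byte[] TWEAKEY_P = {9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7};
-
-// round constants
-private final byte[] RC = {
-(byte)0x01, (byte)0x03, (byte)0x07, (byte)0x0F, (byte)0x1F, (byte)0x3E, (byte)0x3D, (byte)0x3B, (byte)0x37, (byte)0x2F,
-(byte)0x1E, (byte)0x3C, (byte)0x39, (byte)0x33, (byte)0x27, (byte)0x0E, (byte)0x1D, (byte)0x3A, (byte)0x35, (byte)0x2B,
-(byte)0x16, (byte)0x2C, (byte)0x18, (byte)0x30, (byte)0x21, (byte)0x02, (byte)0x05, (byte)0x0B, (byte)0x17, (byte)0x2E,
-(byte)0x1C, (byte)0x38, (byte)0x31, (byte)0x23, (byte)0x06, (byte)0x0D, (byte)0x1B, (byte)0x36, (byte)0x2D, (byte)0x1A};
-
 public RomulusDigest()
 {
 super(ProcessingBufferType.Immediate, 32);
 DigestSize = 32;
 algorithmName = "Romulus Hash";
 }
 
-void skinny_128_384_plus_enc(byte[] input, byte[] userkey)
-{
-byte[][] state = new byte[4][4];
-byte[][][] keyCells = new byte[3][4][4];
-int i, j, q, r;
-byte pos, tmp;
-byte[][][] keyCells_tmp = new byte[3][4][4];
-for (i = 0; i < 4; ++i)
-{
-q = i << 2;
-System.arraycopy(input, q, state[i], 0, 4);
-System.arraycopy(userkey, q, keyCells[0][i], 0, 4);
-System.arraycopy(userkey, q + 16, keyCells[1][i], 0, 4);
-System.arraycopy(userkey, q + 32, keyCells[2][i], 0, 4);
-}
-for (int round = 0; round < 40; round++)
-{
-//SubCell8;
-for (i = 0; i < 4; i++)
-{
-for (j = 0; j < 4; j++)
-{
-state[i][j] = sbox_8[state[i][j] & 0xFF];
-}
-}
-//AddConstants
-state[0][0] ^= (RC[round] & 0xf);
-state[1][0] ^= ((RC[round] >>> 4) & 0x3);
-state[2][0] ^= 0x2;
-//AddKey
-// apply the subtweakey to the internal state
-for (i = 0; i <= 1; i++)
-{
-for (j = 0; j < 4; j++)
-{
-state[i][j] ^= keyCells[0][i][j] ^ keyCells[1][i][j] ^ keyCells[2][i][j];
-}
-}
-for (i = 0; i < 4; i++)
-{
-for (j = 0; j < 4; j++)
-{
-//application of the TWEAKEY permutation
-pos = TWEAKEY_P[j + (i << 2)];
-q = pos >>> 2;
-r = pos & 3;
-keyCells_tmp[0][i][j] = keyCells[0][q][r];
-keyCells_tmp[1][i][j] = keyCells[1][q][r];
-keyCells_tmp[2][i][j] = keyCells[2][q][r];
-}
-}
-// update the subtweakey states with the LFSRs
-for (i = 0; i <= 1; i++)
-{
-for (j = 0; j < 4; j++)
-{
-//application of LFSRs for TK updates
-keyCells[0][i][j] = keyCells_tmp[0][i][j];
-tmp = keyCells_tmp[1][i][j];
-keyCells[1][i][j] = (byte)(((tmp << 1) & 0xFE) ^ ((tmp >>> 7) & 0x01) ^ ((tmp >>> 5) & 0x01));
-tmp = keyCells_tmp[2][i][j];
-keyCells[2][i][j] = (byte)(((tmp >>> 1) & 0x7F) ^ ((tmp << 7) & 0x80) ^ ((tmp << 1) & 0x80));
-}
-}
-for (; i < 4; ++i)
-{
-for (j = 0; j < 4; j++)
-{
-keyCells[0][i][j] = keyCells_tmp[0][i][j];
-keyCells[1][i][j] = keyCells_tmp[1][i][j];
-keyCells[2][i][j] = keyCells_tmp[2][i][j];
-}
-}
-//ShiftRows(state);
-tmp = state[1][3];
-state[1][3] = state[1][2];
-state[1][2] = state[1][1];
-state[1][1] = state[1][0];
-state[1][0] = tmp;
-tmp = state[2][0];
-state[2][0] = state[2][2];
-state[2][2] = tmp;
-tmp = state[2][1];
-state[2][1] = state[2][3];
-state[2][3] = tmp;
-tmp = state[3][0];
-state[3][0] = state[3][1];
-state[3][1] = state[3][2];
-state[3][2] = state[3][3];
-state[3][3] = tmp;
-//MixColumn(state);
-for (j = 0; j < 4; j++)
-{
-state[1][j] ^= state[2][j];
-state[2][j] ^= state[0][j];
-state[3][j] ^= state[2][j];
-tmp = state[3][j];
-state[3][j] = state[2][j];
-state[2][j] = state[1][j];
-state[1][j] = state[0][j];
-state[0][j] = tmp;
-}
-} //The last subtweakey should not be added
-for (i = 0; i < 16; i++)
-{
-input[i] = (byte)(state[i >>> 2][i & 0x3] & 0xFF);
-}
-}
-
-
-// The hirose double-block length (DBL) compression function.
-void hirose_128_128_256(byte[] h, byte[] g, byte[] m, int mOff)
-{
-byte[] key = new byte[48];
-byte[] hh = new byte[16];
-int i;
-// assign the key for the hirose compresison function
-System.arraycopy(g, 0, key, 0, 16);
-System.arraycopy(h, 0, g, 0, 16);
-System.arraycopy(h, 0, hh, 0, 16);
-g[0] ^= 0x01;
-System.arraycopy(m, mOff, key, 16, 32);
-skinny_128_384_plus_enc(h, key);
-skinny_128_384_plus_enc(g, key);
-for (i = 0; i < 16; i++)
-{
-h[i] ^= hh[i];
-g[i] ^= hh[i];
-}
-g[0] ^= 0x01;
-}
-
-// Padding function: pads the byte length of the message mod 32 to the last incomplete block.
-// For complete blocks it returns the same block. For an empty block it returns a 0^2n string.
-// The function is called for full block messages to add a 0^2n block. This and the modulus are
-// the only differences compared to the use in Romulus-N
-void ipad_256(byte[] m, int inOff, byte[] mp, int len8)
-{
-System.arraycopy(m, inOff, mp, 0, len8);
-Arrays.fill(mp, len8, 31, (byte)0);
-mp[31] = (byte)(len8 & 0x1f);
-}
-
 @Override
 protected void processBytes(byte[] input, int inOff)
 {
-hirose_128_128_256(h, g, input, inOff);
+RomulusEngine.hirose_128_128_256(Friend.INSTANCE, h, g, input, inOff);
 }
 
 @Override
 protected void finish(byte[] output, int outOff)
 {
-byte[] p = new byte[32];
-ipad_256(m_buf, 0, p, m_bufPos);
+Arrays.fill(m_buf, m_bufPos, 31, (byte)0);
+m_buf[31] = (byte)(m_bufPos & 0x1f);
 h[0] ^= 2;
-hirose_128_128_256(h, g, p, 0);
+RomulusEngine.hirose_128_128_256(Friend.INSTANCE, h, g, m_buf, 0);
 // Assign the output tag
 System.arraycopy(h, 0, output, outOff, 16);
 System.arraycopy(g, 0, output, 16 + outOff, 16);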
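Review bot: The new `Friend` class (new lines 15–22) carries no comment, and a reader who does not know the capability-token idiom will see an empty public class with an apparently unused private singleton. Suggest a Javadoc on it such as `/** Access token: only this class can obtain an instance, so it restricts the public RomulusEngine.hirose_128_128_256 overload to RomulusDigest. */`. In `finish` the padding is now written into `m_buf` itself (new lines 51–52) rather than into a scratch block; that relies on `m_buf` holding at least 32 bytes and on `m_bufPos` being below 32 when `finish` runs, neither of which this hunk shows, so a short comment `// pad in place: m_buf is the 32-byte block buffer` there would record the assumption. `finish` continues beyond the end of the hunk.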

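--- a/core/src/main/java/org/bouncycastle/crypto/engines/RomulusEngine.java
+++ b/core/src/main/java/org/bouncycastle/crypto/engines/RomulusEngine.java
@@ -1,5 +1,6 @@
 package org.bouncycastle.crypto.engines;
 
+import org.bouncycastle.crypto.digests.RomulusDigest;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Bytes;
 
@@ -525,11 +526,14 @@ else if (messegeLen > 0)
 // Pad the nonce and counter
 System.arraycopy(npub, 0, m_aad, 0, 16);
 System.arraycopy(CNT, 0, m_aad, 16, 7);
-ipad_256(m_aad, m_aad, 23);
+Arrays.fill(m_aad, 23, 31, (byte)0);
+m_aad[31] = (byte)(23 & 0x1f);
 }
 else
 {
-ipad_256(CNT_Z, m_aad, 7);
+System.arraycopy(CNT_Z, 0, m_aad, 0, 7);
+Arrays.fill(m_aad, 7, 31, (byte)0);
+m_aad[31] = (byte)(7 & 0x1f);
 }
 h[0] ^= 2;
 hirose_128_128_256(h, g, m_aad, 0);
@@ -850,20 +854,17 @@ private void reset_lfsr_gf56(byte[] CNT)
 CNT[6] = 0x00;
 }
 
-
-// Padding function: pads the byte length of the message mod 32 to the last incomplete block.
-// For complete blocks it returns the same block. For an empty block it returns a 0^2n string.
-// The function is called for full block messages to add a 0^2n block. This and the modulus are
-// the only differences compared to the use in Romulus-N
-void ipad_256(byte[] m, byte[] mp, int len8)
+public static void hirose_128_128_256(RomulusDigest.Friend friend, byte[] h, byte[] g, byte[] m, int mOff)
 {
-System.arraycopy(m, 0, mp, 0, len8);
-Arrays.fill(mp, len8, 31, (byte)0);
-mp[31] = (byte)(len8 & 0x1f);
+if (null == friend)
+{
+throw new NullPointerException("This method is only for use by RomulusDigest");
+}
+hirose_128_128_256(h, g, m, mOff);
 }
 
 // The hirose double-block length (DBL) compression function.
-void hirose_128_128_256(byte[] h, byte[] g, byte[] m, int mOff)
+static void hirose_128_128_256(byte[] h, byte[] g, byte[] m, int mOff)
 {
 byte[] key = new byte[48];
 byte[] hh = new byte[16];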
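Review bot: The new `public static hirose_128_128_256(RomulusDigest.Friend, ...)` overload at new line 857 is public API on a published class but has no Javadoc; suggest `/** Entry point reserved for RomulusDigest: the Friend token cannot be constructed outside that class. @throws NullPointerException if friend is null */` so the purpose of the token parameter is recorded next to the check. The two new imports (`RomulusDigest` here, `RomulusEngine` in the digest) make the digests and engines packages depend on each other, which the old code avoided by duplicating the compression function; the cycle deserves either a one-line comment or moving the token type into this package. Deleting `ipad_256` also left its two statements inlined at new lines 529–530 and 534–536 here and again in `RomulusDigest.finish`; a package-visible `static void ipad_256(byte[] mp, int len8)` holding `Arrays.fill(mp, len8, 31, (byte)0); mp[31] = (byte)(len8 & 0x1f);` would keep a single definition of the padding rule, and the deleted comment describing it could be restored there. The package-private `hirose_128_128_256` body continues past the end of the hunk.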
