Refactor in Engines

gefeili · gefeili · commit 6cfa1c243c15 · 2025-01-29T17:45:25.000+10:30
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ISAPEngine.java
@@ -2,7 +2,6 @@
 
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Bytes;
-import org.bouncycastle.util.Longs;
 import org.bouncycastle.util.Pack;
 
 /**
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RomulusEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RomulusEngine.java
@@ -182,10 +182,10 @@ else if (mlen == 0)
                 while (xlen > 0)
                 {
                     offset = mOff;
-                    xlen = ad_encryption(m, mOff, mac_s, k, xlen, mac_CNT, (byte)44);
+                    xlen = ad_encryption(m, mOff, mac_s, k, xlen, mac_CNT);
                     mOff = offset;
                 }
-                nonce_encryption(npub, mac_CNT, mac_s, k, w);
+                block_cipher(mac_s, k, npub, 0, mac_CNT, w);
                 // Tag generation
                 g8A(mac_s, mac, 0);
                 mOff -= mlen;
@@ -198,15 +198,15 @@ else if (mlen == 0)
             System.arraycopy(mac, 0, s, 0, AD_BLK_LEN_HALF);
             if (mlen > 0)
             {
-                nonce_encryption(npub, CNT, s, k, (byte)36);
+                block_cipher(s, k, npub, 0, CNT, (byte)36);
                 while (mlen > AD_BLK_LEN_HALF)
                 {
                     mlen = mlen - AD_BLK_LEN_HALF;
                     rho(m, mOff, output, outOff, s, AD_BLK_LEN_HALF);
                     outOff += AD_BLK_LEN_HALF;
                     mOff += AD_BLK_LEN_HALF;
                     lfsr_gf56(CNT);
-                    nonce_encryption(npub, CNT, s, k, (byte)36);
+                    block_cipher(s, k, npub, 0, CNT, (byte)36);
                 }
                 rho(m, mOff, output, outOff, s, mlen);
             }
@@ -229,18 +229,18 @@ else if (mlen == 0)
                 while (xlen > 0)
                 {
                     offset = mauth;
-                    xlen = ad_encryption(output, mauth, mac_s, k, xlen, mac_CNT, (byte)44);
+                    xlen = ad_encryption(output, mauth, mac_s, k, xlen, mac_CNT);
                     mauth = offset;
                 }
-                nonce_encryption(npub, mac_CNT, mac_s, k, w);
+                block_cipher(mac_s, k, npub, 0, mac_CNT, w);
                 // Tag generation
                 g8A(mac_s, mac, 0);
                 System.arraycopy(m, dataOperator.getLen() - MAC_SIZE, m_buf, 0, MAC_SIZE);
                 m_bufPos = 0;
             }
         }
 
-        int ad_encryption(byte[] A, int AOff, byte[] s, byte[] k, int adlen, byte[] CNT, byte D)
+        int ad_encryption(byte[] A, int AOff, byte[] s, byte[] k, int adlen, byte[] CNT)
         {
             byte[] T = new byte[16];
             byte[] mp = new byte[16];
@@ -259,7 +259,7 @@ int ad_encryption(byte[] A, int AOff, byte[] s, byte[] k, int adlen, byte[] CNT,
                 adlen -= len8;
                 pad(A, AOff, T, n, len8);
                 offset = AOff + len8;
-                block_cipher(s, k, T, 0, CNT, D);
+                block_cipher(s, k, T, 0, CNT, (byte)44);
                 lfsr_gf56(CNT);
             }
             return adlen;
@@ -345,14 +345,14 @@ public void processFinalBlock(byte[] output, int outOff)
             if (messegeLen == 0)
             {
                 lfsr_gf56(CNT);
-                nonce_encryption(npub, CNT, s, k, (byte)0x15);
+                block_cipher(s, k, npub, 0, CNT, (byte)0x15);
             }
             else if (m_bufPos != 0)
             {
                 int len8 = Math.min(m_bufPos, AD_BLK_LEN_HALF);
                 rho(m_buf, 0, output, outOff, s, len8);
                 lfsr_gf56(CNT);
-                nonce_encryption(npub, CNT, s, k, m_bufPos == AD_BLK_LEN_HALF ? (byte)0x14 : (byte)0x15);
+                block_cipher(s, k, npub, 0, CNT, m_bufPos == AD_BLK_LEN_HALF ? (byte)0x14 : (byte)0x15);
             }
             g8A(s, mac, 0);
         }
@@ -393,15 +393,15 @@ public void processFinalAAD()
             if (aadOperator.getLen() == 0)
             {
                 lfsr_gf56(CNT);
-                nonce_encryption(npub, CNT, s, k, (byte)0x1a);
+                block_cipher(s, k, npub, 0, CNT, (byte)0x1a);
             }
             else if ((m_aadPos & 15) != 0)
             {
-                nonce_encryption(npub, CNT, s, k, (byte)0x1a);
+                block_cipher(s, k, npub, 0, CNT, (byte)0x1a);
             }
             else
             {
-                nonce_encryption(npub, CNT, s, k, (byte)0x18);
+                block_cipher(s, k, npub, 0, CNT, (byte)0x18);
             }
             reset_lfsr_gf56(CNT);
         }
@@ -416,7 +416,7 @@ public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int out
                 output[i + outOff] ^= input[i + inOff];
             }
             lfsr_gf56(CNT);
-            nonce_encryption(npub, CNT, s, k, (byte)0x04);
+            block_cipher(s, k, npub, 0, CNT, (byte)0x04);
         }
 
         @Override
@@ -425,12 +425,11 @@ public void processBufferDecrypt(byte[] input, int inOff, byte[] output, int out
             g8A(s, output, outOff);
             for (int i = 0; i < AD_BLK_LEN_HALF; i++)
             {
-                s[i] ^= input[i + inOff];
-                s[i] ^= output[i + outOff];
                 output[i + outOff] ^= input[i + inOff];
+                s[i] ^= output[i + outOff];
             }
             lfsr_gf56(CNT);
-            nonce_encryption(npub, CNT, s, k, (byte)0x04);
+            block_cipher(s, k, npub, 0, CNT, (byte)0x04);
         }
 
         @Override
@@ -562,8 +561,7 @@ else if ((m_aadPos >= 0) && (aadOperator.getLen() != 0))
             }
         }
 
-        @Override
-        public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int outOff)
+        private void processBuffer(byte[] input, int inOff, byte[] output, int outOff)
         {
             System.arraycopy(npub, 0, S, 0, 16);
             block_cipher(S, Z, T, 0, CNT, (byte)64);
@@ -572,44 +570,38 @@ public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int out
             block_cipher(S, Z, T, 0, CNT, (byte)65);
             System.arraycopy(S, 0, Z, 0, 16);
             lfsr_gf56(CNT);
-            // ipad_256(ipad*_128(A)||ipad*_128(C)||N|| CNT
-            System.arraycopy(output, outOff, m_aad, m_aadPos, BlockSize);
+        }
+
+        private void processAfterAbsorbCiphertext()
+        {
             if (m_aadPos == BlockSize)
             {
                 hirose_128_128_256(h, g, m_aad, 0);
                 m_aadPos = 0;
-                lfsr_gf56(CNT_Z);
             }
             else
             {
                 m_aadPos = BlockSize;
-                lfsr_gf56(CNT_Z);
             }
+            lfsr_gf56(CNT_Z);
+        }
+
+        @Override
+        public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int outOff)
+        {
+            processBuffer(input, inOff, output, outOff);
+            // ipad_256(ipad*_128(A)||ipad*_128(C)||N|| CNT
+            System.arraycopy(output, outOff, m_aad, m_aadPos, BlockSize);
+            processAfterAbsorbCiphertext();
         }
 
         @Override
         public void processBufferDecrypt(byte[] input, int inOff, byte[] output, int outOff)
         {
-            System.arraycopy(npub, 0, S, 0, 16);
-            block_cipher(S, Z, T, 0, CNT, (byte)64);
-            Bytes.xor(AD_BLK_LEN_HALF, S, input, inOff, output, outOff);
-            System.arraycopy(npub, 0, S, 0, 16);
-            block_cipher(S, Z, T, 0, CNT, (byte)65);
-            System.arraycopy(S, 0, Z, 0, 16);
-            lfsr_gf56(CNT);
+            processBuffer(input, inOff, output, outOff);
             // ipad_256(ipad*_128(A)||ipad*_128(C)||N|| CNT
             System.arraycopy(input, inOff, m_aad, m_aadPos, BlockSize);
-            if (m_aadPos == BlockSize)
-            {
-                hirose_128_128_256(h, g, m_aad, 0);
-                m_aadPos = 0;
-                lfsr_gf56(CNT_Z);
-            }
-            else
-            {
-                m_aadPos = BlockSize;
-                lfsr_gf56(CNT_Z);
-            }
+            processAfterAbsorbCiphertext();
         }
 
         @Override
@@ -825,18 +817,10 @@ void block_cipher(byte[] s, byte[] K, byte[] T, int tOff, byte[] CNT, byte D)
         skinny_128_384_plus_enc(s, KT);
     }
 
-    // Calls the TBC using the nonce as part of the tweakey
-    void nonce_encryption(byte[] N, byte[] CNT, byte[] s, byte[] k, byte D)
-    {
-        byte[] T = new byte[16];
-        System.arraycopy(N, 0, T, 0, 16);
-        block_cipher(s, k, T, 0, CNT, D);
-    }
-
     private void reset_lfsr_gf56(byte[] CNT)
     {
         CNT[0] = 0x01;
-        Arrays.fill(CNT, 1, 7, (byte) 0);
+        Arrays.fill(CNT, 1, 7, (byte)0);
     }
 
     public static void hirose_128_128_256(RomulusDigest.Friend friend, byte[] h, byte[] g, byte[] m, int mOff)
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/SparkleEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/SparkleEngine.java
@@ -2,7 +2,6 @@
 
 import org.bouncycastle.crypto.digests.SparkleDigest;
 import org.bouncycastle.util.Arrays;
-import org.bouncycastle.util.Bytes;
 import org.bouncycastle.util.Integers;
 import org.bouncycastle.util.Pack;
 

Original file line number	Diff line number	Diff line change
`@@ -182,10 +182,10 @@ else if (mlen == 0)`
`182`	`182`	`while (xlen > 0)`
`183`	`183`	`{`
`184`	`184`	`offset = mOff;`
`185`		`- xlen = ad_encryption(m, mOff, mac_s, k, xlen, mac_CNT, (byte)44);`
	`185`	`+ xlen = ad_encryption(m, mOff, mac_s, k, xlen, mac_CNT);`
`186`	`186`	`mOff = offset;`
`187`	`187`	`}`
`188`		`- nonce_encryption(npub, mac_CNT, mac_s, k, w);`
	`188`	`+ block_cipher(mac_s, k, npub, 0, mac_CNT, w);`
`189`	`189`	`// Tag generation`
`190`	`190`	`g8A(mac_s, mac, 0);`
`191`	`191`	`mOff -= mlen;`
`@@ -198,15 +198,15 @@ else if (mlen == 0)`
`198`	`198`	`System.arraycopy(mac, 0, s, 0, AD_BLK_LEN_HALF);`
`199`	`199`	`if (mlen > 0)`
`200`	`200`	`{`
`201`		`- nonce_encryption(npub, CNT, s, k, (byte)36);`
	`201`	`+ block_cipher(s, k, npub, 0, CNT, (byte)36);`
`202`	`202`	`while (mlen > AD_BLK_LEN_HALF)`
`203`	`203`	`{`
`204`	`204`	`mlen = mlen - AD_BLK_LEN_HALF;`
`205`	`205`	`rho(m, mOff, output, outOff, s, AD_BLK_LEN_HALF);`
`206`	`206`	`outOff += AD_BLK_LEN_HALF;`
`207`	`207`	`mOff += AD_BLK_LEN_HALF;`
`208`	`208`	`lfsr_gf56(CNT);`
`209`		`- nonce_encryption(npub, CNT, s, k, (byte)36);`
	`209`	`+ block_cipher(s, k, npub, 0, CNT, (byte)36);`
`210`	`210`	`}`
`211`	`211`	`rho(m, mOff, output, outOff, s, mlen);`
`212`	`212`	`}`
`@@ -229,18 +229,18 @@ else if (mlen == 0)`
`229`	`229`	`while (xlen > 0)`
`230`	`230`	`{`
`231`	`231`	`offset = mauth;`
`232`		`- xlen = ad_encryption(output, mauth, mac_s, k, xlen, mac_CNT, (byte)44);`
	`232`	`+ xlen = ad_encryption(output, mauth, mac_s, k, xlen, mac_CNT);`
`233`	`233`	`mauth = offset;`
`234`	`234`	`}`
`235`		`- nonce_encryption(npub, mac_CNT, mac_s, k, w);`
	`235`	`+ block_cipher(mac_s, k, npub, 0, mac_CNT, w);`
`236`	`236`	`// Tag generation`
`237`	`237`	`g8A(mac_s, mac, 0);`
`238`	`238`	`System.arraycopy(m, dataOperator.getLen() - MAC_SIZE, m_buf, 0, MAC_SIZE);`
`239`	`239`	`m_bufPos = 0;`
`240`	`240`	`}`
`241`	`241`	`}`
`242`	`242`
`243`		`- int ad_encryption(byte[] A, int AOff, byte[] s, byte[] k, int adlen, byte[] CNT, byte D)`
	`243`	`+ int ad_encryption(byte[] A, int AOff, byte[] s, byte[] k, int adlen, byte[] CNT)`
`244`	`244`	`{`
`245`	`245`	`byte[] T = new byte[16];`
`246`	`246`	`byte[] mp = new byte[16];`
`@@ -259,7 +259,7 @@ int ad_encryption(byte[] A, int AOff, byte[] s, byte[] k, int adlen, byte[] CNT,`
`259`	`259`	`adlen -= len8;`
`260`	`260`	`pad(A, AOff, T, n, len8);`
`261`	`261`	`offset = AOff + len8;`
`262`		`- block_cipher(s, k, T, 0, CNT, D);`
	`262`	`+ block_cipher(s, k, T, 0, CNT, (byte)44);`
`263`	`263`	`lfsr_gf56(CNT);`
`264`	`264`	`}`
`265`	`265`	`return adlen;`
`@@ -345,14 +345,14 @@ public void processFinalBlock(byte[] output, int outOff)`
`345`	`345`	`if (messegeLen == 0)`
`346`	`346`	`{`
`347`	`347`	`lfsr_gf56(CNT);`
`348`		`- nonce_encryption(npub, CNT, s, k, (byte)0x15);`
	`348`	`+ block_cipher(s, k, npub, 0, CNT, (byte)0x15);`
`349`	`349`	`}`
`350`	`350`	`else if (m_bufPos != 0)`
`351`	`351`	`{`
`352`	`352`	`int len8 = Math.min(m_bufPos, AD_BLK_LEN_HALF);`
`353`	`353`	`rho(m_buf, 0, output, outOff, s, len8);`
`354`	`354`	`lfsr_gf56(CNT);`
`355`		`- nonce_encryption(npub, CNT, s, k, m_bufPos == AD_BLK_LEN_HALF ? (byte)0x14 : (byte)0x15);`
	`355`	`+ block_cipher(s, k, npub, 0, CNT, m_bufPos == AD_BLK_LEN_HALF ? (byte)0x14 : (byte)0x15);`
`356`	`356`	`}`
`357`	`357`	`g8A(s, mac, 0);`
`358`	`358`	`}`
`@@ -393,15 +393,15 @@ public void processFinalAAD()`
`393`	`393`	`if (aadOperator.getLen() == 0)`
`394`	`394`	`{`
`395`	`395`	`lfsr_gf56(CNT);`
`396`		`- nonce_encryption(npub, CNT, s, k, (byte)0x1a);`
	`396`	`+ block_cipher(s, k, npub, 0, CNT, (byte)0x1a);`
`397`	`397`	`}`
`398`	`398`	`else if ((m_aadPos & 15) != 0)`
`399`	`399`	`{`
`400`		`- nonce_encryption(npub, CNT, s, k, (byte)0x1a);`
	`400`	`+ block_cipher(s, k, npub, 0, CNT, (byte)0x1a);`
`401`	`401`	`}`
`402`	`402`	`else`
`403`	`403`	`{`
`404`		`- nonce_encryption(npub, CNT, s, k, (byte)0x18);`
	`404`	`+ block_cipher(s, k, npub, 0, CNT, (byte)0x18);`
`405`	`405`	`}`
`406`	`406`	`reset_lfsr_gf56(CNT);`
`407`	`407`	`}`
`@@ -416,7 +416,7 @@ public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int out`
`416`	`416`	`output[i + outOff] ^= input[i + inOff];`
`417`	`417`	`}`
`418`	`418`	`lfsr_gf56(CNT);`
`419`		`- nonce_encryption(npub, CNT, s, k, (byte)0x04);`
	`419`	`+ block_cipher(s, k, npub, 0, CNT, (byte)0x04);`
`420`	`420`	`}`
`421`	`421`
`422`	`422`	`@Override`
`@@ -425,12 +425,11 @@ public void processBufferDecrypt(byte[] input, int inOff, byte[] output, int out`
`425`	`425`	`g8A(s, output, outOff);`
`426`	`426`	`for (int i = 0; i < AD_BLK_LEN_HALF; i++)`
`427`	`427`	`{`
`428`		`- s[i] ^= input[i + inOff];`
`429`		`- s[i] ^= output[i + outOff];`
`430`	`428`	`output[i + outOff] ^= input[i + inOff];`
	`429`	`+ s[i] ^= output[i + outOff];`
`431`	`430`	`}`
`432`	`431`	`lfsr_gf56(CNT);`
`433`		`- nonce_encryption(npub, CNT, s, k, (byte)0x04);`
	`432`	`+ block_cipher(s, k, npub, 0, CNT, (byte)0x04);`
`434`	`433`	`}`
`435`	`434`
`436`	`435`	`@Override`
`@@ -562,8 +561,7 @@ else if ((m_aadPos >= 0) && (aadOperator.getLen() != 0))`
`562`	`561`	`}`
`563`	`562`	`}`
`564`	`563`
`565`		`- @Override`
`566`		`- public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int outOff)`
	`564`	`+ private void processBuffer(byte[] input, int inOff, byte[] output, int outOff)`
`567`	`565`	`{`
`568`	`566`	`System.arraycopy(npub, 0, S, 0, 16);`
`569`	`567`	`block_cipher(S, Z, T, 0, CNT, (byte)64);`
`@@ -572,44 +570,38 @@ public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int out`
`572`	`570`	`block_cipher(S, Z, T, 0, CNT, (byte)65);`
`573`	`571`	`System.arraycopy(S, 0, Z, 0, 16);`
`574`	`572`	`lfsr_gf56(CNT);`
`575`		`- // ipad_256(ipad_128(A)\|\|ipad_128(C)\|\|N\|\| CNT`
`576`		`- System.arraycopy(output, outOff, m_aad, m_aadPos, BlockSize);`
	`573`	`+ }`
	`574`	`+`
	`575`	`+ private void processAfterAbsorbCiphertext()`
	`576`	`+ {`
`577`	`577`	`if (m_aadPos == BlockSize)`
`578`	`578`	`{`
`579`	`579`	`hirose_128_128_256(h, g, m_aad, 0);`
`580`	`580`	`m_aadPos = 0;`
`581`		`- lfsr_gf56(CNT_Z);`
`582`	`581`	`}`
`583`	`582`	`else`
`584`	`583`	`{`
`585`	`584`	`m_aadPos = BlockSize;`
`586`		`- lfsr_gf56(CNT_Z);`
`587`	`585`	`}`
	`586`	`+ lfsr_gf56(CNT_Z);`
	`587`	`+ }`
	`588`	`+`
	`589`	`+ @Override`
	`590`	`+ public void processBufferEncrypt(byte[] input, int inOff, byte[] output, int outOff)`
	`591`	`+ {`
	`592`	`+ processBuffer(input, inOff, output, outOff);`
	`593`	`+ // ipad_256(ipad_128(A)\|\|ipad_128(C)\|\|N\|\| CNT`
	`594`	`+ System.arraycopy(output, outOff, m_aad, m_aadPos, BlockSize);`
	`595`	`+ processAfterAbsorbCiphertext();`
`588`	`596`	`}`
`589`	`597`
`590`	`598`	`@Override`
`591`	`599`	`public void processBufferDecrypt(byte[] input, int inOff, byte[] output, int outOff)`
`592`	`600`	`{`
`593`		`- System.arraycopy(npub, 0, S, 0, 16);`
`594`		`- block_cipher(S, Z, T, 0, CNT, (byte)64);`
`595`		`- Bytes.xor(AD_BLK_LEN_HALF, S, input, inOff, output, outOff);`
`596`		`- System.arraycopy(npub, 0, S, 0, 16);`
`597`		`- block_cipher(S, Z, T, 0, CNT, (byte)65);`
`598`		`- System.arraycopy(S, 0, Z, 0, 16);`
`599`		`- lfsr_gf56(CNT);`
	`601`	`+ processBuffer(input, inOff, output, outOff);`
`600`	`602`	`// ipad_256(ipad_128(A)\|\|ipad_128(C)\|\|N\|\| CNT`
`601`	`603`	`System.arraycopy(input, inOff, m_aad, m_aadPos, BlockSize);`
`602`		`- if (m_aadPos == BlockSize)`
`603`		`- {`
`604`		`- hirose_128_128_256(h, g, m_aad, 0);`
`605`		`- m_aadPos = 0;`
`606`		`- lfsr_gf56(CNT_Z);`
`607`		`- }`
`608`		`- else`
`609`		`- {`
`610`		`- m_aadPos = BlockSize;`
`611`		`- lfsr_gf56(CNT_Z);`
`612`		`- }`
	`604`	`+ processAfterAbsorbCiphertext();`
`613`	`605`	`}`
`614`	`606`
`615`	`607`	`@Override`
`@@ -825,18 +817,10 @@ void block_cipher(byte[] s, byte[] K, byte[] T, int tOff, byte[] CNT, byte D)`
`825`	`817`	`skinny_128_384_plus_enc(s, KT);`
`826`	`818`	`}`
`827`	`819`
`828`		`- // Calls the TBC using the nonce as part of the tweakey`
`829`		`- void nonce_encryption(byte[] N, byte[] CNT, byte[] s, byte[] k, byte D)`
`830`		`- {`
`831`		`- byte[] T = new byte[16];`
`832`		`- System.arraycopy(N, 0, T, 0, 16);`
`833`		`- block_cipher(s, k, T, 0, CNT, D);`
`834`		`- }`
`835`		`-`
`836`	`820`	`private void reset_lfsr_gf56(byte[] CNT)`
`837`	`821`	`{`
`838`	`822`	`CNT[0] = 0x01;`
`839`		`- Arrays.fill(CNT, 1, 7, (byte) 0);`
	`823`	`+ Arrays.fill(CNT, 1, 7, (byte)0);`
`840`	`824`	`}`
`841`	`825`
`842`	`826`	`public static void hirose_128_128_256(RomulusDigest.Friend friend, byte[] h, byte[] g, byte[] m, int mOff)`