Fix rounding issue with FF1

Author: peterdettman

core/src/main/java/org/bouncycastle/crypto/fpe/SP80038G.java

@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.util.RadixConverter;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.BigIntegers;
+import org.bouncycastle.util.Integers;
 import org.bouncycastle.util.Pack;
 
 /*
@@ -64,8 +65,8 @@ static short[] decFF1(BlockCipher cipher, RadixConverter radixConverter, byte[]
     {
         int radix = radixConverter.getRadix();
         int t = T.length;
-        int b = ((int)Math.ceil(Math.log((double)radix) * (double)v / LOG2) + 7) / 8;
-        int d = (((b + 3) / 4) * 4) + 4;
+        int b = calculateB_FF1(radix, v);
+        int d = (b + 7) & ~3;
 
         byte[] P = calculateP_FF1(radix, (byte)u, n, t);
 
@@ -172,8 +173,8 @@ private static short[] encFF1(BlockCipher cipher, RadixConverter radixConverter,
         int radix = radixConverter.getRadix();
         int t = T.length;
 
-        int b = ((int)Math.ceil(Math.log((double)radix) * (double)v / LOG2) + 7) / 8;
-        int d = (((b + 3) / 4) * 4) + 4;
+        int b = calculateB_FF1(radix, v);
+        int d = (b + 7) & ~3;
 
         byte[] P = calculateP_FF1(radix, (byte)u, n, t);
 
@@ -256,6 +257,26 @@ static byte[] encryptFF3_1(BlockCipher cipher, RadixConverter radixConverter, by
         return encryptFF3(cipher, radixConverter, tweak64, buf, off, len);
     }
 
+    protected static int calculateB_FF1(int radix, int v)
+    {
+//        return (BigInteger.valueOf(radix).pow(v).subtract(BigInteger.ONE).bitLength() + 7) / 8;
+
+        int powersOfTwo = Integers.numberOfTrailingZeros(radix); 
+        int bits = powersOfTwo * v;
+
+        int oddPart = radix >>> powersOfTwo;
+        if (oddPart != 1)
+        {
+            // Old version with rounding issues, especially for power of 2 radix, but maybe others.
+//            bits += (int)Math.ceil(Math.log((double)oddPart) * (double)v / LOG2);
+
+            // Exact calculation, with possible performance issues if v is too large.
+            bits += BigInteger.valueOf(oddPart).pow(v).bitLength();
+        }
+
+        return (bits + 7) / 8;
+    }
+
     protected static BigInteger[] calculateModUV(BigInteger bigRadix, int u, int v)
     {
         BigInteger[] modUV = new BigInteger[2];

core/src/test/java/org/bouncycastle/crypto/test/SP80038GTest.java

@@ -496,6 +496,28 @@ public void testFF1Bounds()
         }
     }
 
+    public void testFF1Rounding()
+    {
+        int radix = 256;
+        byte[] key = Hex.decodeStrict("000102030405060708090a0b0c0d0e0f");
+        byte[] tweak = Hex.decodeStrict("0001020304050607");
+        byte[] asciiPT = Hex.decodeStrict("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738");
+        byte[] asciiCT = Hex.decodeStrict("dc18bef8b7d23aa77d1daf7a50c2253c4bacb772129f70805ecd413775bc3bdf7927ce70f455dacf4fdf61b61ac73a5c90fd3d1759dca0bf27");
+        byte[] result = new byte[asciiPT.length];
+
+        FPEEngine fpeEngine = new FPEFF1Engine();
+        FPEParameters fpeParameters = new FPEParameters(new KeyParameter(key), radix, tweak);
+
+        fpeEngine.init(true, fpeParameters);
+        fpeEngine.processBlock(asciiPT, 0, asciiPT.length, result, 0);
+        isTrue("Failed FF1 rounding test (encryption)", areEqual(asciiCT, result));
+
+        fpeEngine.init(false, fpeParameters);
+        fpeEngine.processBlock(asciiCT, 0, asciiCT.length, result, 0);
+
+        isTrue("Failed FF1 rounding test (decryption)", areEqual(asciiPT, result));
+    }
+
     private void testFF3_1Bounds()
         throws IOException
     {
@@ -598,6 +620,7 @@ public void performTest()
         testFF1();
         testFF1w();
         testFF1Bounds();
+        testFF1Rounding();
         testFF3_1();
         testFF3_1w();
         testFF3_1_255();