Refactor of Grain128AEADEngine

gefeili · gefeili · commit f29c16ba00c4 · 2025-03-14T16:13:44.000+10:30
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/Grain128AEADEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/Grain128AEADEngine.java
@@ -65,9 +65,7 @@ private void initGrain(int[] auth)
         {
             for (int remainder = 0; remainder < 32; ++remainder)
             {
-                int output = getOutput();
-                nfsr = shift(nfsr, (getOutputNFSR() ^ lfsr[0]) & 1);
-                lfsr = shift(lfsr, (getOutputLFSR()) & 1);
+                int output = getByteKeyStream();
                 auth[quotient] |= output << remainder;
             }
         }
@@ -176,6 +174,12 @@ private int[] shift(int[] array, int val)
         return array;
     }
 
+    private void shift()
+    {
+        nfsr = shift(nfsr, (getOutputNFSR() ^ lfsr[0]) & 1);
+        lfsr = shift(lfsr, (getOutputLFSR()) & 1);
+    }
+
     protected void reset(boolean clearMac)
     {
         this.aadOperator.reset();
@@ -208,59 +212,12 @@ private void updateInternalState(int input_i_j)
         int mask = -input_i_j;
         authAcc[0] ^= authSr[0] & mask;
         authAcc[1] ^= authSr[1] & mask;
-
-        authShift(getOutput());
-        nfsr = shift(nfsr, (getOutputNFSR() ^ lfsr[0]) & 1);
-        lfsr = shift(lfsr, (getOutputLFSR()) & 1);
-    }
-
-    private void doProcessAADBytes(byte[] input, int len)
-    {
-        byte[] ader;
-        int aderlen;
-        //encodeDer
-        if (len < 128)
-        {
-            ader = new byte[1 + len];
-            ader[0] = (byte)len;
-            aderlen = 0;
-        }
-        else
-        {
-            // aderlen is the highest bit position divided by 8
-            aderlen = len_length(len);
-            ader = new byte[1 + aderlen + len];
-            ader[0] = (byte)(0x80 | aderlen);
-            int tmp = len;
-            for (int i = 0; i < aderlen; ++i)
-            {
-                ader[1 + i] = (byte)tmp;
-                tmp >>>= 8;
-            }
-        }
-        System.arraycopy(input, 0, ader, 1 + aderlen, len);
-
-        for (int i = 0; i < ader.length; ++i)
-        {
-            byte ader_i = ader[i];
-            for (int j = 0; j < 8; ++j)
-            {
-                nfsr = shift(nfsr, (getOutputNFSR() ^ lfsr[0]) & 1);
-                lfsr = shift(lfsr, (getOutputLFSR()) & 1);
-
-                int ader_i_j = (ader_i >> j) & 1;
-
-                updateInternalState(ader_i_j);
-            }
-        }
-    }
-
-    private void authShift(int val)
-    {
+        int val = getByteKeyStream();
         authSr[0] = (authSr[0] >>> 1) | (authSr[1] << 31);
         authSr[1] = (authSr[1] >>> 1) | (val << 31);
     }
 
+
     public int getUpdateOutputSize(int len)
     {
         int total = processor.getUpdateOutputSize(len);
@@ -281,12 +238,6 @@ public int getUpdateOutputSize(int len)
         }
         return total;
     }
-//
-//    public int getOutputSize(int len)
-//    {
-//        //the last 8 bytes are from AD
-//        return len + MAC_SIZE;
-//    }
 
     @Override
     protected void finishAAD(State nextState, boolean isDoFinal)
@@ -327,7 +278,53 @@ protected void processBufferAAD(byte[] input, int inOff)
     @Override
     protected void processFinalAAD()
     {
-        doProcessAADBytes(((StreamAADOperator)aadOperator).getBytes(), aadOperator.getLen());
+        int len = aadOperator.getLen();
+        byte[] input = ((StreamAADOperator)aadOperator).getBytes();
+        byte[] ader;
+
+        //encodeDer
+        if (len < 128)
+        {
+            ader = new byte[1];
+            ader[0] = (byte)len;
+        }
+        else
+        {
+            // aderlen is the highest bit position divided by 8
+            int aderlen = len_length(len);
+            ader = new byte[1 + aderlen];
+            ader[0] = (byte)(0x80 | aderlen);
+            int tmp = len;
+            for (int i = 0; i < aderlen; ++i)
+            {
+                ader[1 + i] = (byte)tmp;
+                tmp >>>= 8;
+            }
+        }
+
+        absorbAadData(ader, ader.length);
+        absorbAadData(input, len);
+    }
+
+    private void absorbAadData(byte[] ader, int len)
+    {
+        for (int i = 0; i < len; ++i)
+        {
+            byte ader_i = ader[i];
+            for (int j = 0; j < 8; ++j)
+            {
+                shift();
+                int ader_i_j = (ader_i >> j) & 1;
+                updateInternalState(ader_i_j);
+            }
+        }
+    }
+
+    private int getByteKeyStream()
+    {
+        int rlt = getOutput();
+        shift();
+        return rlt;
     }
 
     @Override
@@ -339,13 +336,8 @@ protected void processBufferEncrypt(byte[] input, int inOff, byte[] output, int
             byte cc = 0, input_i = input[inOff + i];
             for (int j = 0; j < 8; ++j)
             {
-                int rlt = getOutput();
-                nfsr = shift(nfsr, (getOutputNFSR() ^ lfsr[0]) & 1);
-                lfsr = shift(lfsr, (getOutputLFSR()) & 1);
-
                 int input_i_j = (input_i >> j) & 1;
-                cc |= (input_i_j ^ rlt) << j;
-
+                cc |= (input_i_j ^ getByteKeyStream()) << j;
                 updateInternalState(input_i_j);
             }
             output[outOff + i] = cc;
@@ -361,13 +353,7 @@ protected void processBufferDecrypt(byte[] input, int inOff, byte[] output, int
             byte cc = 0, input_i = input[inOff + i];
             for (int j = 0; j < 8; ++j)
             {
-                int rlt = getOutput();
-                nfsr = shift(nfsr, (getOutputNFSR() ^ lfsr[0]) & 1);
-                lfsr = shift(lfsr, (getOutputLFSR()) & 1);
-
-                int input_i_j = (input_i >> j) & 1;
-                cc |= (input_i_j ^ rlt) << j;
-
+                cc |= (((input_i >> j) & 1) ^ getByteKeyStream()) << j;
                 updateInternalState((cc >> j) & 1);
             }
             output[outOff + i] = cc;
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java b/core/src/test/java/org/bouncycastle/crypto/test/Grain128AEADTest.java
@@ -1,19 +1,12 @@
 package org.bouncycastle.crypto.test;
 
-import java.io.BufferedReader;
-import java.io.InputStream;
-import java.io.InputStreamReader;
 import java.security.SecureRandom;
-import java.util.HashMap;
 
-import org.bouncycastle.crypto.CipherParameters;
 import org.bouncycastle.crypto.InvalidCipherTextException;
 import org.bouncycastle.crypto.engines.Grain128AEADEngine;
-import org.bouncycastle.crypto.engines.XoodyakEngine;
 import org.bouncycastle.crypto.modes.AEADCipher;
 import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.crypto.params.ParametersWithIV;
-import org.bouncycastle.test.TestResourceFinder;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.test.SimpleTest;
@@ -31,7 +24,7 @@ public String getName()
     public void performTest()
         throws Exception
     {
-
+        CipherTest.implTestVectorsEngine(new Grain128AEADEngine(), "crypto", "LWC_AEAD_KAT_128_96.txt", this);
         checkAEADCipherOutputSize(this, 16, 12, 8, new Grain128AEADEngine());
         CipherTest.checkCipher(32, 12, 100, 128, new CipherTest.Instance()
         {
@@ -43,7 +36,7 @@ public AEADCipher createInstance()
         });
         CipherTest.checkAEADCipherMultipleBlocks(this, 1024, 7, 100, 128, 12, new Grain128AEADEngine());
 
-        CipherTest.implTestVectorsEngine(new Grain128AEADEngine(), "crypto", "LWC_AEAD_KAT_128_96.txt", this);
+
         CipherTest.checkAEADParemeter(this, 16, 12, 8, 16, new Grain128AEADEngine());
         testSplitUpdate();
         testExceptions();
