2 ---------------------------------------------------------------------------
3 Copyright (c) 2003, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
8 The free distribution and use of this software in both source and binary
9 form is allowed (with or without changes) provided that:
11 1. distributions of this source code include the above copyright
12 notice, this list of conditions and the following disclaimer;
14 2. distributions in binary form include the above copyright
15 notice, this list of conditions and the following disclaimer
16 in the documentation and/or other associated materials;
18 3. the copyright holder's name is not used to endorse products
19 built using this software without specific written permission.
21 ALTERNATIVELY, provided that this notice is retained in full, this product
22 may be distributed under the terms of the GNU General Public License (GPL),
23 in which case the provisions of the GPL apply INSTEAD OF those given above.
27 This software is provided 'as is' with no explicit or implied warranties
28 in respect of its properties, including, but not limited to, correctness
29 and/or fitness for purpose.
30 ---------------------------------------------------------------------------
31 Issue Date: 26/08/2003
37 * \brief This file contains the code for implementing the key schedule for AES
38 * (Rijndael) for block and key sizes of 16, 24, and 32 bytes. See aesopt.h
39 * for further details including optimisation.
41 * \author Dr Brian Gladman <brg@gladman.me.uk>
44 #if defined(__cplusplus)
53 /* Initialise the key schedule from the user supplied key. The key
54 length can be specified in bytes, with legal values of 16, 24
55 and 32, or in bits, with legal values of 128, 192 and 256. These
56 values correspond with Nk values of 4, 6 and 8 respectively.
58 The following macros implement a single cycle in the key
59 schedule generation process. The number of cycles needed
60 for each cx->n_col and nk value is:
                  nk =             4  5  6  7  8
                  ------------------------------
                  cx->n_col = 4   10  9  8  7  7
                  cx->n_col = 5   14 11 10  9  9
                  cx->n_col = 6   19 15 12 11 11
                  cx->n_col = 7   21 19 16 13 14
                  cx->n_col = 8   29 23 19 17 14
/* One cycle of the encryption key schedule for Nk = 4, 6 and 8 (128,
 * 192 and 256 bit keys).  ke<Nk>(k, i) appends Nk words to the key
 * array k starting at word Nk*(i+1), keeping the running Nk word state
 * in the caller's ss[] array: the first new word is the previous last
 * word through ls_box(..., 3) (the S-box step, aesopt.h) xored with
 * round constant i from the t_use(r,c) table; each further word is the
 * xor of its predecessor with the corresponding old word, except that
 * for Nk = 8 the fifth word takes ls_box(ss[3], 0) as well.
 *
 * The kel<Nk> variants are for the final cycle: kel6 and kel8 stop
 * after the four words that complete the 52 and 60 word schedules
 * (kel4 is the same as ke4, since 4 words are exactly one cycle).
 * ss, ls_box and t_use must be in scope where the macros are used.
 */
#define ke4(k,i) \
{   k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; \
    k[4*(i)+5] = ss[1] ^= ss[0]; \
    k[4*(i)+6] = ss[2] ^= ss[1]; \
    k[4*(i)+7] = ss[3] ^= ss[2]; \
}
#define kel4(k,i) \
{   k[4*(i)+4] = ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; \
    k[4*(i)+5] = ss[1] ^= ss[0]; \
    k[4*(i)+6] = ss[2] ^= ss[1]; \
    k[4*(i)+7] = ss[3] ^= ss[2]; \
}

#define ke6(k,i) \
{   k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; \
    k[6*(i)+ 7] = ss[1] ^= ss[0]; \
    k[6*(i)+ 8] = ss[2] ^= ss[1]; \
    k[6*(i)+ 9] = ss[3] ^= ss[2]; \
    k[6*(i)+10] = ss[4] ^= ss[3]; \
    k[6*(i)+11] = ss[5] ^= ss[4]; \
}
#define kel6(k,i) \
{   k[6*(i)+ 6] = ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; \
    k[6*(i)+ 7] = ss[1] ^= ss[0]; \
    k[6*(i)+ 8] = ss[2] ^= ss[1]; \
    k[6*(i)+ 9] = ss[3] ^= ss[2]; \
}

#define ke8(k,i) \
{   k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; \
    k[8*(i)+ 9] = ss[1] ^= ss[0]; \
    k[8*(i)+10] = ss[2] ^= ss[1]; \
    k[8*(i)+11] = ss[3] ^= ss[2]; \
    k[8*(i)+12] = ss[4] ^= ls_box(ss[3],0); \
    k[8*(i)+13] = ss[5] ^= ss[4]; \
    k[8*(i)+14] = ss[6] ^= ss[5]; \
    k[8*(i)+15] = ss[7] ^= ss[6]; \
}
#define kel8(k,i) \
{   k[8*(i)+ 8] = ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; \
    k[8*(i)+ 9] = ss[1] ^= ss[0]; \
    k[8*(i)+10] = ss[2] ^= ss[1]; \
    k[8*(i)+11] = ss[3] ^= ss[2]; \
}
101 #if defined(ENCRYPTION_KEY_SCHEDULE)
103 #if defined(AES_128) || defined(AES_VAR)
/* Set up the encryption key schedule for a 128 bit (Nk = 4) key.
 *
 * in_key: the 16 key bytes, read as 32 bit words with word_in() from
 *         aesopt.h.  The length is not checked here; aes_encrypt_key()
 *         is the entry point that validates it.
 * cx:     context whose ks[] array receives the schedule, words 0..43
 *         for the eleven round keys.
 * Returns aes_good when AES_ERR_CHK is defined; the function is void
 * otherwise.
 *
 * ss[] is the running four word state the ke4/kel4 macros work on.  It
 * holds key material and is not cleared before return.
 */
aes_rval aes_encrypt_key128(const void *in_key, aes_encrypt_ctx cx[1])
{   aes_32t ss[4];
    int w;

    /* the first Nk words of the schedule are the key itself */
    for(w = 0; w < 4; ++w)
        cx->ks[w] = ss[w] = word_in(in_key, w);

#if ENC_UNROLL == NONE
    {   aes_32t i;

        /* (11 * N_COLS - 1) / 4 cycles of four words: ten for N_COLS == 4 */
        for(i = 0; i < ((11 * N_COLS - 1) / 4); ++i)
            ke4(cx->ks, i);
    }
#else
    ke4(cx->ks, 0); ke4(cx->ks, 1); ke4(cx->ks, 2);
    ke4(cx->ks, 3); ke4(cx->ks, 4); ke4(cx->ks, 5);
    ke4(cx->ks, 6); ke4(cx->ks, 7); ke4(cx->ks, 8);
    kel4(cx->ks, 9);
#endif

    /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit key
     * and must be non-zero for 128 and 192 bit keys (presumably how the
     * cipher code tells the key sizes apart).  Only 44 words are
     * produced above, so these two are set explicitly; ks[52] itself
     * is not written by this function. */
    cx->ks[53] = cx->ks[45] = 0;

#if defined( AES_ERR_CHK )
    return aes_good;
#endif
}
138 #if defined(AES_192) || defined(AES_VAR)
/* Set up the encryption key schedule for a 192 bit (Nk = 6) key.
 *
 * in_key: the 24 key bytes, read as 32 bit words with word_in() from
 *         aesopt.h.  The length is not checked here; aes_encrypt_key()
 *         is the entry point that validates it.
 * cx:     context whose ks[] array receives the schedule, words 0..51
 *         for the thirteen round keys.
 * Returns aes_good when AES_ERR_CHK is defined; the function is void
 * otherwise.
 *
 * ss[] is the running six word state the ke6/kel6 macros work on.  It
 * holds key material and is not cleared before return.
 */
aes_rval aes_encrypt_key192(const void *in_key, aes_encrypt_ctx cx[1])
{   aes_32t ss[6];
    int w;

    /* the first Nk words of the schedule are the key itself */
    for(w = 0; w < 6; ++w)
        cx->ks[w] = ss[w] = word_in(in_key, w);

#if ENC_UNROLL == NONE
    {   aes_32t i;

        /* (13 * N_COLS - 1) / 6 cycles of six words: eight for N_COLS == 4 */
        for(i = 0; i < (13 * N_COLS - 1) / 6; ++i)
            ke6(cx->ks, i);
    }
#else
    ke6(cx->ks, 0); ke6(cx->ks, 1); ke6(cx->ks, 2); ke6(cx->ks, 3);
    ke6(cx->ks, 4); ke6(cx->ks, 5); ke6(cx->ks, 6); kel6(cx->ks, 7);
#endif

    /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit key
     * and must be non-zero for 128 and 192 bit keys.  Note that the two
     * forms above differ in ks[52]: the ke6 loop writes ks[52] and
     * ks[53] in its last cycle, whereas kel6 stops at ks[51] and
     * leaves ks[52] unwritten. */
    cx->ks[53] = cx->ks[45];

#if defined( AES_ERR_CHK )
    return aes_good;
#endif
}
174 #if defined(AES_256) || defined(AES_VAR)
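/* Set up the encryption key schedule for a 256 bit (Nk = 8) key.
 *
 * in_key: the 32 key bytes, read as 32 bit words with word_in() from
 *         aesopt.h.  The length is not checked here; aes_encrypt_key()
 *         is the entry point that validates it.
 * cx:     context whose ks[] array receives the schedule, words 0..59
 *         for the fifteen round keys.
 * Returns aes_good when AES_ERR_CHK is defined; the function is void
 * otherwise.
 *
 * No ks[45]/ks[53] adjustment is needed here: for a 256 bit key
 * ks[53] is ks[45] ^ ks[52] by construction (see the note in the 128
 * and 192 bit functions).
 *
 * ss[] is the running eight word state the ke8/kel8 macros work on.
 * It holds key material and is not cleared before return.
 */
aes_rval aes_encrypt_key256(const void *in_key, aes_encrypt_ctx cx[1])
{   aes_32t ss[8];
    int w;

    /* the first Nk words of the schedule are the key itself */
    for(w = 0; w < 8; ++w)
        cx->ks[w] = ss[w] = word_in(in_key, w);

#if ENC_UNROLL == NONE
    {   aes_32t i;

        /* seven cycles ((15 * N_COLS - 1) / 8 with N_COLS == 4).  The
         * last cycle uses kel8, which stops after the four words that
         * complete the 60 word schedule; ke8 at cycle 6 would also
         * write ks[60..63], past the end of a 60 entry ks[] (see
         * KS_LENGTH in aes.h).  This matches the unrolled form below. */
        for(i = 0; i < 6; ++i)
            ke8(cx->ks, i);
        kel8(cx->ks, 6);
    }
#else
    ke8(cx->ks, 0); ke8(cx->ks, 1); ke8(cx->ks, 2);
    ke8(cx->ks, 3); ke8(cx->ks, 4); ke8(cx->ks, 5);
    kel8(cx->ks, 6);
#endif

#if defined( AES_ERR_CHK )
    return aes_good;
#endif
}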
/* Set up the encryption key schedule for a key of 16, 24 or 32 bytes.
 *
 * in_key:  the key bytes.
 * key_len: the key length, either in bytes (16, 24, 32) or in bits
 *          (128, 192, 256); no other value is accepted.
 * cx:      the context to initialise.
 * Returns aes_good, or aes_error for any other key_len, when
 * AES_ERR_CHK is defined.  Without AES_ERR_CHK the function is void
 * and an unsupported key_len leaves cx untouched with no indication,
 * so callers of that build must validate key_len themselves.
 */
aes_rval aes_encrypt_key(const void *in_key, int key_len, aes_encrypt_ctx cx[1])
{
#if defined( AES_ERR_CHK )
    if(key_len == 16 || key_len == 128)
        return aes_encrypt_key128(in_key, cx);
    if(key_len == 24 || key_len == 192)
        return aes_encrypt_key192(in_key, cx);
    if(key_len == 32 || key_len == 256)
        return aes_encrypt_key256(in_key, cx);
    return aes_error;
#else
    if(key_len == 16 || key_len == 128)
        aes_encrypt_key128(in_key, cx);
    else if(key_len == 24 || key_len == 192)
        aes_encrypt_key192(in_key, cx);
    else if(key_len == 32 || key_len == 256)
        aes_encrypt_key256(in_key, cx);
#endif
}
230 #if defined(DECRYPTION_KEY_SCHEDULE)
/* ff() is the transform applied to each decryption round key word as
 * it is stored.  When the decryption round does not use tables
 * (DEC_ROUND == NO_TABLES) the round keys are kept as generated;
 * otherwise they go through inv_mcol() (InvMixColumns), which the
 * table driven decryption round expects.  d_vars names the temporaries
 * inv_mcol() may need (dec_imvars, aesopt.h); the key functions
 * declare them when it is defined. */
#if DEC_ROUND == NO_TABLES
#define ff(x)   (x)
#else
#define ff(x)   inv_mcol(x)
#if defined( dec_imvars )
#define d_vars  dec_imvars
#endif
#endif
/* One cycle of the decryption key schedule for Nk = 4, 6 and 8.  The
 * words are derived exactly as in ke4/ke6/ke8, but every word stored
 * in k is passed through ff() (inv_mcol() when the decryption round
 * uses tables, the identity otherwise).  kdf<Nk> is the first cycle,
 * kd<Nk> the middle cycles and kdl<Nk> the last: the final round key
 * is stored untransformed, so kdl* writes its four words as is.
 *
 * kd* transform the new round constant term once and then xor it into
 * the already transformed previous round key words; this relies on
 * ff() being linear over xor, which both inv_mcol() and the identity
 * are.  ss[] is the caller's running state (ss[4] and ss[6] are scratch
 * for Nk = 4 and 6; kd8 uses a local g instead); ls_box and t_use(r,c)
 * come from aesopt.h.
 *
 * Two equivalent formulations of the Nk = 4 macros are kept; the first
 * is the one compiled.
 */
#if 1
#define kdf4(k,i) \
{   ss[0] = ss[0] ^ ss[2] ^ ss[1] ^ ss[3]; \
    ss[1] = ss[1] ^ ss[3]; \
    ss[2] = ss[2] ^ ss[3]; \
    ss[3] = ss[3]; \
    ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; \
    ss[i % 4] ^= ss[4]; \
    ss[4] ^= k[4*(i)];   k[4*(i)+4] = ff(ss[4]); \
    ss[4] ^= k[4*(i)+1]; k[4*(i)+5] = ff(ss[4]); \
    ss[4] ^= k[4*(i)+2]; k[4*(i)+6] = ff(ss[4]); \
    ss[4] ^= k[4*(i)+3]; k[4*(i)+7] = ff(ss[4]); \
}
#define kd4(k,i) \
{   ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; \
    ss[i % 4] ^= ss[4]; \
    ss[4] = ff(ss[4]); \
    k[4*(i)+4] = ss[4] ^= k[4*(i)]; \
    k[4*(i)+5] = ss[4] ^= k[4*(i)+1]; \
    k[4*(i)+6] = ss[4] ^= k[4*(i)+2]; \
    k[4*(i)+7] = ss[4] ^= k[4*(i)+3]; \
}
#define kdl4(k,i) \
{   ss[4] = ls_box(ss[(i+3) % 4], 3) ^ t_use(r,c)[i]; \
    ss[i % 4] ^= ss[4]; \
    k[4*(i)+4] = (ss[0] ^= ss[1]) ^ ss[2] ^ ss[3]; \
    k[4*(i)+5] = ss[1] ^ ss[3]; \
    k[4*(i)+6] = ss[0]; \
    k[4*(i)+7] = ss[1]; \
}
#else
#define kdf4(k,i) \
{   ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+ 4] = ff(ss[0]); \
    ss[1] ^= ss[0]; k[4*(i)+ 5] = ff(ss[1]); \
    ss[2] ^= ss[1]; k[4*(i)+ 6] = ff(ss[2]); \
    ss[3] ^= ss[2]; k[4*(i)+ 7] = ff(ss[3]); \
}
#define kd4(k,i) \
{   ss[4] = ls_box(ss[3],3) ^ t_use(r,c)[i]; \
    ss[0] ^= ss[4]; ss[4] = ff(ss[4]); k[4*(i)+ 4] = ss[4] ^= k[4*(i)]; \
    ss[1] ^= ss[0]; k[4*(i)+ 5] = ss[4] ^= k[4*(i)+ 1]; \
    ss[2] ^= ss[1]; k[4*(i)+ 6] = ss[4] ^= k[4*(i)+ 2]; \
    ss[3] ^= ss[2]; k[4*(i)+ 7] = ss[4] ^= k[4*(i)+ 3]; \
}
#define kdl4(k,i) \
{   ss[0] ^= ls_box(ss[3],3) ^ t_use(r,c)[i]; k[4*(i)+ 4] = ss[0]; \
    ss[1] ^= ss[0]; k[4*(i)+ 5] = ss[1]; \
    ss[2] ^= ss[1]; k[4*(i)+ 6] = ss[2]; \
    ss[3] ^= ss[2]; k[4*(i)+ 7] = ss[3]; \
}
#endif

#define kdf6(k,i) \
{   ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 6] = ff(ss[0]); \
    ss[1] ^= ss[0]; k[6*(i)+ 7] = ff(ss[1]); \
    ss[2] ^= ss[1]; k[6*(i)+ 8] = ff(ss[2]); \
    ss[3] ^= ss[2]; k[6*(i)+ 9] = ff(ss[3]); \
    ss[4] ^= ss[3]; k[6*(i)+10] = ff(ss[4]); \
    ss[5] ^= ss[4]; k[6*(i)+11] = ff(ss[5]); \
}
#define kd6(k,i) \
{   ss[6] = ls_box(ss[5],3) ^ t_use(r,c)[i]; \
    ss[0] ^= ss[6]; ss[6] = ff(ss[6]); k[6*(i)+ 6] = ss[6] ^= k[6*(i)]; \
    ss[1] ^= ss[0]; k[6*(i)+ 7] = ss[6] ^= k[6*(i)+ 1]; \
    ss[2] ^= ss[1]; k[6*(i)+ 8] = ss[6] ^= k[6*(i)+ 2]; \
    ss[3] ^= ss[2]; k[6*(i)+ 9] = ss[6] ^= k[6*(i)+ 3]; \
    ss[4] ^= ss[3]; k[6*(i)+10] = ss[6] ^= k[6*(i)+ 4]; \
    ss[5] ^= ss[4]; k[6*(i)+11] = ss[6] ^= k[6*(i)+ 5]; \
}
#define kdl6(k,i) \
{   ss[0] ^= ls_box(ss[5],3) ^ t_use(r,c)[i]; k[6*(i)+ 6] = ss[0]; \
    ss[1] ^= ss[0]; k[6*(i)+ 7] = ss[1]; \
    ss[2] ^= ss[1]; k[6*(i)+ 8] = ss[2]; \
    ss[3] ^= ss[2]; k[6*(i)+ 9] = ss[3]; \
}

#define kdf8(k,i) \
{   ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 8] = ff(ss[0]); \
    ss[1] ^= ss[0]; k[8*(i)+ 9] = ff(ss[1]); \
    ss[2] ^= ss[1]; k[8*(i)+10] = ff(ss[2]); \
    ss[3] ^= ss[2]; k[8*(i)+11] = ff(ss[3]); \
    ss[4] ^= ls_box(ss[3],0); k[8*(i)+12] = ff(ss[4]); \
    ss[5] ^= ss[4]; k[8*(i)+13] = ff(ss[5]); \
    ss[6] ^= ss[5]; k[8*(i)+14] = ff(ss[6]); \
    ss[7] ^= ss[6]; k[8*(i)+15] = ff(ss[7]); \
}
#define kd8(k,i) \
{   aes_32t g = ls_box(ss[7],3) ^ t_use(r,c)[i]; \
    ss[0] ^= g; g = ff(g); k[8*(i)+ 8] = g ^= k[8*(i)]; \
    ss[1] ^= ss[0]; k[8*(i)+ 9] = g ^= k[8*(i)+ 1]; \
    ss[2] ^= ss[1]; k[8*(i)+10] = g ^= k[8*(i)+ 2]; \
    ss[3] ^= ss[2]; k[8*(i)+11] = g ^= k[8*(i)+ 3]; \
    g = ls_box(ss[3],0); \
    ss[4] ^= g; g = ff(g); k[8*(i)+12] = g ^= k[8*(i)+ 4]; \
    ss[5] ^= ss[4]; k[8*(i)+13] = g ^= k[8*(i)+ 5]; \
    ss[6] ^= ss[5]; k[8*(i)+14] = g ^= k[8*(i)+ 6]; \
    ss[7] ^= ss[6]; k[8*(i)+15] = g ^= k[8*(i)+ 7]; \
}
#define kdl8(k,i) \
{   ss[0] ^= ls_box(ss[7],3) ^ t_use(r,c)[i]; k[8*(i)+ 8] = ss[0]; \
    ss[1] ^= ss[0]; k[8*(i)+ 9] = ss[1]; \
    ss[2] ^= ss[1]; k[8*(i)+10] = ss[2]; \
    ss[3] ^= ss[2]; k[8*(i)+11] = ss[3]; \
}
318 #if defined(AES_128) || defined(AES_VAR)
/* Set up the decryption key schedule for a 128 bit (Nk = 4) key.
 *
 * in_key: the 16 key bytes, read as 32 bit words with word_in() from
 *         aesopt.h.  The length is not checked here; aes_decrypt_key()
 *         is the entry point that validates it.
 * cx:     context whose ks[] array receives the schedule, words 0..43.
 *         Unless DEC_ROUND == NO_TABLES, the round keys for rounds
 *         1..9 (words N_COLS .. 10*N_COLS-1) are stored through
 *         inv_mcol(); the first and last round keys are stored as is.
 * Returns aes_good when AES_ERR_CHK is defined; the function is void
 * otherwise.
 *
 * With DEC_UNROLL == NONE the encryption schedule is generated with
 * ke4 and the middle round keys are transformed afterwards; otherwise
 * the kdf4/kd4/kdl4 macros transform each word as it is produced.
 * ss[] (ss[4] is scratch for the kd* macros) holds key material and is
 * not cleared before return.
 */
aes_rval aes_decrypt_key128(const void *in_key, aes_decrypt_ctx cx[1])
{   aes_32t ss[5];
    int w;
#if defined( d_vars )
    d_vars;
#endif

    /* the first Nk words of the schedule are the key itself */
    for(w = 0; w < 4; ++w)
        cx->ks[w] = ss[w] = word_in(in_key, w);

#if DEC_UNROLL == NONE
    {   aes_32t i;

        /* (11 * N_COLS - 1) / 4 cycles of four words: ten for N_COLS == 4 */
        for(i = 0; i < (11 * N_COLS - 1) / 4; ++i)
            ke4(cx->ks, i);
#if !(DEC_ROUND == NO_TABLES)
        for(i = N_COLS; i < 10 * N_COLS; ++i)
            cx->ks[i] = inv_mcol(cx->ks[i]);
#endif
    }
#else
    kdf4(cx->ks, 0); kd4(cx->ks, 1); kd4(cx->ks, 2);
    kd4(cx->ks, 3);  kd4(cx->ks, 4); kd4(cx->ks, 5);
    kd4(cx->ks, 6);  kd4(cx->ks, 7); kd4(cx->ks, 8);
    kdl4(cx->ks, 9);
#endif

    /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit key
     * and must be non-zero for 128 and 192 bit keys (presumably how the
     * cipher code tells the key sizes apart).  Only 44 words are
     * produced above, so these two are set explicitly; ks[52] itself
     * is not written by this function. */
    cx->ks[53] = cx->ks[45] = 0;

#if defined( AES_ERR_CHK )
    return aes_good;
#endif
}
359 #if defined(AES_192) || defined(AES_VAR)
/* Set up the decryption key schedule for a 192 bit (Nk = 6) key.
 *
 * in_key: the 24 key bytes, read as 32 bit words with word_in() from
 *         aesopt.h.  The length is not checked here; aes_decrypt_key()
 *         is the entry point that validates it.
 * cx:     context whose ks[] array receives the schedule, words 0..51.
 *         Unless DEC_ROUND == NO_TABLES, the round keys for rounds
 *         1..11 (words N_COLS .. 12*N_COLS-1) are stored through
 *         inv_mcol(); the first and last round keys are stored as is.
 * Returns aes_good when AES_ERR_CHK is defined; the function is void
 * otherwise.
 *
 * With DEC_UNROLL == NONE the encryption schedule is generated with
 * ke6 and the middle round keys are transformed afterwards; otherwise
 * the kdf6/kd6/kdl6 macros transform each word as it is produced, and
 * key words 4 and 5, which belong to round key 1, are transformed on
 * the way in.  ss[] (ss[6] is scratch for kd6) holds key material and
 * is not cleared before return.
 */
aes_rval aes_decrypt_key192(const void *in_key, aes_decrypt_ctx cx[1])
{   aes_32t ss[7];
    int w;
#if defined( d_vars )
    d_vars;
#endif

    /* the first four key words form round key 0 and are never transformed */
    for(w = 0; w < 4; ++w)
        cx->ks[w] = ss[w] = word_in(in_key, w);

#if DEC_UNROLL == NONE
    {   aes_32t i;

        cx->ks[4] = ss[4] = word_in(in_key, 4);
        cx->ks[5] = ss[5] = word_in(in_key, 5);

        /* (13 * N_COLS - 1) / 6 cycles of six words: eight for N_COLS == 4 */
        for(i = 0; i < (13 * N_COLS - 1) / 6; ++i)
            ke6(cx->ks, i);
#if !(DEC_ROUND == NO_TABLES)
        for(i = N_COLS; i < 12 * N_COLS; ++i)
            cx->ks[i] = inv_mcol(cx->ks[i]);
#endif
    }
#else
    cx->ks[4] = ff(ss[4] = word_in(in_key, 4));
    cx->ks[5] = ff(ss[5] = word_in(in_key, 5));
    kdf6(cx->ks, 0); kd6(cx->ks, 1); kd6(cx->ks, 2); kd6(cx->ks, 3);
    kd6(cx->ks, 4);  kd6(cx->ks, 5); kd6(cx->ks, 6); kdl6(cx->ks, 7);
#endif

    /* cx->ks[45] ^ cx->ks[52] ^ cx->ks[53] is zero for a 256 bit key
     * and must be non-zero for 128 and 192 bit keys.  Note that the two
     * forms above differ in ks[52]: the ke6 loop writes ks[52] and
     * ks[53] in its last cycle, whereas kdl6 stops at ks[51] and
     * leaves ks[52] unwritten. */
    cx->ks[53] = cx->ks[45];

#if defined( AES_ERR_CHK )
    return aes_good;
#endif
}
403 #if defined(AES_256) || defined(AES_VAR)
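/* Set up the decryption key schedule for a 256 bit (Nk = 8) key.
 *
 * in_key: the 32 key bytes, read as 32 bit words with word_in() from
 *         aesopt.h.  The length is not checked here; aes_decrypt_key()
 *         is the entry point that validates it.
 * cx:     context whose ks[] array receives the schedule, words 0..59.
 *         Unless DEC_ROUND == NO_TABLES, the round keys for rounds
 *         1..13 (words N_COLS .. 14*N_COLS-1) are stored through
 *         inv_mcol(); the first and last round keys are stored as is.
 * Returns aes_good when AES_ERR_CHK is defined; the function is void
 * otherwise.
 *
 * With DEC_UNROLL == NONE the encryption schedule is generated with
 * ke8/kel8 and the middle round keys are transformed afterwards;
 * otherwise the kdf8/kd8/kdl8 macros transform each word as it is
 * produced, and key words 4..7, which form round key 1, are
 * transformed on the way in.  No ks[45]/ks[53] adjustment is needed
 * for this key size (see the 128 and 192 bit functions).  ss[] holds
 * key material and is not cleared before return.
 */
aes_rval aes_decrypt_key256(const void *in_key, aes_decrypt_ctx cx[1])
{   aes_32t ss[8];
    int w;
#if defined( d_vars )
    d_vars;
#endif

    /* the first four key words form round key 0 and are never transformed */
    for(w = 0; w < 4; ++w)
        cx->ks[w] = ss[w] = word_in(in_key, w);

#if DEC_UNROLL == NONE
    {   aes_32t i;

        for(w = 4; w < 8; ++w)
            cx->ks[w] = ss[w] = word_in(in_key, w);

        /* seven cycles ((15 * N_COLS - 1) / 8 with N_COLS == 4).  The
         * last cycle uses kel8, which stops after the four words that
         * complete the 60 word schedule; ke8 at cycle 6 would also
         * write ks[60..63], past the end of a 60 entry ks[] (see
         * KS_LENGTH in aes.h).  This matches the unrolled form below. */
        for(i = 0; i < 6; ++i)
            ke8(cx->ks, i);
        kel8(cx->ks, 6);
#if !(DEC_ROUND == NO_TABLES)
        for(i = N_COLS; i < 14 * N_COLS; ++i)
            cx->ks[i] = inv_mcol(cx->ks[i]);
#endif
    }
#else
    cx->ks[4] = ff(ss[4] = word_in(in_key, 4));
    cx->ks[5] = ff(ss[5] = word_in(in_key, 5));
    cx->ks[6] = ff(ss[6] = word_in(in_key, 6));
    cx->ks[7] = ff(ss[7] = word_in(in_key, 7));
    kdf8(cx->ks, 0); kd8(cx->ks, 1); kd8(cx->ks, 2);
    kd8(cx->ks, 3);  kd8(cx->ks, 4); kd8(cx->ks, 5);
    kdl8(cx->ks, 6);
#endif

#if defined( AES_ERR_CHK )
    return aes_good;
#endif
}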
/* Set up the decryption key schedule for a key of 16, 24 or 32 bytes.
 *
 * in_key:  the key bytes.
 * key_len: the key length, either in bytes (16, 24, 32) or in bits
 *          (128, 192, 256); no other value is accepted.
 * cx:      the context to initialise.
 * Returns aes_good, or aes_error for any other key_len, when
 * AES_ERR_CHK is defined.  Without AES_ERR_CHK the function is void
 * and an unsupported key_len leaves cx untouched with no indication,
 * so callers of that build must validate key_len themselves.
 */
aes_rval aes_decrypt_key(const void *in_key, int key_len, aes_decrypt_ctx cx[1])
{
#if defined( AES_ERR_CHK )
    if(key_len == 16 || key_len == 128)
        return aes_decrypt_key128(in_key, cx);
    if(key_len == 24 || key_len == 192)
        return aes_decrypt_key192(in_key, cx);
    if(key_len == 32 || key_len == 256)
        return aes_decrypt_key256(in_key, cx);
    return aes_error;
#else
    if(key_len == 16 || key_len == 128)
        aes_decrypt_key128(in_key, cx);
    else if(key_len == 24 || key_len == 192)
        aes_decrypt_key192(in_key, cx);
    else if(key_len == 32 || key_len == 256)
        aes_decrypt_key256(in_key, cx);
#endif
}
469 #endif /* !HAVE_CRYPTO */
471 #if defined(__cplusplus)