1 /* _rabbit.c - An implementation of the Rabbit stream cipher
2 *
3 * This implementation of the Rabbit stream cipher is derived from the
4 * reference ANSI C code provided in the appendix of the paper,
5 * "Rabbit: A New High-Performance Stream Cipher", by Martin Boesgaard,
6 * Mette Vesterager, Thomas Pedersen, Jesper Christiansen, and
7 * Ove Scavenius of Cryptico A/S.
8 *
9 * For more information, please visit the Cryptico website at
10 * http://www.cryptico.com.
11 *
12 * Copyright (C) 2004 Julius C. Duque
13 * Copyright (C) 2003 Cryptico A/S
14 *
15 * This library is free software; you can redistribute it and/or modify
16 * it under the same terms as the GNU General Public License.
17 *
18 * The Rabbit stream cipher is the copyrighted work of Cryptico A/S,
19 * and use of Rabbit may only be used for non-commercial purposes. Any
20 * reproduction or redistribution of Rabbit not in accordance with
21 * Cryptico's license agreement is expressly prohibited by law, and may
22 * result in severe civil and criminal penalties. Violators will be
23 * prosecuted to the maximum extent possible.
24 *
25 * This copyright does not prohibit distribution of any version of Perl
26 * containing this extension under the terms of the GNU or Artistic
27 * licenses.
28 */
29
30 #include <stddef.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33
34 /* Type declarations of 32-bit and 8-bit unsigned integers */
35 typedef unsigned int uint32;
36 typedef unsigned char byte;
37
38 /* Structure to store the instance data (internal state) */
39 typedef struct t_instance {
40 uint32 x[8];
41 uint32 c[8];
42 uint32 carry;
43 } t_instance;
44
45 void key_setup(t_instance *p_instance, const byte *p_key);
46 void cipher(t_instance *p_instance, const byte *p_src,
47 byte *p_dest, size_t data_size);
48
_rotl(uint32 x,int rot)49 uint32 _rotl(uint32 x, int rot) {
50 return (x << rot) | (x >> (32 - rot));
51 }
52
53 /* Square a 32-bit number to obtain the 64-bit result and return
54 the upper 32-bit XOR the lower 32-bit */
g_func(uint32 x)55 uint32 g_func(uint32 x) {
56
57 /* Construct high and low argument for squaring */
58 uint32 a = x & 0xffff;
59 uint32 b = x >> 16;
60
61 /* Calculate high and low result of squaring */
62 uint32 h = ((((a * a) >> 17) + (a * b)) >> 15) + (b * b);
63 uint32 l = x * x;
64
65 /* Return high XOR low */
66 return (h ^ l);
67 }
68
69 /* Calculate the next internal state */
next_state(t_instance * p_instance)70 void next_state(t_instance *p_instance) {
71 uint32 g[8], c_old[8], i;
72
73 /* Save old counter values */
74 for (i = 0; i < 8; i++)
75 c_old[i] = p_instance->c[i];
76
77 /* Calculate new counter values */
78 p_instance->c[0] += 0x4d34d34d + p_instance->carry;
79 p_instance->c[1] += 0xd34d34d3 + (p_instance->c[0] < c_old[0]);
80 p_instance->c[2] += 0x34d34d34 + (p_instance->c[1] < c_old[1]);
81 p_instance->c[3] += 0x4d34d34d + (p_instance->c[2] < c_old[2]);
82 p_instance->c[4] += 0xd34d34d3 + (p_instance->c[3] < c_old[3]);
83 p_instance->c[5] += 0x34d34d34 + (p_instance->c[4] < c_old[4]);
84 p_instance->c[6] += 0x4d34d34d + (p_instance->c[5] < c_old[5]);
85 p_instance->c[7] += 0xd34d34d3 + (p_instance->c[6] < c_old[6]);
86 p_instance->carry = (p_instance->c[7] < c_old[7]);
87
88 /* Calculate the g-functions */
89 for (i = 0; i < 8; i++)
90 g[i] = g_func(p_instance->x[i] + p_instance->c[i]);
91
92 /* Calculate new state values */
93 p_instance->x[0] = g[0] + _rotl(g[7], 16) + _rotl(g[6], 16);
94 p_instance->x[1] = g[1] + _rotl(g[0], 8) + g[7];
95 p_instance->x[2] = g[2] + _rotl(g[1], 16) + _rotl(g[0], 16);
96 p_instance->x[3] = g[3] + _rotl(g[2], 8) + g[1];
97 p_instance->x[4] = g[4] + _rotl(g[3], 16) + _rotl(g[2], 16);
98 p_instance->x[5] = g[5] + _rotl(g[4], 8) + g[3];
99 p_instance->x[6] = g[6] + _rotl(g[5], 16) + _rotl(g[4], 16);
100 p_instance->x[7] = g[7] + _rotl(g[6], 8) + g[5];
101 }
102
103 /* key_setup */
key_setup(t_instance * p_instance,const byte * p_key)104 void key_setup(t_instance *p_instance, const byte *p_key) {
105 uint32 k0, k1, k2, k3, i;
106
107 /* Generate four subkeys */
108 k0 = *(uint32*)(p_key + 0);
109 k1 = *(uint32*)(p_key + 4);
110 k2 = *(uint32*)(p_key + 8);
111 k3 = *(uint32*)(p_key + 12);
112
113 /* Generate initial state variables */
114 p_instance->x[0] = k0;
115 p_instance->x[2] = k1;
116 p_instance->x[4] = k2;
117 p_instance->x[6] = k3;
118 p_instance->x[1] = (k3 << 16) | (k2 >> 16);
119 p_instance->x[3] = (k0 << 16) | (k3 >> 16);
120 p_instance->x[5] = (k1 << 16) | (k0 >> 16);
121 p_instance->x[7] = (k2 << 16) | (k1 >> 16);
122
123 /* Generate initial counter values */
124 p_instance->c[0] = _rotl(k2, 16);
125 p_instance->c[2] = _rotl(k3, 16);
126 p_instance->c[4] = _rotl(k0, 16);
127 p_instance->c[6] = _rotl(k1, 16);
128 p_instance->c[1] = (k0 & 0xFFFF0000) | (k1 & 0xFFFF);
129 p_instance->c[3] = (k1 & 0xFFFF0000) | (k2 & 0xFFFF);
130 p_instance->c[5] = (k2 & 0xFFFF0000) | (k3 & 0xFFFF);
131 p_instance->c[7] = (k3 & 0xFFFF0000) | (k0 & 0xFFFF);
132
133 /* Reset carry flag */
134 p_instance->carry = 0;
135
136 /* Iterate the system four times */
137 for (i = 0; i < 4; i++)
138 next_state(p_instance);
139
140 /* Modify the counters */
141 for (i = 0; i < 8; i++)
142 p_instance->c[(i + 4) & 0x7] ^= p_instance->x[i];
143 }
144
145 /* Encrypt or decrypt a block of data */
cipher(t_instance * p_instance,const byte * p_src,byte * p_dest,size_t data_size)146 void cipher(t_instance *p_instance, const byte *p_src, byte *p_dest,
147 size_t data_size) {
148 uint32 i;
149
150 for (i = 0; i < data_size; i += 16) {
151 next_state(p_instance); /* Iterate the system */
152
153 /* Encrypt 16 bytes of data */
154 *(uint32*)(p_dest + 0) = *(uint32*)(p_src + 0) ^
155 (p_instance->x[0]) ^
156 (p_instance->x[5] >> 16) ^
157 (p_instance->x[3] << 16);
158
159 *(uint32*)(p_dest + 4) = *(uint32*)(p_src + 4) ^
160 (p_instance->x[2]) ^
161 (p_instance->x[7] >> 16) ^
162 (p_instance->x[5] << 16);
163
164 *(uint32*)(p_dest + 8) = *(uint32*)(p_src + 8) ^
165 (p_instance->x[4]) ^
166 (p_instance->x[1] >> 16) ^
167 (p_instance->x[7] << 16);
168
169 *(uint32*)(p_dest + 12) = *(uint32*)(p_src + 12) ^
170 (p_instance->x[6]) ^
171 (p_instance->x[3] >> 16) ^
172 (p_instance->x[1] << 16);
173
174 /* Increment pointers to source and destination data */
175 p_src += 16;
176 p_dest += 16;
177 }
178 }
179
180 #ifdef TEST
181
182 #define LEN 512
183
main(void)184 int main(void)
185 {
186 int i, flag, s;
187 t_instance state;
188
189 byte key[16] = {
190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
192 };
193
194 byte key2[16] = {
195 0xc2, 0x1f, 0xcf, 0x38, 0x81, 0xcd, 0x5e, 0xe8,
196 0x62, 0x8a, 0xcc, 0xb0, 0xa9, 0x89, 0x0d, 0xf8
197 };
198
199 byte key3[16] = {
200 0x1d, 0x27, 0x2c, 0x6a, 0x2d, 0x8e, 0x3d, 0xfc,
201 0xac, 0x14, 0x05, 0x6b, 0x78, 0xd6, 0x33, 0xa0
202 };
203
204 byte ciphertext[LEN], plaintext[LEN], plaintext2[LEN];
205
206 for (i = 0; i < LEN; i++)
207 plaintext[i] = 0x00;
208
209 printf("Test vectors from the Rabbit paper\n\n");
210
211 key_setup(&state, key);
212 cipher(&state, plaintext, ciphertext, sizeof(plaintext));
213
214 key_setup(&state, key);
215 cipher(&state, ciphertext, plaintext2, sizeof(ciphertext));
216
217 flag = 0;
218 for (i = 0; i < LEN; i++)
219 if (plaintext2[i] != plaintext[i]) {
220 flag = 1;
221 break;
222 }
223
224 printf("Decryption ");
225 (flag) ? printf("failed\n") : printf("succeeded\n");
226
227 printf("key = ");
228 for (i = 0; i < 16; i++)
229 printf("%02X ", key[i]);
230
231 printf("\n");
232
233 s = 0;
234 for (i = 0; i < LEN; i++) {
235 if ((i % 16) == 0) {
236 printf("\n[s=%02d] ", s);
237 s++;
238 }
239
240 printf(" %02X", ciphertext[i]);
241 }
242
243 printf("\n\n");
244
245 key_setup(&state, key2);
246 cipher(&state, plaintext, ciphertext, sizeof(plaintext));
247
248 key_setup(&state, key2);
249 cipher(&state, ciphertext, plaintext2, sizeof(ciphertext));
250
251 flag = 0;
252 for (i = 0; i < LEN; i++)
253 if (plaintext2[i] != plaintext[i]) {
254 flag = 1;
255 break;
256 }
257
258 printf("Decryption ");
259 (flag) ? printf("failed\n") : printf("succeeded\n");
260
261 printf("key = ");
262 for (i = 0; i < 16; i++)
263 printf("%02X ", key2[i]);
264
265 printf("\n");
266
267 s = 0;
268 for (i = 0; i < LEN; i++) {
269 if ((i % 16) == 0) {
270 printf("\n[s=%02d] ", s);
271 s++;
272 }
273
274 printf(" %02X", ciphertext[i]);
275 }
276
277 printf("\n\n");
278
279 key_setup(&state, key3);
280 cipher(&state, plaintext, ciphertext, sizeof(plaintext));
281
282 key_setup(&state, key3);
283 cipher(&state, ciphertext, plaintext2, sizeof(ciphertext));
284
285 flag = 0;
286 for (i = 0; i < LEN; i++)
287 if (plaintext2[i] != plaintext[i]) {
288 flag = 1;
289 break;
290 }
291
292 printf("Decryption ");
293 (flag) ? printf("failed\n") : printf("succeeded\n");
294
295 printf("key = ");
296 for (i = 0; i < 16; i++)
297 printf("%02X ", key3[i]);
298
299 printf("\n");
300
301 s = 0;
302 for (i = 0; i < LEN; i++) {
303 if ((i % 16) == 0) {
304 printf("\n[s=%02d] ", s);
305 s++;
306 }
307
308 printf(" %02X", ciphertext[i]);
309 }
310
311 printf("\n");
312
313 return 0;
314 }
315
316 #endif
317
318