OSCL-LXR |
|
|
|
|||
0001 /* gf128mul.h - GF(2^128) multiplication functions 0002 * 0003 * Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. 0004 * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org> 0005 * 0006 * Based on Dr Brian Gladman's (GPL'd) work published at 0007 * http://fp.gladman.plus.com/cryptography_technology/index.htm 0008 * See the original copyright notice below. 0009 * 0010 * This program is free software; you can redistribute it and/or modify it 0011 * under the terms of the GNU General Public License as published by the Free 0012 * Software Foundation; either version 2 of the License, or (at your option) 0013 * any later version. 0014 */ 0015 /* 0016 --------------------------------------------------------------------------- 0017 Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved. 0018 0019 LICENSE TERMS 0020 0021 The free distribution and use of this software in both source and binary 0022 form is allowed (with or without changes) provided that: 0023 0024 1. distributions of this source code include the above copyright 0025 notice, this list of conditions and the following disclaimer; 0026 0027 2. distributions in binary form include the above copyright 0028 notice, this list of conditions and the following disclaimer 0029 in the documentation and/or other associated materials; 0030 0031 3. the copyright holder's name is not used to endorse products 0032 built using this software without specific written permission. 0033 0034 ALTERNATIVELY, provided that this notice is retained in full, this product 0035 may be distributed under the terms of the GNU General Public License (GPL), 0036 in which case the provisions of the GPL apply INSTEAD OF those given above. 0037 0038 DISCLAIMER 0039 0040 This software is provided 'as is' with no explicit or implied warranties 0041 in respect of its properties, including, but not limited to, correctness 0042 and/or fitness for purpose. 0043 --------------------------------------------------------------------------- 0044 Issue Date: 31/01/2006 0045 0046 An implementation of field multiplication in Galois Field GF(2^128) 0047 */ 0048 0049 #ifndef _CRYPTO_GF128MUL_H 0050 #define _CRYPTO_GF128MUL_H 0051 0052 #include <asm/byteorder.h> 0053 #include <crypto/b128ops.h> 0054 #include <linux/slab.h> 0055 0056 /* Comment by Rik: 0057 * 0058 * For some background on GF(2^128) see for example: 0059 * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf 0060 * 0061 * The elements of GF(2^128) := GF(2)[X]/(X^128-X^7-X^2-X^1-1) can 0062 * be mapped to computer memory in a variety of ways. Let's examine 0063 * three common cases. 0064 * 0065 * Take a look at the 16 binary octets below in memory order. The msb's 0066 * are left and the lsb's are right. char b[16] is an array and b[0] is 0067 * the first octet. 0068 * 0069 * 10000000 00000000 00000000 00000000 .... 00000000 00000000 00000000 0070 * b[0] b[1] b[2] b[3] b[13] b[14] b[15] 0071 * 0072 * Every bit is a coefficient of some power of X. We can store the bits 0073 * in every byte in little-endian order and the bytes themselves also in 0074 * little endian order. I will call this lle (little-little-endian). 0075 * The above buffer represents the polynomial 1, and X^7+X^2+X^1+1 looks 0076 * like 11100001 00000000 .... 00000000 = { 0xE1, 0x00, }. 0077 * This format was originally implemented in gf128mul and is used 0078 * in GCM (Galois/Counter mode) and in ABL (Arbitrary Block Length). 0079 * 0080 * Another convention says: store the bits in bigendian order and the 0081 * bytes also. This is bbe (big-big-endian). Now the buffer above 0082 * represents X^127. X^7+X^2+X^1+1 looks like 00000000 .... 10000111, 0083 * b[15] = 0x87 and the rest is 0. LRW uses this convention and bbe 0084 * is partly implemented. 0085 * 0086 * Both of the above formats are easy to implement on big-endian 0087 * machines. 0088 * 0089 * XTS and EME (the latter of which is patent encumbered) use the ble 0090 * format (bits are stored in big endian order and the bytes in little 0091 * endian). The above buffer represents X^7 in this case and the 0092 * primitive polynomial is b[0] = 0x87. 0093 * 0094 * The common machine word-size is smaller than 128 bits, so to make 0095 * an efficient implementation we must split into machine word sizes. 0096 * This implementation uses 64-bit words for the moment. Machine 0097 * endianness comes into play. The lle format in relation to machine 0098 * endianness is discussed below by the original author of gf128mul Dr 0099 * Brian Gladman. 0100 * 0101 * Let's look at the bbe and ble format on a little endian machine. 0102 * 0103 * bbe on a little endian machine u32 x[4]: 0104 * 0105 * MS x[0] LS MS x[1] LS 0106 * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0107 * 103..96 111.104 119.112 127.120 71...64 79...72 87...80 95...88 0108 * 0109 * MS x[2] LS MS x[3] LS 0110 * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0111 * 39...32 47...40 55...48 63...56 07...00 15...08 23...16 31...24 0112 * 0113 * ble on a little endian machine 0114 * 0115 * MS x[0] LS MS x[1] LS 0116 * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0117 * 31...24 23...16 15...08 07...00 63...56 55...48 47...40 39...32 0118 * 0119 * MS x[2] LS MS x[3] LS 0120 * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0121 * 95...88 87...80 79...72 71...64 127.120 199.112 111.104 103..96 0122 * 0123 * Multiplications in GF(2^128) are mostly bit-shifts, so you see why 0124 * ble (and lbe also) are easier to implement on a little-endian 0125 * machine than on a big-endian machine. The converse holds for bbe 0126 * and lle. 0127 * 0128 * Note: to have good alignment, it seems to me that it is sufficient 0129 * to keep elements of GF(2^128) in type u64[2]. On 32-bit wordsize 0130 * machines this will automatically aligned to wordsize and on a 64-bit 0131 * machine also. 0132 */ 0133 /* Multiply a GF(2^128) field element by x. Field elements are 0134 held in arrays of bytes in which field bits 8n..8n + 7 are held in 0135 byte[n], with lower indexed bits placed in the more numerically 0136 significant bit positions within bytes. 0137 0138 On little endian machines the bit indexes translate into the bit 0139 positions within four 32-bit words in the following way 0140 0141 MS x[0] LS MS x[1] LS 0142 ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0143 24...31 16...23 08...15 00...07 56...63 48...55 40...47 32...39 0144 0145 MS x[2] LS MS x[3] LS 0146 ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0147 88...95 80...87 72...79 64...71 120.127 112.119 104.111 96..103 0148 0149 On big endian machines the bit indexes translate into the bit 0150 positions within four 32-bit words in the following way 0151 0152 MS x[0] LS MS x[1] LS 0153 ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0154 00...07 08...15 16...23 24...31 32...39 40...47 48...55 56...63 0155 0156 MS x[2] LS MS x[3] LS 0157 ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls 0158 64...71 72...79 80...87 88...95 96..103 104.111 112.119 120.127 0159 */ 0160 0161 /* A slow generic version of gf_mul, implemented for lle and bbe 0162 * It multiplies a and b and puts the result in a */ 0163 void gf128mul_lle(be128 *a, const be128 *b); 0164 0165 void gf128mul_bbe(be128 *a, const be128 *b); 0166 0167 /* 0168 * The following functions multiply a field element by x in 0169 * the polynomial field representation. They use 64-bit word operations 0170 * to gain speed but compensate for machine endianness and hence work 0171 * correctly on both styles of machine. 0172 * 0173 * They are defined here for performance. 0174 */ 0175 0176 static inline u64 gf128mul_mask_from_bit(u64 x, int which) 0177 { 0178 /* a constant-time version of 'x & ((u64)1 << which) ? (u64)-1 : 0' */ 0179 return ((s64)(x << (63 - which)) >> 63); 0180 } 0181 0182 static inline void gf128mul_x_lle(be128 *r, const be128 *x) 0183 { 0184 u64 a = be64_to_cpu(x->a); 0185 u64 b = be64_to_cpu(x->b); 0186 0187 /* equivalent to gf128mul_table_le[(b << 7) & 0xff] << 48 0188 * (see crypto/gf128mul.c): */ 0189 u64 _tt = gf128mul_mask_from_bit(b, 0) & ((u64)0xe1 << 56); 0190 0191 r->b = cpu_to_be64((b >> 1) | (a << 63)); 0192 r->a = cpu_to_be64((a >> 1) ^ _tt); 0193 } 0194 0195 static inline void gf128mul_x_bbe(be128 *r, const be128 *x) 0196 { 0197 u64 a = be64_to_cpu(x->a); 0198 u64 b = be64_to_cpu(x->b); 0199 0200 /* equivalent to gf128mul_table_be[a >> 63] (see crypto/gf128mul.c): */ 0201 u64 _tt = gf128mul_mask_from_bit(a, 63) & 0x87; 0202 0203 r->a = cpu_to_be64((a << 1) | (b >> 63)); 0204 r->b = cpu_to_be64((b << 1) ^ _tt); 0205 } 0206 0207 /* needed by XTS */ 0208 static inline void gf128mul_x_ble(le128 *r, const le128 *x) 0209 { 0210 u64 a = le64_to_cpu(x->a); 0211 u64 b = le64_to_cpu(x->b); 0212 0213 /* equivalent to gf128mul_table_be[b >> 63] (see crypto/gf128mul.c): */ 0214 u64 _tt = gf128mul_mask_from_bit(a, 63) & 0x87; 0215 0216 r->a = cpu_to_le64((a << 1) | (b >> 63)); 0217 r->b = cpu_to_le64((b << 1) ^ _tt); 0218 } 0219 0220 /* 4k table optimization */ 0221 0222 struct gf128mul_4k { 0223 be128 t[256]; 0224 }; 0225 0226 struct gf128mul_4k *gf128mul_init_4k_lle(const be128 *g); 0227 struct gf128mul_4k *gf128mul_init_4k_bbe(const be128 *g); 0228 void gf128mul_4k_lle(be128 *a, const struct gf128mul_4k *t); 0229 void gf128mul_4k_bbe(be128 *a, const struct gf128mul_4k *t); 0230 void gf128mul_x8_ble(le128 *r, const le128 *x); 0231 static inline void gf128mul_free_4k(struct gf128mul_4k *t) 0232 { 0233 kfree_sensitive(t); 0234 } 0235 0236 0237 /* 64k table optimization, implemented for bbe */ 0238 0239 struct gf128mul_64k { 0240 struct gf128mul_4k *t[16]; 0241 }; 0242 0243 /* First initialize with the constant factor with which you 0244 * want to multiply and then call gf128mul_64k_bbe with the other 0245 * factor in the first argument, and the table in the second. 0246 * Afterwards, the result is stored in *a. 0247 */ 0248 struct gf128mul_64k *gf128mul_init_64k_bbe(const be128 *g); 0249 void gf128mul_free_64k(struct gf128mul_64k *t); 0250 void gf128mul_64k_bbe(be128 *a, const struct gf128mul_64k *t); 0251 0252 #endif /* _CRYPTO_GF128MUL_H */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.1.0 LXR engine. The LXR team |
|