2N/A * Copyright (C) 1998, 2002, 2003 Free Software Foundation, Inc. 2N/A * Written by Matthew Skala <mskala@ansuz.sooke.bc.ca>, July 26, 1998 2N/A * 256-bit key length added March 20, 1999 2N/A * Some modifications to reduce the text size by Werner Koch, April, 1998 2N/A * This file is part of Libgcrypt. 2N/A * Libgcrypt is free software; you can redistribute it and/or modify 2N/A * it under the terms of the GNU Lesser General Public License as 2N/A * published by the Free Software Foundation; either version 2.1 of 2N/A * the License, or (at your option) any later version. 2N/A * Libgcrypt is distributed in the hope that it will be useful, 2N/A * but WITHOUT ANY WARRANTY; without even the implied warranty of 2N/A * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 2N/A * GNU Lesser General Public License for more details. 2N/A * You should have received a copy of the GNU Lesser General Public 2N/A * License along with this program; if not, write to the Free Software 2N/A * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA 2N/A ******************************************************************** 2N/A * This code is a "clean room" implementation, written from the paper 2N/A * _Twofish: A 128-Bit Block Cipher_ by Bruce Schneier, John Kelsey, 2N/A * Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, available 2N/A * For background information on multiplication in finite fields, used for 2N/A * the matrix operations in the key schedule, see the book _Contemporary 2N/A * Abstract Algebra_ by Joseph A. Gallian, especially chapter 22 in the 2N/A * Only the 128- and 256-bit key sizes are supported. This code is intended 2N/A * for GNU C on a 32-bit system, but it should work almost anywhere. Loops 2N/A * are unrolled, precomputation tables are used, etc., for maximum speed at 2N/A * some cost in memory consumption. */ 2N/A/* Prototype for the self-test function. */ 2N/A/* Structure for an expanded Twofish key. s contains the key-dependent 2N/A * S-boxes composed with the MDS matrix; w contains the eight "whitening" 2N/A * subkeys, K[0] through K[7]. k holds the remaining, "round" subkeys. Note 2N/A * that k[i] corresponds to what the Twofish paper calls K[i+8]. */ 2N/A/* These two tables are the q0 and q1 permutations, exactly as described in 2N/A * the Twofish paper. */ 2N/A 0xA9,
0x67,
0xB3,
0xE8,
0x04,
0xFD,
0xA3,
0x76,
0x9A,
0x92,
0x80,
0x78,
2N/A 0xE4,
0xDD,
0xD1,
0x38,
0x0D,
0xC6,
0x35,
0x98,
0x18,
0xF7,
0xEC,
0x6C,
2N/A 0x43,
0x75,
0x37,
0x26,
0xFA,
0x13,
0x94,
0x48,
0xF2,
0xD0,
0x8B,
0x30,
2N/A 0x84,
0x54,
0xDF,
0x23,
0x19,
0x5B,
0x3D,
0x59,
0xF3,
0xAE,
0xA2,
0x82,
2N/A 0x63,
0x01,
0x83,
0x2E,
0xD9,
0x51,
0x9B,
0x7C,
0xA6,
0xEB,
0xA5,
0xBE,
2N/A 0x16,
0x0C,
0xE3,
0x61,
0xC0,
0x8C,
0x3A,
0xF5,
0x73,
0x2C,
0x25,
0x0B,
2N/A 0xBB,
0x4E,
0x89,
0x6B,
0x53,
0x6A,
0xB4,
0xF1,
0xE1,
0xE6,
0xBD,
0x45,
2N/A 0xE2,
0xF4,
0xB6,
0x66,
0xCC,
0x95,
0x03,
0x56,
0xD4,
0x1C,
0x1E,
0xD7,
2N/A 0xFB,
0xC3,
0x8E,
0xB5,
0xE9,
0xCF,
0xBF,
0xBA,
0xEA,
0x77,
0x39,
0xAF,
2N/A 0x33,
0xC9,
0x62,
0x71,
0x81,
0x79,
0x09,
0xAD,
0x24,
0xCD,
0xF9,
0xD8,
2N/A 0xE5,
0xC5,
0xB9,
0x4D,
0x44,
0x08,
0x86,
0xE7,
0xA1,
0x1D,
0xAA,
0xED,
2N/A 0x06,
0x70,
0xB2,
0xD2,
0x41,
0x7B,
0xA0,
0x11,
0x31,
0xC2,
0x27,
0x90,
2N/A 0x20,
0xF6,
0x60,
0xFF,
0x96,
0x5C,
0xB1,
0xAB,
0x9E,
0x9C,
0x52,
0x1B,
2N/A 0x5F,
0x93,
0x0A,
0xEF,
0x91,
0x85,
0x49,
0xEE,
0x2D,
0x4F,
0x8F,
0x3B,
2N/A 0x47,
0x87,
0x6D,
0x46,
0xD6,
0x3E,
0x69,
0x64,
0x2A,
0xCE,
0xCB,
0x2F,
2N/A 0xFC,
0x97,
0x05,
0x7A,
0xAC,
0x7F,
0xD5,
0x1A,
0x4B,
0x0E,
0xA7,
0x5A,
2N/A 0x28,
0x14,
0x3F,
0x29,
0x88,
0x3C,
0x4C,
0x02,
0xB8,
0xDA,
0xB0,
0x17,
2N/A 0x55,
0x1F,
0x8A,
0x7D,
0x57,
0xC7,
0x8D,
0x74,
0xB7,
0xC4,
0x9F,
0x72,
2N/A 0x7E,
0x15,
0x22,
0x12,
0x58,
0x07,
0x99,
0x34,
0x6E,
0x50,
0xDE,
0x68,
2N/A 0x65,
0xBC,
0xDB,
0xF8,
0xC8,
0xA8,
0x2B,
0x40,
0xDC,
0xFE,
0x32,
0xA4,
2N/A 0xCA,
0x10,
0x21,
0xF0,
0xD3,
0x5D,
0x0F,
0x00,
0x6F,
0x9D,
0x36,
0x42,
2N/A 0x4A,
0x5E,
0xC1,
0xE0 2N/A 0x75,
0xF3,
0xC6,
0xF4,
0xDB,
0x7B,
0xFB,
0xC8,
0x4A,
0xD3,
0xE6,
0x6B,
2N/A 0x45,
0x7D,
0xE8,
0x4B,
0xD6,
0x32,
0xD8,
0xFD,
0x37,
0x71,
0xF1,
0xE1,
2N/A 0x30,
0x0F,
0xF8,
0x1B,
0x87,
0xFA,
0x06,
0x3F,
0x5E,
0xBA,
0xAE,
0x5B,
2N/A 0x8A,
0x00,
0xBC,
0x9D,
0x6D,
0xC1,
0xB1,
0x0E,
0x80,
0x5D,
0xD2,
0xD5,
2N/A 0xA0,
0x84,
0x07,
0x14,
0xB5,
0x90,
0x2C,
0xA3,
0xB2,
0x73,
0x4C,
0x54,
2N/A 0x92,
0x74,
0x36,
0x51,
0x38,
0xB0,
0xBD,
0x5A,
0xFC,
0x60,
0x62,
0x96,
2N/A 0x6C,
0x42,
0xF7,
0x10,
0x7C,
0x28,
0x27,
0x8C,
0x13,
0x95,
0x9C,
0xC7,
2N/A 0x24,
0x46,
0x3B,
0x70,
0xCA,
0xE3,
0x85,
0xCB,
0x11,
0xD0,
0x93,
0xB8,
2N/A 0xA6,
0x83,
0x20,
0xFF,
0x9F,
0x77,
0xC3,
0xCC,
0x03,
0x6F,
0x08,
0xBF,
2N/A 0x40,
0xE7,
0x2B,
0xE2,
0x79,
0x0C,
0xAA,
0x82,
0x41,
0x3A,
0xEA,
0xB9,
2N/A 0xE4,
0x9A,
0xA4,
0x97,
0x7E,
0xDA,
0x7A,
0x17,
0x66,
0x94,
0xA1,
0x1D,
2N/A 0x3D,
0xF0,
0xDE,
0xB3,
0x0B,
0x72,
0xA7,
0x1C,
0xEF,
0xD1,
0x53,
0x3E,
2N/A 0x8F,
0x33,
0x26,
0x5F,
0xEC,
0x76,
0x2A,
0x49,
0x81,
0x88,
0xEE,
0x21,
2N/A 0xC4,
0x1A,
0xEB,
0xD9,
0xC5,
0x39,
0x99,
0xCD,
0xAD,
0x31,
0x8B,
0x01,
2N/A 0x18,
0x23,
0xDD,
0x1F,
0x4E,
0x2D,
0xF9,
0x48,
0x4F,
0xF2,
0x65,
0x8E,
2N/A 0x78,
0x5C,
0x58,
0x19,
0x8D,
0xE5,
0x98,
0x57,
0x67,
0x7F,
0x05,
0x64,
2N/A 0xAF,
0x63,
0xB6,
0xFE,
0xF5,
0xB7,
0x3C,
0xA5,
0xCE,
0xE9,
0x68,
0x44,
2N/A 0xE0,
0x4D,
0x43,
0x69,
0x29,
0x2E,
0xAC,
0x15,
0x59,
0xA8,
0x0A,
0x9E,
2N/A 0x6E,
0x47,
0xDF,
0x34,
0x35,
0x6A,
0xCF,
0xDC,
0x22,
0xC9,
0xC0,
0x9B,
2N/A 0x89,
0xD4,
0xED,
0xAB,
0x12,
0xA2,
0x0D,
0x52,
0xBB,
0x02,
0x2F,
0xA9,
2N/A 0xD7,
0x61,
0x1E,
0xB4,
0x50,
0x04,
0xF6,
0xC2,
0x16,
0x25,
0x86,
0x56,
2N/A 0x55,
0x09,
0xBE,
0x91 2N/A/* These MDS tables are actually tables of MDS composed with q0 and q1, 2N/A * because it is only ever used that way and we can save some time by 2N/A * precomputing. Of course the main saving comes from precomputing the 2N/A * GF(2^8) multiplication involved in the MDS matrix multiply; by looking 2N/A * things up in these tables we reduce the matrix multiply to four lookups 2N/A * and three XORs. Semi-formally, the definition of these tables is: 2N/A * mds[0][i] = MDS (q1[i] 0 0 0)^T mds[1][i] = MDS (0 q0[i] 0 0)^T 2N/A * mds[2][i] = MDS (0 0 q1[i] 0)^T mds[3][i] = MDS (0 0 0 q0[i])^T 2N/A * where ^T means "transpose", the matrix multiply is performed in GF(2^8) 2N/A * represented as GF(2)[x]/v(x) where v(x)=x^8+x^6+x^5+x^3+1 as described 2N/A * by Schneier et al, and I'm casually glossing over the byte/word 2N/A * conversion issues. */ 2N/A {
0xBCBC3275,
0xECEC21F3,
0x202043C6,
0xB3B3C9F4,
0xDADA03DB,
0x02028B7B,
2N/A 0xE2E22BFB,
0x9E9EFAC8,
0xC9C9EC4A,
0xD4D409D3,
0x18186BE6,
0x1E1E9F6B,
2N/A 0x98980E45,
0xB2B2387D,
0xA6A6D2E8,
0x2626B74B,
0x3C3C57D6,
0x93938A32,
2N/A 0x8282EED8,
0x525298FD,
0x7B7BD437,
0xBBBB3771,
0x5B5B97F1,
0x474783E1,
2N/A 0x24243C30,
0x5151E20F,
0xBABAC6F8,
0x4A4AF31B,
0xBFBF4887,
0x0D0D70FA,
2N/A 0xB0B0B306,
0x7575DE3F,
0xD2D2FD5E,
0x7D7D20BA,
0x666631AE,
0x3A3AA35B,
2N/A 0x59591C8A,
0x00000000,
0xCDCD93BC,
0x1A1AE09D,
0xAEAE2C6D,
0x7F7FABC1,
2N/A 0x2B2BC7B1,
0xBEBEB90E,
0xE0E0A080,
0x8A8A105D,
0x3B3B52D2,
0x6464BAD5,
2N/A 0xD8D888A0,
0xE7E7A584,
0x5F5FE807,
0x1B1B1114,
0x2C2CC2B5,
0xFCFCB490,
2N/A 0x3131272C,
0x808065A3,
0x73732AB2,
0x0C0C8173,
0x79795F4C,
0x6B6B4154,
2N/A 0x4B4B0292,
0x53536974,
0x94948F36,
0x83831F51,
0x2A2A3638,
0xC4C49CB0,
2N/A 0x2222C8BD,
0xD5D5F85A,
0xBDBDC3FC,
0x48487860,
0xFFFFCE62,
0x4C4C0796,
2N/A 0x4141776C,
0xC7C7E642,
0xEBEB24F7,
0x1C1C1410,
0x5D5D637C,
0x36362228,
2N/A 0x6767C027,
0xE9E9AF8C,
0x4444F913,
0x1414EA95,
0xF5F5BB9C,
0xCFCF18C7,
2N/A 0x3F3F2D24,
0xC0C0E346,
0x7272DB3B,
0x54546C70,
0x29294CCA,
0xF0F035E3,
2N/A 0x0808FE85,
0xC6C617CB,
0xF3F34F11,
0x8C8CE4D0,
0xA4A45993,
0xCACA96B8,
2N/A 0x68683BA6,
0xB8B84D83,
0x38382820,
0xE5E52EFF,
0xADAD569F,
0x0B0B8477,
2N/A 0xC8C81DC3,
0x9999FFCC,
0x5858ED03,
0x19199A6F,
0x0E0E0A08,
0x95957EBF,
2N/A 0x70705040,
0xF7F730E7,
0x6E6ECF2B,
0x1F1F6EE2,
0xB5B53D79,
0x09090F0C,
2N/A 0x616134AA,
0x57571682,
0x9F9F0B41,
0x9D9D803A,
0x111164EA,
0x2525CDB9,
2N/A 0xAFAFDDE4,
0x4545089A,
0xDFDF8DA4,
0xA3A35C97,
0xEAEAD57E,
0x353558DA,
2N/A 0xEDEDD07A,
0x4343FC17,
0xF8F8CB66,
0xFBFBB194,
0x3737D3A1,
0xFAFA401D,
2N/A 0xC2C2683D,
0xB4B4CCF0,
0x32325DDE,
0x9C9C71B3,
0x5656E70B,
0xE3E3DA72,
2N/A 0x878760A7,
0x15151B1C,
0xF9F93AEF,
0x6363BFD1,
0x3434A953,
0x9A9A853E,
2N/A 0xB1B1428F,
0x7C7CD133,
0x88889B26,
0x3D3DA65F,
0xA1A1D7EC,
0xE4E4DF76,
2N/A 0x8181942A,
0x91910149,
0x0F0FFB81,
0xEEEEAA88,
0x161661EE,
0xD7D77321,
2N/A 0x9797F5C4,
0xA5A5A81A,
0xFEFE3FEB,
0x6D6DB5D9,
0x7878AEC5,
0xC5C56D39,
2N/A 0x1D1DE599,
0x7676A4CD,
0x3E3EDCAD,
0xCBCB6731,
0xB6B6478B,
0xEFEF5B01,
2N/A 0x12121E18,
0x6060C523,
0x6A6AB0DD,
0x4D4DF61F,
0xCECEE94E,
0xDEDE7C2D,
2N/A 0x55559DF9,
0x7E7E5A48,
0x2121B24F,
0x03037AF2,
0xA0A02665,
0x5E5E198E,
2N/A 0x5A5A6678,
0x65654B5C,
0x62624E58,
0xFDFD4519,
0x0606F48D,
0x404086E5,
2N/A 0xF2F2BE98,
0x3333AC57,
0x17179067,
0x05058E7F,
0xE8E85E05,
0x4F4F7D64,
2N/A 0x89896AAF,
0x10109563,
0x74742FB6,
0x0A0A75FE,
0x5C5C92F5,
0x9B9B74B7,
2N/A 0x2D2D333C,
0x3030D6A5,
0x2E2E49CE,
0x494989E9,
0x46467268,
0x77775544,
2N/A 0xA8A8D8E0,
0x9696044D,
0x2828BD43,
0xA9A92969,
0xD9D97929,
0x8686912E,
2N/A 0xD1D187AC,
0xF4F44A15,
0x8D8D1559,
0xD6D682A8,
0xB9B9BC0A,
0x42420D9E,
2N/A 0xF6F6C16E,
0x2F2FB847,
0xDDDD06DF,
0x23233934,
0xCCCC6235,
0xF1F1C46A,
2N/A 0xC1C112CF,
0x8585EBDC,
0x8F8F9E22,
0x7171A1C9,
0x9090F0C0,
0xAAAA539B,
2N/A 0x0101F189,
0x8B8BE1D4,
0x4E4E8CED,
0x8E8E6FAB,
0xABABA212,
0x6F6F3EA2,
2N/A 0xE6E6540D,
0xDBDBF252,
0x92927BBB,
0xB7B7B602,
0x6969CA2F,
0x3939D9A9,
2N/A 0xD3D30CD7,
0xA7A72361,
0xA2A2AD1E,
0xC3C399B4,
0x6C6C4450,
0x07070504,
2N/A 0x04047FF6,
0x272746C2,
0xACACA716,
0xD0D07625,
0x50501386,
0xDCDCF756,
2N/A 0x84841A55,
0xE1E15109,
0x7A7A25BE,
0x1313EF91},
2N/A {
0xA9D93939,
0x67901717,
0xB3719C9C,
0xE8D2A6A6,
0x04050707,
0xFD985252,
2N/A 0xA3658080,
0x76DFE4E4,
0x9A084545,
0x92024B4B,
0x80A0E0E0,
0x78665A5A,
2N/A 0xE4DDAFAF,
0xDDB06A6A,
0xD1BF6363,
0x38362A2A,
0x0D54E6E6,
0xC6432020,
2N/A 0x3562CCCC,
0x98BEF2F2,
0x181E1212,
0xF724EBEB,
0xECD7A1A1,
0x6C774141,
2N/A 0x43BD2828,
0x7532BCBC,
0x37D47B7B,
0x269B8888,
0xFA700D0D,
0x13F94444,
2N/A 0x94B1FBFB,
0x485A7E7E,
0xF27A0303,
0xD0E48C8C,
0x8B47B6B6,
0x303C2424,
2N/A 0x84A5E7E7,
0x54416B6B,
0xDF06DDDD,
0x23C56060,
0x1945FDFD,
0x5BA33A3A,
2N/A 0x3D68C2C2,
0x59158D8D,
0xF321ECEC,
0xAE316666,
0xA23E6F6F,
0x82165757,
2N/A 0x63951010,
0x015BEFEF,
0x834DB8B8,
0x2E918686,
0xD9B56D6D,
0x511F8383,
2N/A 0x9B53AAAA,
0x7C635D5D,
0xA63B6868,
0xEB3FFEFE,
0xA5D63030,
0xBE257A7A,
2N/A 0x16A7ACAC,
0x0C0F0909,
0xE335F0F0,
0x6123A7A7,
0xC0F09090,
0x8CAFE9E9,
2N/A 0x3A809D9D,
0xF5925C5C,
0x73810C0C,
0x2C273131,
0x2576D0D0,
0x0BE75656,
2N/A 0xBB7B9292,
0x4EE9CECE,
0x89F10101,
0x6B9F1E1E,
0x53A93434,
0x6AC4F1F1,
2N/A 0xB499C3C3,
0xF1975B5B,
0xE1834747,
0xE66B1818,
0xBDC82222,
0x450E9898,
2N/A 0xE26E1F1F,
0xF4C9B3B3,
0xB62F7474,
0x66CBF8F8,
0xCCFF9999,
0x95EA1414,
2N/A 0x03ED5858,
0x56F7DCDC,
0xD4E18B8B,
0x1C1B1515,
0x1EADA2A2,
0xD70CD3D3,
2N/A 0xFB2BE2E2,
0xC31DC8C8,
0x8E195E5E,
0xB5C22C2C,
0xE9894949,
0xCF12C1C1,
2N/A 0xBF7E9595,
0xBA207D7D,
0xEA641111,
0x77840B0B,
0x396DC5C5,
0xAF6A8989,
2N/A 0x33D17C7C,
0xC9A17171,
0x62CEFFFF,
0x7137BBBB,
0x81FB0F0F,
0x793DB5B5,
2N/A 0x0951E1E1,
0xADDC3E3E,
0x242D3F3F,
0xCDA47676,
0xF99D5555,
0xD8EE8282,
2N/A 0xE5864040,
0xC5AE7878,
0xB9CD2525,
0x4D049696,
0x44557777,
0x080A0E0E,
2N/A 0x86135050,
0xE730F7F7,
0xA1D33737,
0x1D40FAFA,
0xAA346161,
0xED8C4E4E,
2N/A 0x06B3B0B0,
0x706C5454,
0xB22A7373,
0xD2523B3B,
0x410B9F9F,
0x7B8B0202,
2N/A 0xA088D8D8,
0x114FF3F3,
0x3167CBCB,
0xC2462727,
0x27C06767,
0x90B4FCFC,
2N/A 0x20283838,
0xF67F0404,
0x60784848,
0xFF2EE5E5,
0x96074C4C,
0x5C4B6565,
2N/A 0xB1C72B2B,
0xAB6F8E8E,
0x9E0D4242,
0x9CBBF5F5,
0x52F2DBDB,
0x1BF34A4A,
2N/A 0x5FA63D3D,
0x9359A4A4,
0x0ABCB9B9,
0xEF3AF9F9,
0x91EF1313,
0x85FE0808,
2N/A 0x49019191,
0xEE611616,
0x2D7CDEDE,
0x4FB22121,
0x8F42B1B1,
0x3BDB7272,
2N/A 0x47B82F2F,
0x8748BFBF,
0x6D2CAEAE,
0x46E3C0C0,
0xD6573C3C,
0x3E859A9A,
2N/A 0x6929A9A9,
0x647D4F4F,
0x2A948181,
0xCE492E2E,
0xCB17C6C6,
0x2FCA6969,
2N/A 0xFCC3BDBD,
0x975CA3A3,
0x055EE8E8,
0x7AD0EDED,
0xAC87D1D1,
0x7F8E0505,
2N/A 0xD5BA6464,
0x1AA8A5A5,
0x4BB72626,
0x0EB9BEBE,
0xA7608787,
0x5AF8D5D5,
2N/A 0x28223636,
0x14111B1B,
0x3FDE7575,
0x2979D9D9,
0x88AAEEEE,
0x3C332D2D,
2N/A 0x4C5F7979,
0x02B6B7B7,
0xB896CACA,
0xDA583535,
0xB09CC4C4,
0x17FC4343,
2N/A 0x551A8484,
0x1FF64D4D,
0x8A1C5959,
0x7D38B2B2,
0x57AC3333,
0xC718CFCF,
2N/A 0x8DF40606,
0x74695353,
0xB7749B9B,
0xC4F59797,
0x9F56ADAD,
0x72DAE3E3,
2N/A 0x7ED5EAEA,
0x154AF4F4,
0x229E8F8F,
0x12A2ABAB,
0x584E6262,
0x07E85F5F,
2N/A 0x99E51D1D,
0x34392323,
0x6EC1F6F6,
0x50446C6C,
0xDE5D3232,
0x68724646,
2N/A 0x6526A0A0,
0xBC93CDCD,
0xDB03DADA,
0xF8C6BABA,
0xC8FA9E9E,
0xA882D6D6,
2N/A 0x2BCF6E6E,
0x40507070,
0xDCEB8585,
0xFE750A0A,
0x328A9393,
0xA48DDFDF,
2N/A 0xCA4C2929,
0x10141C1C,
0x2173D7D7,
0xF0CCB4B4,
0xD309D4D4,
0x5D108A8A,
2N/A 0x0FE25151,
0x00000000,
0x6F9A1919,
0x9DE01A1A,
0x368F9494,
0x42E6C7C7,
2N/A 0x4AECC9C9,
0x5EFDD2D2,
0xC1AB7F7F,
0xE0D8A8A8},
2N/A {
0xBC75BC32,
0xECF3EC21,
0x20C62043,
0xB3F4B3C9,
0xDADBDA03,
0x027B028B,
2N/A 0xE2FBE22B,
0x9EC89EFA,
0xC94AC9EC,
0xD4D3D409,
0x18E6186B,
0x1E6B1E9F,
2N/A 0x9845980E,
0xB27DB238,
0xA6E8A6D2,
0x264B26B7,
0x3CD63C57,
0x9332938A,
2N/A 0x82D882EE,
0x52FD5298,
0x7B377BD4,
0xBB71BB37,
0x5BF15B97,
0x47E14783,
2N/A 0x2430243C,
0x510F51E2,
0xBAF8BAC6,
0x4A1B4AF3,
0xBF87BF48,
0x0DFA0D70,
2N/A 0xB006B0B3,
0x753F75DE,
0xD25ED2FD,
0x7DBA7D20,
0x66AE6631,
0x3A5B3AA3,
2N/A 0x598A591C,
0x00000000,
0xCDBCCD93,
0x1A9D1AE0,
0xAE6DAE2C,
0x7FC17FAB,
2N/A 0x2BB12BC7,
0xBE0EBEB9,
0xE080E0A0,
0x8A5D8A10,
0x3BD23B52,
0x64D564BA,
2N/A 0xD8A0D888,
0xE784E7A5,
0x5F075FE8,
0x1B141B11,
0x2CB52CC2,
0xFC90FCB4,
2N/A 0x312C3127,
0x80A38065,
0x73B2732A,
0x0C730C81,
0x794C795F,
0x6B546B41,
2N/A 0x4B924B02,
0x53745369,
0x9436948F,
0x8351831F,
0x2A382A36,
0xC4B0C49C,
2N/A 0x22BD22C8,
0xD55AD5F8,
0xBDFCBDC3,
0x48604878,
0xFF62FFCE,
0x4C964C07,
2N/A 0x416C4177,
0xC742C7E6,
0xEBF7EB24,
0x1C101C14,
0x5D7C5D63,
0x36283622,
2N/A 0x672767C0,
0xE98CE9AF,
0x441344F9,
0x149514EA,
0xF59CF5BB,
0xCFC7CF18,
2N/A 0x3F243F2D,
0xC046C0E3,
0x723B72DB,
0x5470546C,
0x29CA294C,
0xF0E3F035,
2N/A 0x088508FE,
0xC6CBC617,
0xF311F34F,
0x8CD08CE4,
0xA493A459,
0xCAB8CA96,
2N/A 0x68A6683B,
0xB883B84D,
0x38203828,
0xE5FFE52E,
0xAD9FAD56,
0x0B770B84,
2N/A 0xC8C3C81D,
0x99CC99FF,
0x580358ED,
0x196F199A,
0x0E080E0A,
0x95BF957E,
2N/A 0x70407050,
0xF7E7F730,
0x6E2B6ECF,
0x1FE21F6E,
0xB579B53D,
0x090C090F,
2N/A 0x61AA6134,
0x57825716,
0x9F419F0B,
0x9D3A9D80,
0x11EA1164,
0x25B925CD,
2N/A 0xAFE4AFDD,
0x459A4508,
0xDFA4DF8D,
0xA397A35C,
0xEA7EEAD5,
0x35DA3558,
2N/A 0xED7AEDD0,
0x431743FC,
0xF866F8CB,
0xFB94FBB1,
0x37A137D3,
0xFA1DFA40,
2N/A 0xC23DC268,
0xB4F0B4CC,
0x32DE325D,
0x9CB39C71,
0x560B56E7,
0xE372E3DA,
2N/A 0x87A78760,
0x151C151B,
0xF9EFF93A,
0x63D163BF,
0x345334A9,
0x9A3E9A85,
2N/A 0xB18FB142,
0x7C337CD1,
0x8826889B,
0x3D5F3DA6,
0xA1ECA1D7,
0xE476E4DF,
2N/A 0x812A8194,
0x91499101,
0x0F810FFB,
0xEE88EEAA,
0x16EE1661,
0xD721D773,
2N/A 0x97C497F5,
0xA51AA5A8,
0xFEEBFE3F,
0x6DD96DB5,
0x78C578AE,
0xC539C56D,
2N/A 0x1D991DE5,
0x76CD76A4,
0x3EAD3EDC,
0xCB31CB67,
0xB68BB647,
0xEF01EF5B,
2N/A 0x1218121E,
0x602360C5,
0x6ADD6AB0,
0x4D1F4DF6,
0xCE4ECEE9,
0xDE2DDE7C,
2N/A 0x55F9559D,
0x7E487E5A,
0x214F21B2,
0x03F2037A,
0xA065A026,
0x5E8E5E19,
2N/A 0x5A785A66,
0x655C654B,
0x6258624E,
0xFD19FD45,
0x068D06F4,
0x40E54086,
2N/A 0xF298F2BE,
0x335733AC,
0x17671790,
0x057F058E,
0xE805E85E,
0x4F644F7D,
2N/A 0x89AF896A,
0x10631095,
0x74B6742F,
0x0AFE0A75,
0x5CF55C92,
0x9BB79B74,
2N/A 0x2D3C2D33,
0x30A530D6,
0x2ECE2E49,
0x49E94989,
0x46684672,
0x77447755,
2N/A 0xA8E0A8D8,
0x964D9604,
0x284328BD,
0xA969A929,
0xD929D979,
0x862E8691,
2N/A 0xD1ACD187,
0xF415F44A,
0x8D598D15,
0xD6A8D682,
0xB90AB9BC,
0x429E420D,
2N/A 0xF66EF6C1,
0x2F472FB8,
0xDDDFDD06,
0x23342339,
0xCC35CC62,
0xF16AF1C4,
2N/A 0xC1CFC112,
0x85DC85EB,
0x8F228F9E,
0x71C971A1,
0x90C090F0,
0xAA9BAA53,
2N/A 0x018901F1,
0x8BD48BE1,
0x4EED4E8C,
0x8EAB8E6F,
0xAB12ABA2,
0x6FA26F3E,
2N/A 0xE60DE654,
0xDB52DBF2,
0x92BB927B,
0xB702B7B6,
0x692F69CA,
0x39A939D9,
2N/A 0xD3D7D30C,
0xA761A723,
0xA21EA2AD,
0xC3B4C399,
0x6C506C44,
0x07040705,
2N/A 0x04F6047F,
0x27C22746,
0xAC16ACA7,
0xD025D076,
0x50865013,
0xDC56DCF7,
2N/A 0x8455841A,
0xE109E151,
0x7ABE7A25,
0x139113EF},
2N/A {
0xD939A9D9,
0x90176790,
0x719CB371,
0xD2A6E8D2,
0x05070405,
0x9852FD98,
2N/A 0x6580A365,
0xDFE476DF,
0x08459A08,
0x024B9202,
0xA0E080A0,
0x665A7866,
2N/A 0xDDAFE4DD,
0xB06ADDB0,
0xBF63D1BF,
0x362A3836,
0x54E60D54,
0x4320C643,
2N/A 0x62CC3562,
0xBEF298BE,
0x1E12181E,
0x24EBF724,
0xD7A1ECD7,
0x77416C77,
2N/A 0xBD2843BD,
0x32BC7532,
0xD47B37D4,
0x9B88269B,
0x700DFA70,
0xF94413F9,
2N/A 0xB1FB94B1,
0x5A7E485A,
0x7A03F27A,
0xE48CD0E4,
0x47B68B47,
0x3C24303C,
2N/A 0xA5E784A5,
0x416B5441,
0x06DDDF06,
0xC56023C5,
0x45FD1945,
0xA33A5BA3,
2N/A 0x68C23D68,
0x158D5915,
0x21ECF321,
0x3166AE31,
0x3E6FA23E,
0x16578216,
2N/A 0x95106395,
0x5BEF015B,
0x4DB8834D,
0x91862E91,
0xB56DD9B5,
0x1F83511F,
2N/A 0x53AA9B53,
0x635D7C63,
0x3B68A63B,
0x3FFEEB3F,
0xD630A5D6,
0x257ABE25,
2N/A 0xA7AC16A7,
0x0F090C0F,
0x35F0E335,
0x23A76123,
0xF090C0F0,
0xAFE98CAF,
2N/A 0x809D3A80,
0x925CF592,
0x810C7381,
0x27312C27,
0x76D02576,
0xE7560BE7,
2N/A 0x7B92BB7B,
0xE9CE4EE9,
0xF10189F1,
0x9F1E6B9F,
0xA93453A9,
0xC4F16AC4,
2N/A 0x99C3B499,
0x975BF197,
0x8347E183,
0x6B18E66B,
0xC822BDC8,
0x0E98450E,
2N/A 0x6E1FE26E,
0xC9B3F4C9,
0x2F74B62F,
0xCBF866CB,
0xFF99CCFF,
0xEA1495EA,
2N/A 0xED5803ED,
0xF7DC56F7,
0xE18BD4E1,
0x1B151C1B,
0xADA21EAD,
0x0CD3D70C,
2N/A 0x2BE2FB2B,
0x1DC8C31D,
0x195E8E19,
0xC22CB5C2,
0x8949E989,
0x12C1CF12,
2N/A 0x7E95BF7E,
0x207DBA20,
0x6411EA64,
0x840B7784,
0x6DC5396D,
0x6A89AF6A,
2N/A 0xD17C33D1,
0xA171C9A1,
0xCEFF62CE,
0x37BB7137,
0xFB0F81FB,
0x3DB5793D,
2N/A 0x51E10951,
0xDC3EADDC,
0x2D3F242D,
0xA476CDA4,
0x9D55F99D,
0xEE82D8EE,
2N/A 0x8640E586,
0xAE78C5AE,
0xCD25B9CD,
0x04964D04,
0x55774455,
0x0A0E080A,
2N/A 0x13508613,
0x30F7E730,
0xD337A1D3,
0x40FA1D40,
0x3461AA34,
0x8C4EED8C,
2N/A 0xB3B006B3,
0x6C54706C,
0x2A73B22A,
0x523BD252,
0x0B9F410B,
0x8B027B8B,
2N/A 0x88D8A088,
0x4FF3114F,
0x67CB3167,
0x4627C246,
0xC06727C0,
0xB4FC90B4,
2N/A 0x28382028,
0x7F04F67F,
0x78486078,
0x2EE5FF2E,
0x074C9607,
0x4B655C4B,
2N/A 0xC72BB1C7,
0x6F8EAB6F,
0x0D429E0D,
0xBBF59CBB,
0xF2DB52F2,
0xF34A1BF3,
2N/A 0xA63D5FA6,
0x59A49359,
0xBCB90ABC,
0x3AF9EF3A,
0xEF1391EF,
0xFE0885FE,
2N/A 0x01914901,
0x6116EE61,
0x7CDE2D7C,
0xB2214FB2,
0x42B18F42,
0xDB723BDB,
2N/A 0xB82F47B8,
0x48BF8748,
0x2CAE6D2C,
0xE3C046E3,
0x573CD657,
0x859A3E85,
2N/A 0x29A96929,
0x7D4F647D,
0x94812A94,
0x492ECE49,
0x17C6CB17,
0xCA692FCA,
2N/A 0xC3BDFCC3,
0x5CA3975C,
0x5EE8055E,
0xD0ED7AD0,
0x87D1AC87,
0x8E057F8E,
2N/A 0xBA64D5BA,
0xA8A51AA8,
0xB7264BB7,
0xB9BE0EB9,
0x6087A760,
0xF8D55AF8,
2N/A 0x22362822,
0x111B1411,
0xDE753FDE,
0x79D92979,
0xAAEE88AA,
0x332D3C33,
2N/A 0x5F794C5F,
0xB6B702B6,
0x96CAB896,
0x5835DA58,
0x9CC4B09C,
0xFC4317FC,
2N/A 0x1A84551A,
0xF64D1FF6,
0x1C598A1C,
0x38B27D38,
0xAC3357AC,
0x18CFC718,
2N/A 0xF4068DF4,
0x69537469,
0x749BB774,
0xF597C4F5,
0x56AD9F56,
0xDAE372DA,
2N/A 0xD5EA7ED5,
0x4AF4154A,
0x9E8F229E,
0xA2AB12A2,
0x4E62584E,
0xE85F07E8,
2N/A 0xE51D99E5,
0x39233439,
0xC1F66EC1,
0x446C5044,
0x5D32DE5D,
0x72466872,
2N/A 0x26A06526,
0x93CDBC93,
0x03DADB03,
0xC6BAF8C6,
0xFA9EC8FA,
0x82D6A882,
2N/A 0xCF6E2BCF,
0x50704050,
0xEB85DCEB,
0x750AFE75,
0x8A93328A,
0x8DDFA48D,
2N/A 0x4C29CA4C,
0x141C1014,
0x73D72173,
0xCCB4F0CC,
0x09D4D309,
0x108A5D10,
2N/A 0xE2510FE2,
0x00000000,
0x9A196F9A,
0xE01A9DE0,
0x8F94368F,
0xE6C742E6,
2N/A 0xECC94AEC,
0xFDD25EFD,
0xAB7FC1AB,
0xD8A8E0D8}
2N/A/* The exp_to_poly and poly_to_exp tables are used to perform efficient 2N/A * operations in GF(2^8) represented as GF(2)[x]/w(x) where 2N/A * w(x)=x^8+x^6+x^3+x^2+1. We care about doing that because it's part of the 2N/A * definition of the RS matrix in the key schedule. Elements of that field 2N/A * are polynomials of degree not greater than 7 and all coefficients 0 or 1, 2N/A * which can be represented naturally by bytes (just substitute x=2). In that 2N/A * form, GF(2^8) addition is the same as bitwise XOR, but GF(2^8) 2N/A * multiplication is inefficient without hardware support. To multiply 2N/A * faster, I make use of the fact x is a generator for the nonzero elements, 2N/A * so that every element p of GF(2)[x]/w(x) is either 0 or equal to (x)^n for 2N/A * some n in 0..254. Note that that caret is exponentiation in GF(2^8), 2N/A * *not* polynomial notation. So if I want to compute pq where p and q are 2N/A * in GF(2^8), I can just say: 2N/A * 1. if p=0 or q=0 then pq=0 2N/A * 2. otherwise, find m and n such that p=x^m and q=x^n 2N/A * 3. pq=(x^m)(x^n)=x^(m+n), so add m and n and find pq 2N/A * The translations in steps 2 and 3 are looked up in the tables 2N/A * poly_to_exp (for step 2) and exp_to_poly (for step 3). To see this 2N/A * in action, look at the CALC_S macro. As additional wrinkles, note that 2N/A * one of my operands is always a constant, so the poly_to_exp lookup on it 2N/A * is done in advance; I included the original values in the comments so 2N/A * readers can have some chance of recognizing that this *is* the RS matrix 2N/A * from the Twofish paper. I've only included the table entries I actually 2N/A * need; I never do a lookup on a variable input of zero and the biggest 2N/A * exponents I'll ever see are 254 (variable) and 237 (constant), so they'll 2N/A * never sum to more than 491. I'm repeating part of the exp_to_poly table 2N/A * so that I don't have to do mod-255 reduction in the exponent arithmetic. 2N/A * Since I know my constant operands are never zero, I only have to worry 2N/A * about zero values in the variable operand, and I do it with a simple 2N/A * conditional branch. I know conditionals are expensive, but I couldn't 2N/A * see a non-horrible way of avoiding them, and I did manage to group the 2N/A * statements so that each if covers four group multiplications. */ 2N/A 0x00,
0x01,
0x17,
0x02,
0x2E,
0x18,
0x53,
0x03,
0x6A,
0x2F,
0x93,
0x19,
2N/A 0x34,
0x54,
0x45,
0x04,
0x5C,
0x6B,
0xB6,
0x30,
0xA6,
0x94,
0x4B,
0x1A,
2N/A 0x8C,
0x35,
0x81,
0x55,
0xAA,
0x46,
0x0D,
0x05,
0x24,
0x5D,
0x87,
0x6C,
2N/A 0x9B,
0xB7,
0xC1,
0x31,
0x2B,
0xA7,
0xA3,
0x95,
0x98,
0x4C,
0xCA,
0x1B,
2N/A 0xE6,
0x8D,
0x73,
0x36,
0xCD,
0x82,
0x12,
0x56,
0x62,
0xAB,
0xF0,
0x47,
2N/A 0x4F,
0x0E,
0xBD,
0x06,
0xD4,
0x25,
0xD2,
0x5E,
0x27,
0x88,
0x66,
0x6D,
2N/A 0xD6,
0x9C,
0x79,
0xB8,
0x08,
0xC2,
0xDF,
0x32,
0x68,
0x2C,
0xFD,
0xA8,
2N/A 0x8A,
0xA4,
0x5A,
0x96,
0x29,
0x99,
0x22,
0x4D,
0x60,
0xCB,
0xE4,
0x1C,
2N/A 0x7B,
0xE7,
0x3B,
0x8E,
0x9E,
0x74,
0xF4,
0x37,
0xD8,
0xCE,
0xF9,
0x83,
2N/A 0x6F,
0x13,
0xB2,
0x57,
0xE1,
0x63,
0xDC,
0xAC,
0xC4,
0xF1,
0xAF,
0x48,
2N/A 0x0A,
0x50,
0x42,
0x0F,
0xBA,
0xBE,
0xC7,
0x07,
0xDE,
0xD5,
0x78,
0x26,
2N/A 0x65,
0xD3,
0xD1,
0x5F,
0xE3,
0x28,
0x21,
0x89,
0x59,
0x67,
0xFC,
0x6E,
2N/A 0xB1,
0xD7,
0xF8,
0x9D,
0xF3,
0x7A,
0x3A,
0xB9,
0xC6,
0x09,
0x41,
0xC3,
2N/A 0xAE,
0xE0,
0xDB,
0x33,
0x44,
0x69,
0x92,
0x2D,
0x52,
0xFE,
0x16,
0xA9,
2N/A 0x0C,
0x8B,
0x80,
0xA5,
0x4A,
0x5B,
0xB5,
0x97,
0xC9,
0x2A,
0xA2,
0x9A,
2N/A 0xC0,
0x23,
0x86,
0x4E,
0xBC,
0x61,
0xEF,
0xCC,
0x11,
0xE5,
0x72,
0x1D,
2N/A 0x3D,
0x7C,
0xEB,
0xE8,
0xE9,
0x3C,
0xEA,
0x8F,
0x7D,
0x9F,
0xEC,
0x75,
2N/A 0x1E,
0xF5,
0x3E,
0x38,
0xF6,
0xD9,
0x3F,
0xCF,
0x76,
0xFA,
0x1F,
0x84,
2N/A 0xA0,
0x70,
0xED,
0x14,
0x90,
0xB3,
0x7E,
0x58,
0xFB,
0xE2,
0x20,
0x64,
2N/A 0xD0,
0xDD,
0x77,
0xAD,
0xDA,
0xC5,
0x40,
0xF2,
0x39,
0xB0,
0xF7,
0x49,
2N/A 0xB4,
0x0B,
0x7F,
0x51,
0x15,
0x43,
0x91,
0x10,
0x71,
0xBB,
0xEE,
0xBF,
2N/A 0x01,
0x02,
0x04,
0x08,
0x10,
0x20,
0x40,
0x80,
0x4D,
0x9A,
0x79,
0xF2,
2N/A 0xA9,
0x1F,
0x3E,
0x7C,
0xF8,
0xBD,
0x37,
0x6E,
0xDC,
0xF5,
0xA7,
0x03,
2N/A 0x06,
0x0C,
0x18,
0x30,
0x60,
0xC0,
0xCD,
0xD7,
0xE3,
0x8B,
0x5B,
0xB6,
2N/A 0x21,
0x42,
0x84,
0x45,
0x8A,
0x59,
0xB2,
0x29,
0x52,
0xA4,
0x05,
0x0A,
2N/A 0x14,
0x28,
0x50,
0xA0,
0x0D,
0x1A,
0x34,
0x68,
0xD0,
0xED,
0x97,
0x63,
2N/A 0xC6,
0xC1,
0xCF,
0xD3,
0xEB,
0x9B,
0x7B,
0xF6,
0xA1,
0x0F,
0x1E,
0x3C,
2N/A 0x78,
0xF0,
0xAD,
0x17,
0x2E,
0x5C,
0xB8,
0x3D,
0x7A,
0xF4,
0xA5,
0x07,
2N/A 0x0E,
0x1C,
0x38,
0x70,
0xE0,
0x8D,
0x57,
0xAE,
0x11,
0x22,
0x44,
0x88,
2N/A 0x5D,
0xBA,
0x39,
0x72,
0xE4,
0x85,
0x47,
0x8E,
0x51,
0xA2,
0x09,
0x12,
2N/A 0x24,
0x48,
0x90,
0x6D,
0xDA,
0xF9,
0xBF,
0x33,
0x66,
0xCC,
0xD5,
0xE7,
2N/A 0x83,
0x4B,
0x96,
0x61,
0xC2,
0xC9,
0xDF,
0xF3,
0xAB,
0x1B,
0x36,
0x6C,
2N/A 0xD8,
0xFD,
0xB7,
0x23,
0x46,
0x8C,
0x55,
0xAA,
0x19,
0x32,
0x64,
0xC8,
2N/A 0xDD,
0xF7,
0xA3,
0x0B,
0x16,
0x2C,
0x58,
0xB0,
0x2D,
0x5A,
0xB4,
0x25,
2N/A 0x4A,
0x94,
0x65,
0xCA,
0xD9,
0xFF,
0xB3,
0x2B,
0x56,
0xAC,
0x15,
0x2A,
2N/A 0x54,
0xA8,
0x1D,
0x3A,
0x74,
0xE8,
0x9D,
0x77,
0xEE,
0x91,
0x6F,
0xDE,
2N/A 0xF1,
0xAF,
0x13,
0x26,
0x4C,
0x98,
0x7D,
0xFA,
0xB9,
0x3F,
0x7E,
0xFC,
2N/A 0xB5,
0x27,
0x4E,
0x9C,
0x75,
0xEA,
0x99,
0x7F,
0xFE,
0xB1,
0x2F,
0x5E,
2N/A 0xBC,
0x35,
0x6A,
0xD4,
0xE5,
0x87,
0x43,
0x86,
0x41,
0x82,
0x49,
0x92,
2N/A 0x69,
0xD2,
0xE9,
0x9F,
0x73,
0xE6,
0x81,
0x4F,
0x9E,
0x71,
0xE2,
0x89,
2N/A 0x5F,
0xBE,
0x31,
0x62,
0xC4,
0xC5,
0xC7,
0xC3,
0xCB,
0xDB,
0xFB,
0xBB,
2N/A 0x3B,
0x76,
0xEC,
0x95,
0x67,
0xCE,
0xD1,
0xEF,
0x93,
0x6B,
0xD6,
0xE1,
2N/A 0x8F,
0x53,
0xA6,
0x01,
0x02,
0x04,
0x08,
0x10,
0x20,
0x40,
0x80,
0x4D,
2N/A 0x9A,
0x79,
0xF2,
0xA9,
0x1F,
0x3E,
0x7C,
0xF8,
0xBD,
0x37,
0x6E,
0xDC,
2N/A 0xF5,
0xA7,
0x03,
0x06,
0x0C,
0x18,
0x30,
0x60,
0xC0,
0xCD,
0xD7,
0xE3,
2N/A 0x8B,
0x5B,
0xB6,
0x21,
0x42,
0x84,
0x45,
0x8A,
0x59,
0xB2,
0x29,
0x52,
2N/A 0xA4,
0x05,
0x0A,
0x14,
0x28,
0x50,
0xA0,
0x0D,
0x1A,
0x34,
0x68,
0xD0,
2N/A 0xED,
0x97,
0x63,
0xC6,
0xC1,
0xCF,
0xD3,
0xEB,
0x9B,
0x7B,
0xF6,
0xA1,
2N/A 0x0F,
0x1E,
0x3C,
0x78,
0xF0,
0xAD,
0x17,
0x2E,
0x5C,
0xB8,
0x3D,
0x7A,
2N/A 0xF4,
0xA5,
0x07,
0x0E,
0x1C,
0x38,
0x70,
0xE0,
0x8D,
0x57,
0xAE,
0x11,
2N/A 0x22,
0x44,
0x88,
0x5D,
0xBA,
0x39,
0x72,
0xE4,
0x85,
0x47,
0x8E,
0x51,
2N/A 0xA2,
0x09,
0x12,
0x24,
0x48,
0x90,
0x6D,
0xDA,
0xF9,
0xBF,
0x33,
0x66,
2N/A 0xCC,
0xD5,
0xE7,
0x83,
0x4B,
0x96,
0x61,
0xC2,
0xC9,
0xDF,
0xF3,
0xAB,
2N/A 0x1B,
0x36,
0x6C,
0xD8,
0xFD,
0xB7,
0x23,
0x46,
0x8C,
0x55,
0xAA,
0x19,
2N/A 0x32,
0x64,
0xC8,
0xDD,
0xF7,
0xA3,
0x0B,
0x16,
0x2C,
0x58,
0xB0,
0x2D,
2N/A 0x5A,
0xB4,
0x25,
0x4A,
0x94,
0x65,
0xCA,
0xD9,
0xFF,
0xB3,
0x2B,
0x56,
2N/A 0xAC,
0x15,
0x2A,
0x54,
0xA8,
0x1D,
0x3A,
0x74,
0xE8,
0x9D,
0x77,
0xEE,
2N/A 0x91,
0x6F,
0xDE,
0xF1,
0xAF,
0x13,
0x26,
0x4C,
0x98,
0x7D,
0xFA,
0xB9,
2N/A 0x3F,
0x7E,
0xFC,
0xB5,
0x27,
0x4E,
0x9C,
0x75,
0xEA,
0x99,
0x7F,
0xFE,
2N/A 0xB1,
0x2F,
0x5E,
0xBC,
0x35,
0x6A,
0xD4,
0xE5,
0x87,
0x43,
0x86,
0x41,
2N/A 0x82,
0x49,
0x92,
0x69,
0xD2,
0xE9,
0x9F,
0x73,
0xE6,
0x81,
0x4F,
0x9E,
2N/A 0x71,
0xE2,
0x89,
0x5F,
0xBE,
0x31,
0x62,
0xC4,
0xC5,
0xC7,
0xC3,
0xCB 2N/A/* The table constants are indices of 2N/A * S-box entries, preprocessed through q0 and q1. */ 2N/A 0xA9,
0x75,
0x67,
0xF3,
0xB3,
0xC6,
0xE8,
0xF4,
2N/A 0x04,
0xDB,
0xFD,
0x7B,
0xA3,
0xFB,
0x76,
0xC8,
2N/A 0x9A,
0x4A,
0x92,
0xD3,
0x80,
0xE6,
0x78,
0x6B,
2N/A 0xE4,
0x45,
0xDD,
0x7D,
0xD1,
0xE8,
0x38,
0x4B,
2N/A 0x0D,
0xD6,
0xC6,
0x32,
0x35,
0xD8,
0x98,
0xFD,
2N/A 0x18,
0x37,
0xF7,
0x71,
0xEC,
0xF1,
0x6C,
0xE1,
2N/A 0x43,
0x30,
0x75,
0x0F,
0x37,
0xF8,
0x26,
0x1B,
2N/A 0xFA,
0x87,
0x13,
0xFA,
0x94,
0x06,
0x48,
0x3F,
2N/A 0xF2,
0x5E,
0xD0,
0xBA,
0x8B,
0xAE,
0x30,
0x5B,
2N/A 0x84,
0x8A,
0x54,
0x00,
0xDF,
0xBC,
0x23,
0x9D,
2N/A 0x19,
0x6D,
0x5B,
0xC1,
0x3D,
0xB1,
0x59,
0x0E,
2N/A 0xF3,
0x80,
0xAE,
0x5D,
0xA2,
0xD2,
0x82,
0xD5,
2N/A 0x63,
0xA0,
0x01,
0x84,
0x83,
0x07,
0x2E,
0x14,
2N/A 0xD9,
0xB5,
0x51,
0x90,
0x9B,
0x2C,
0x7C,
0xA3,
2N/A 0xA6,
0xB2,
0xEB,
0x73,
0xA5,
0x4C,
0xBE,
0x54,
2N/A 0x16,
0x92,
0x0C,
0x74,
0xE3,
0x36,
0x61,
0x51,
2N/A 0xC0,
0x38,
0x8C,
0xB0,
0x3A,
0xBD,
0xF5,
0x5A,
2N/A 0x73,
0xFC,
0x2C,
0x60,
0x25,
0x62,
0x0B,
0x96,
2N/A 0xBB,
0x6C,
0x4E,
0x42,
0x89,
0xF7,
0x6B,
0x10,
2N/A 0x53,
0x7C,
0x6A,
0x28,
0xB4,
0x27,
0xF1,
0x8C,
2N/A 0xE1,
0x13,
0xE6,
0x95,
0xBD,
0x9C,
0x45,
0xC7,
2N/A 0xE2,
0x24,
0xF4,
0x46,
0xB6,
0x3B,
0x66,
0x70,
2N/A 0xCC,
0xCA,
0x95,
0xE3,
0x03,
0x85,
0x56,
0xCB,
2N/A 0xD4,
0x11,
0x1C,
0xD0,
0x1E,
0x93,
0xD7,
0xB8,
2N/A 0xFB,
0xA6,
0xC3,
0x83,
0x8E,
0x20,
0xB5,
0xFF,
2N/A 0xE9,
0x9F,
0xCF,
0x77,
0xBF,
0xC3,
0xBA,
0xCC,
2N/A 0xEA,
0x03,
0x77,
0x6F,
0x39,
0x08,
0xAF,
0xBF,
2N/A 0x33,
0x40,
0xC9,
0xE7,
0x62,
0x2B,
0x71,
0xE2,
2N/A 0x81,
0x79,
0x79,
0x0C,
0x09,
0xAA,
0xAD,
0x82,
2N/A 0x24,
0x41,
0xCD,
0x3A,
0xF9,
0xEA,
0xD8,
0xB9,
2N/A 0xE5,
0xE4,
0xC5,
0x9A,
0xB9,
0xA4,
0x4D,
0x97,
2N/A 0x44,
0x7E,
0x08,
0xDA,
0x86,
0x7A,
0xE7,
0x17,
2N/A 0xA1,
0x66,
0x1D,
0x94,
0xAA,
0xA1,
0xED,
0x1D,
2N/A 0x06,
0x3D,
0x70,
0xF0,
0xB2,
0xDE,
0xD2,
0xB3,
2N/A 0x41,
0x0B,
0x7B,
0x72,
0xA0,
0xA7,
0x11,
0x1C,
2N/A 0x31,
0xEF,
0xC2,
0xD1,
0x27,
0x53,
0x90,
0x3E,
2N/A 0x20,
0x8F,
0xF6,
0x33,
0x60,
0x26,
0xFF,
0x5F,
2N/A 0x96,
0xEC,
0x5C,
0x76,
0xB1,
0x2A,
0xAB,
0x49,
2N/A 0x9E,
0x81,
0x9C,
0x88,
0x52,
0xEE,
0x1B,
0x21,
2N/A 0x5F,
0xC4,
0x93,
0x1A,
0x0A,
0xEB,
0xEF,
0xD9,
2N/A 0x91,
0xC5,
0x85,
0x39,
0x49,
0x99,
0xEE,
0xCD,
2N/A 0x2D,
0xAD,
0x4F,
0x31,
0x8F,
0x8B,
0x3B,
0x01,
2N/A 0x47,
0x18,
0x87,
0x23,
0x6D,
0xDD,
0x46,
0x1F,
2N/A 0xD6,
0x4E,
0x3E,
0x2D,
0x69,
0xF9,
0x64,
0x48,
2N/A 0x2A,
0x4F,
0xCE,
0xF2,
0xCB,
0x65,
0x2F,
0x8E,
2N/A 0xFC,
0x78,
0x97,
0x5C,
0x05,
0x58,
0x7A,
0x19,
2N/A 0xAC,
0x8D,
0x7F,
0xE5,
0xD5,
0x98,
0x1A,
0x57,
2N/A 0x4B,
0x67,
0x0E,
0x7F,
0xA7,
0x05,
0x5A,
0x64,
2N/A 0x28,
0xAF,
0x14,
0x63,
0x3F,
0xB6,
0x29,
0xFE,
2N/A 0x88,
0xF5,
0x3C,
0xB7,
0x4C,
0x3C,
0x02,
0xA5,
2N/A 0xB8,
0xCE,
0xDA,
0xE9,
0xB0,
0x68,
0x17,
0x44,
2N/A 0x55,
0xE0,
0x1F,
0x4D,
0x8A,
0x43,
0x7D,
0x69,
2N/A 0x57,
0x29,
0xC7,
0x2E,
0x8D,
0xAC,
0x74,
0x15,
2N/A 0xB7,
0x59,
0xC4,
0xA8,
0x9F,
0x0A,
0x72,
0x9E,
2N/A 0x7E,
0x6E,
0x15,
0x47,
0x22,
0xDF,
0x12,
0x34,
2N/A 0x58,
0x35,
0x07,
0x6A,
0x99,
0xCF,
0x34,
0xDC,
2N/A 0x6E,
0x22,
0x50,
0xC9,
0xDE,
0xC0,
0x68,
0x9B,
2N/A 0x65,
0x89,
0xBC,
0xD4,
0xDB,
0xED,
0xF8,
0xAB,
2N/A 0xC8,
0x12,
0xA8,
0xA2,
0x2B,
0x0D,
0x40,
0x52,
2N/A 0xDC,
0xBB,
0xFE,
0x02,
0x32,
0x2F,
0xA4,
0xA9,
2N/A 0xCA,
0xD7,
0x10,
0x61,
0x21,
0x1E,
0xF0,
0xB4,
2N/A 0xD3,
0x50,
0x5D,
0x04,
0x0F,
0xF6,
0x00,
0xC2,
2N/A 0x6F,
0x16,
0x9D,
0x25,
0x36,
0x86,
0x42,
0x56,
2N/A 0x4A,
0x55,
0x5E,
0x09,
0xC1,
0xBE,
0xE0,
0x91 2N/A/* Macro to perform one column of the RS matrix multiplication. The 2N/A * parameters a, b, c, and d are the four bytes of output; i is the index 2N/A * of the key bytes, and w, x, y, and z, are the column of constants from 2N/A * the RS matrix, preprocessed through the poly_to_exp table. */ 2N/A/* Macros to calculate the key-dependent S-boxes for a 128-bit key using 2N/A * the S vector from CALC_S. CALC_SB_2 computes a single entry in all 2N/A * four S-boxes, where i is the index of the entry to compute, and a and b 2N/A * are the index numbers preprocessed through the q0 and q1 tables 2N/A * respectively. CALC_SB is simply a convenience to make the code shorter; 2N/A * it calls CALC_SB_2 four times with consecutive indices from i to i+3, 2N/A * using the remaining parameters two by two. */ 2N/A/* Macros exactly like CALC_SB and CALC_SB_2, but for 256-bit keys. */ 2N/A/* Macros to calculate the whitening and round subkeys. CALC_K_2 computes the 2N/A * last two stages of the h() function for a given index (either 2i or 2i+1). 2N/A * a, b, c, and d are the four bytes going into the last two stages. For 2N/A * 128-bit keys, this is the entire h() function and a and c are the index 2N/A * preprocessed through q0 and q1 respectively; for longer keys they are the 2N/A * output of previous stages. j is the index of the first key byte to use. 2N/A * CALC_K computes a pair of subkeys for 128-bit Twofish, by calling CALC_K_2 2N/A * twice, doing the Psuedo-Hadamard Transform, and doing the necessary 2N/A * rotations. Its parameters are: a, the array to write the results into, 2N/A * j, the index of the first output entry, k and l, the preprocessed indices 2N/A * for index 2i, and m and n, the preprocessed indices for index 2i+1. 2N/A * CALC_K256_2 expands CALC_K_2 to handle 256-bit keys, by doing two 2N/A * additional lookup-and-XOR stages. The parameters a and b are the index 2N/A * preprocessed through q0 and q1 respectively; j is the index of the first 2N/A * key byte to use. CALC_K256 is identical to CALC_K but for using the 2N/A * CALC_K256_2 macro instead of CALC_K_2. */ 2N/A y = (y <<
8) + (y >>
24); \
2N/A x += y; y += x;
ctx->a[j] = x; \
2N/A ctx->a[(j) +
1] = (y <<
9) + (y >>
23)
2N/A y = (y <<
8) + (y >>
24); \
2N/A x += y; y += x;
ctx->a[j] = x; \
2N/A ctx->a[(j) +
1] = (y <<
9) + (y >>
23)
2N/A/* Perform the key setup. Note that this works only with 128- and 256-bit 2N/A * keys, despite the API that looks like it might support other sizes. */ 2N/A /* Temporaries for CALC_K. */ 2N/A /* The S vector used to key the S-boxes, split up into individual bytes. 2N/A * 128-bit keys use only sa through sh; 256-bit use all of them. */ 2N/A /* Temporary for CALC_S. */ 2N/A /* Flags for self-test. */ 2N/A /* Check key length. */ 2N/A /* Do self-test if necessary. */ 2N/A /* Compute the first two words of the S vector. The magic numbers are 2N/A * the entries of the RS matrix, preprocessed through poly_to_exp. The 2N/A * numbers in the comments are the original (polynomial form) matrix 2N/A /* Calculate the remaining two words of the S vector */ 2N/A /* Compute the S-boxes. */ 2N/A for(i=j=0,k=
1; i <
256; i++, j +=
2, k +=
2 )
2N/A /* Calculate whitening and round subkeys. The constants are 2N/A * indices of subkeys, preprocessed through q0 and q1. */ 2N/A /* Compute the S-boxes. */ 2N/A for(i=j=0,k=
1; i <
256; i++, j +=
2, k +=
2 )
2N/A /* Calculate whitening and round subkeys. The constants are 2N/A * indices of subkeys, preprocessed through q0 and q1. */ 2N/A/* Macros to compute the g() function in the encryption and decryption 2N/A * rounds. G1 is the straight g() function; G2 includes the 8-bit 2N/A * rotation for the high 32-bit word. */ 2N/A (
ctx->s[0][(a) &
0xFF]) ^ (
ctx->s[
1][((a) >>
8) &
0xFF]) \
2N/A ^ (
ctx->s[
2][((a) >>
16) &
0xFF]) ^ (
ctx->s[
3][(a) >>
24])
2N/A (
ctx->s[
1][(b) &
0xFF]) ^ (
ctx->s[
2][((b) >>
8) &
0xFF]) \
2N/A ^ (
ctx->s[
3][((b) >>
16) &
0xFF]) ^ (
ctx->s[0][(b) >>
24])
2N/A/* Encryption and decryption Feistel rounds. Each one calls the two g() 2N/A * macros, does the PHT, and performs the XOR and the appropriate bit 2N/A * rotations. The parameters are the round number (used to select subkeys), 2N/A * and the four 32-bit chunks of the text. */ 2N/A x += y; y += x +
ctx->k[
2 * (n) +
1]; \
2N/A (c) = ((c) >>
1) + ((c) <<
31); \
2N/A (d) = (((d) <<
1)+((d) >>
31)) ^ y
2N/A (d) ^= y +
ctx->k[
2 * (n) +
1]; \
2N/A (d) = ((d) >>
1) + ((d) <<
31); \
2N/A (c) = (((c) <<
1)+((c) >>
31)); \
2N/A/* Encryption and decryption cycles; each one is simply two Feistel rounds 2N/A * with the 32-bit chunks re-ordered to simulate the "swap" */ 2N/A/* Macros to convert the input and output bytes into 32-bit words, 2N/A * and simultaneously perform the whitening step. INPACK packs word 2N/A * number n into the variable named by x, using whitening subkey number m. 2N/A * OUTUNPACK unpacks word number n from the variable named by x, using 2N/A * whitening subkey number m. */ 2N/A x =
in[
4 * (n)] ^ (
in[
4 * (n) +
1] <<
8) \
2N/A ^ (
in[
4 * (n) +
2] <<
16) ^ (
in[
4 * (n) +
3] <<
24) ^
ctx->w[m]
2N/A out[
4 * (n)] = x;
out[
4 * (n) +
1] = x >>
8; \
2N/A out[
4 * (n) +
2] = x >>
16;
out[
4 * (n) +
3] = x >>
24 2N/A/* Encrypt one block. in and out may be the same. */ 2N/A /* The four 32-bit chunks of the text. */ 2N/A /* Temporaries used by the round function. */ 2N/A /* Input whitening and packing. */ 2N/A /* Encryption Feistel cycles. */ 2N/A /* Output whitening and unpacking. */ 2N/A/* Decrypt one block. in and out may be the same. */ 2N/A /* The four 32-bit chunks of the text. */ 2N/A /* Temporaries used by the round function. */ 2N/A /* Input whitening and packing. */ 2N/A /* Encryption Feistel cycles. */ 2N/A /* Output whitening and unpacking. */ 2N/A/* Test a single encryption and decryption with each key size. */ 2N/A * the vectors from the Twofish paper's "known answer test", I=3 for 2N/A * 128-bit and I=4 for 256-bit, instead of the all-0 vectors from the 2N/A * "intermediate value test", because an all-0 key would trigger all the 2N/A * special cases in the RS matrix multiply, leaving the math untested. */ 2N/A 0xD4,
0x91,
0xDB,
0x16,
0xE7,
0xB1,
0xC3,
0x9E,
2N/A 0x86,
0xCB,
0x08,
0x6B,
0x78,
0x9F,
0x54,
0x19 2N/A 0x9F,
0x58,
0x9F,
0x5C,
0xF6,
0x12,
0x2C,
0x32,
2N/A 0xB6,
0xBF,
0xEC,
0x2F,
0x2A,
0xE8,
0xC3,
0x5A 2N/A 0x01,
0x9F,
0x98,
0x09,
0xDE,
0x17,
0x11,
0x85,
2N/A 0x8F,
0xAA,
0xC3,
0xA3,
0xBA,
0x20,
0xFB,
0xC3 2N/A 0x90,
0xAF,
0xE9,
0x1B,
0xB2,
0x88,
0x54,
0x4F,
2N/A 0x2C,
0x32,
0xDC,
0x23,
0x9B,
0x26,
0x35,
0xE6 2N/A 0xD4,
0x3B,
0xB7,
0x55,
0x6E,
0xA3,
0x2E,
0x46,
2N/A 0xF2,
0xA2,
0x82,
0xB7,
0xD4,
0x5B,
0x4E,
0x0D,
2N/A 0x57,
0xFF,
0x73,
0x9D,
0x4D,
0xC9,
0x2C,
0x1B,
2N/A 0xD7,
0xFC,
0x01,
0x70,
0x0C,
0xC8,
0x21,
0x6F 2N/A 0x6C,
0xB4,
0x56,
0x1C,
0x40,
0xBF,
0x0A,
0x97,
2N/A 0x05,
0x93,
0x1C,
0xB6,
0xD4,
0x08,
0xE7,
0xFA 2N/A return "Twofish-128 test encryption failed.";
2N/A return "Twofish-128 test decryption failed.";
2N/A return "Twofish-256 test encryption failed.";
2N/A return "Twofish-256 test decryption failed.";
2N/A/* More complete test program. This does 1000 encryptions and decryptions 2N/A * with each of 250 128-bit keys and 2000 encryptions and decryptions with 2N/A * each of 125 256-bit keys, using a feedback scheme similar to a Feistel 2N/A * cipher, so as to be sure of testing all the table entries pretty 2N/A * thoroughly. We keep changing the keys so as to get a more meaningful 2N/A * performance number, since the key setup is non-trivial for Twofish. */ 2N/A int i, j;
/* Loop counters. */ 2N/A const char *
encrypt_msg;
/* Message to print regarding encryption test; 2N/A * the printf is done outside the loop to avoid 2N/A * stuffing up the timing. */ 2N/A {
0x00,
0x11,
0x22,
0x33,
0x44,
0x55,
0x66,
0x77,
2N/A 0x88,
0x99,
0xAA,
0xBB,
0xCC,
0xDD,
0xEE,
0xFF},
2N/A {
0x0F,
0x1E,
0x2D,
0x3C,
0x4B,
0x5A,
0x69,
0x78,
2N/A 0x87,
0x96,
0xA5,
0xB4,
0xC3,
0xD2 ,
0xE1,
0xF0},
2N/A {
0x01,
0x23,
0x45,
0x67,
0x89,
0xAB,
0xCD,
0xEF,
2N/A 0xFE,
0xDC,
0xBA,
0x98,
0x76,
0x54 ,
0x32,
0x10},
2N/A {
0x01,
0x23,
0x45,
0x67,
0x76,
0x54 ,
0x32,
0x10,
2N/A 0x89,
0xAB,
0xCD,
0xEF,
0xFE,
0xDC,
0xBA,
0x98}
2N/A /* Expected outputs for the million-operation test */ 2N/A {
0xC8,
0x23,
0xB8,
0xB7,
0x6B,
0xFE,
0x91,
0x13,
2N/A 0x2F,
0xA7,
0x5E,
0xE6,
0x94,
0x77,
0x6F,
0x6B},
2N/A {
0x90,
0x36,
0xD8,
0x29,
0xD5,
0x96,
0xC2,
0x8E,
2N/A 0xE4,
0xFF,
0x76,
0xBC,
0xE5,
0x77,
0x88,
0x27},
2N/A {
0xB8,
0x78,
0x69,
0xAF,
0x42,
0x8B,
0x48,
0x64,
2N/A 0xF7,
0xE9,
0xF3,
0x9C,
0x42,
0x18,
0x7B,
0x73},
2N/A {
0x7A,
0x88,
0xFB,
0xEB,
0x90,
0xA4,
0xB4,
0xA8,
2N/A 0x43,
0xA3,
0x1D,
0xF1,
0x26,
0xC4,
0x53,
0x57}
2N/A {
0x00,
0x11,
0x22,
0x33,
0x44,
0x55,
0x66,
0x77,
2N/A 0x88,
0x99,
0xAA,
0xBB,
0xCC,
0xDD,
0xEE,
0xFF},
2N/A {
0x0F,
0x1E,
0x2D,
0x3C,
0x4B,
0x5A,
0x69,
0x78,
2N/A 0x87,
0x96,
0xA5,
0xB4,
0xC3,
0xD2 ,
0xE1,
0xF0},
2N/A {
0x01,
0x23,
0x45,
0x67,
0x89,
0xAB,
0xCD,
0xEF,
2N/A 0xFE,
0xDC,
0xBA,
0x98,
0x76,
0x54 ,
0x32,
0x10},
2N/A {
0x01,
0x23,
0x45,
0x67,
0x76,
0x54 ,
0x32,
0x10,
2N/A 0x89,
0xAB,
0xCD,
0xEF,
0xFE,
0xDC,
0xBA,
0x98}
2N/A /* Start the timer ticking. */ 2N/A /* Encryption test. */ 2N/A for (i = 0; i <
125; i++)
2N/A for (j = 0; j <
1000; j++)
2N/A for (j = 0; j <
1000; j++)
2N/A for (j = 0; j <
1000; j++) {
2N/A "encryption failure!\n" :
"encryption OK!\n";
2N/A /* Decryption test. */ 2N/A for (i = 0; i <
125; i++)
2N/A for (j = 0; j <
1000; j++) {
2N/A for (j = 0; j <
1000; j++)
2N/A for (j = 0; j <
1000; j++)
2N/A /* Stop the timer, and print results. */ 2N/A "decryption failure!\n" :
"decryption OK!\n");