1 /* gf128mul.h - GF(2^128) multiplication funct 1
2 *
3 * Copyright (c) 2003, Dr Brian Gladman, Worce
4 * Copyright (c) 2006 Rik Snel <rsnel@cube.dyn
5 *
6 * Based on Dr Brian Gladman's (GPL'd) work pu
7 * http://fp.gladman.plus.com/cryptography_tec
8 * See the original copyright notice below.
9 *
10 * This program is free software; you can redi
11 * under the terms of the GNU General Public L
12 * Software Foundation; either version 2 of th
13 * any later version.
14 */
15 /*
16 ---------------------------------------------
17 Copyright (c) 2003, Dr Brian Gladman, Worcest
18
19 LICENSE TERMS
20
21 The free distribution and use of this softwar
22 form is allowed (with or without changes) pro
23
24 1. distributions of this source code includ
25 notice, this list of conditions and the
26
27 2. distributions in binary form include the
28 notice, this list of conditions and the
29 in the documentation and/or other associ
30
31 3. the copyright holder's name is not used
32 built using this software without specif
33
34 ALTERNATIVELY, provided that this notice is r
35 may be distributed under the terms of the GNU
36 in which case the provisions of the GPL apply
37
38 DISCLAIMER
39
40 This software is provided 'as is' with no exp
41 in respect of its properties, including, but
42 and/or fitness for purpose.
43 ---------------------------------------------
44 Issue Date: 31/01/2006
45
46 An implementation of field multiplication in
47 */
48
49 #ifndef _CRYPTO_GF128MUL_H
50 #define _CRYPTO_GF128MUL_H
51
52 #include <asm/byteorder.h>
53 #include <crypto/b128ops.h>
54 #include <linux/slab.h>
55
56 /* Comment by Rik:
57 *
58 * For some background on GF(2^128) see for ex
59 * http://csrc.nist.gov/groups/ST/toolkit/BCM/
60 *
61 * The elements of GF(2^128) := GF(2)[X]/(X^12
62 * be mapped to computer memory in a variety o
63 * three common cases.
64 *
65 * Take a look at the 16 binary octets below i
66 * are left and the lsb's are right. char b[16
67 * the first octet.
68 *
69 * 10000000 00000000 00000000 00000000 .... 00
70 * b[0] b[1] b[2] b[3]
71 *
72 * Every bit is a coefficient of some power of
73 * in every byte in little-endian order and th
74 * little endian order. I will call this lle (
75 * The above buffer represents the polynomial
76 * like 11100001 00000000 .... 00000000 = { 0x
77 * This format was originally implemented in g
78 * in GCM (Galois/Counter mode) and in ABL (Ar
79 *
80 * Another convention says: store the bits in
81 * bytes also. This is bbe (big-big-endian). N
82 * represents X^127. X^7+X^2+X^1+1 looks like
83 * b[15] = 0x87 and the rest is 0. LRW uses th
84 * is partly implemented.
85 *
86 * Both of the above formats are easy to imple
87 * machines.
88 *
89 * XTS and EME (the latter of which is patent
90 * format (bits are stored in big endian order
91 * endian). The above buffer represents X^7 in
92 * primitive polynomial is b[0] = 0x87.
93 *
94 * The common machine word-size is smaller tha
95 * an efficient implementation we must split i
96 * This implementation uses 64-bit words for t
97 * endianness comes into play. The lle format
98 * endianness is discussed below by the origin
99 * Brian Gladman.
100 *
101 * Let's look at the bbe and ble format on a l
102 *
103 * bbe on a little endian machine u32 x[4]:
104 *
105 * MS x[0] LS MS
106 * ms ls ms ls ms ls ms ls ms ls m
107 * 103..96 111.104 119.112 127.120 71...64 7
108 *
109 * MS x[2] LS MS
110 * ms ls ms ls ms ls ms ls ms ls m
111 * 39...32 47...40 55...48 63...56 07...00 1
112 *
113 * ble on a little endian machine
114 *
115 * MS x[0] LS MS
116 * ms ls ms ls ms ls ms ls ms ls m
117 * 31...24 23...16 15...08 07...00 63...56 5
118 *
119 * MS x[2] LS MS
120 * ms ls ms ls ms ls ms ls ms ls m
121 * 95...88 87...80 79...72 71...64 127.120 1
122 *
123 * Multiplications in GF(2^128) are mostly bit
124 * ble (and lbe also) are easier to implement
125 * machine than on a big-endian machine. The c
126 * and lle.
127 *
128 * Note: to have good alignment, it seems to m
129 * to keep elements of GF(2^128) in type u64[2
130 * machines this will automatically aligned to
131 * machine also.
132 */
133 /* Multiply a GF(2^128) field element by
134 held in arrays of bytes in which field bit
135 byte[n], with lower indexed bits placed in
136 significant bit positions within bytes.
137
138 On little endian machines the bit indexes
139 positions within four 32-bit words in the
140
141 MS x[0] LS MS
142 ms ls ms ls ms ls ms ls ms ls m
143 24...31 16...23 08...15 00...07 56...63 4
144
145 MS x[2] LS MS
146 ms ls ms ls ms ls ms ls ms ls m
147 88...95 80...87 72...79 64...71 120.127 1
148
149 On big endian machines the bit indexes tra
150 positions within four 32-bit words in the
151
152 MS x[0] LS MS
153 ms ls ms ls ms ls ms ls ms ls m
154 00...07 08...15 16...23 24...31 32...39 4
155
156 MS x[2] LS MS
157 ms ls ms ls ms ls ms ls ms ls m
158 64...71 72...79 80...87 88...95 96..103 1
159 */
160
161 /* A slow generic version of gf_mul, impl
162 * It multiplies a and b and puts the res
163 void gf128mul_lle(be128 *a, const be128 *b);
164
165 void gf128mul_bbe(be128 *a, const be128 *b);
166
167 /*
168 * The following functions multiply a field el
169 * the polynomial field representation. They
170 * to gain speed but compensate for machine en
171 * correctly on both styles of machine.
172 *
173 * They are defined here for performance.
174 */
175
176 static inline u64 gf128mul_mask_from_bit(u64 x
177 {
178 /* a constant-time version of 'x & ((u
179 return ((s64)(x << (63 - which)) >> 63
180 }
181
182 static inline void gf128mul_x_lle(be128 *r, co
183 {
184 u64 a = be64_to_cpu(x->a);
185 u64 b = be64_to_cpu(x->b);
186
187 /* equivalent to gf128mul_table_le[(b
188 * (see crypto/gf128mul.c): */
189 u64 _tt = gf128mul_mask_from_bit(b, 0)
190
191 r->b = cpu_to_be64((b >> 1) | (a << 63
192 r->a = cpu_to_be64((a >> 1) ^ _tt);
193 }
194
195 static inline void gf128mul_x_bbe(be128 *r, co
196 {
197 u64 a = be64_to_cpu(x->a);
198 u64 b = be64_to_cpu(x->b);
199
200 /* equivalent to gf128mul_table_be[a >
201 u64 _tt = gf128mul_mask_from_bit(a, 63
202
203 r->a = cpu_to_be64((a << 1) | (b >> 63
204 r->b = cpu_to_be64((b << 1) ^ _tt);
205 }
206
207 /* needed by XTS */
208 static inline void gf128mul_x_ble(le128 *r, co
209 {
210 u64 a = le64_to_cpu(x->a);
211 u64 b = le64_to_cpu(x->b);
212
213 /* equivalent to gf128mul_table_be[b >
214 u64 _tt = gf128mul_mask_from_bit(a, 63
215
216 r->a = cpu_to_le64((a << 1) | (b >> 63
217 r->b = cpu_to_le64((b << 1) ^ _tt);
218 }
219
220 /* 4k table optimization */
221
222 struct gf128mul_4k {
223 be128 t[256];
224 };
225
226 struct gf128mul_4k *gf128mul_init_4k_lle(const
227 struct gf128mul_4k *gf128mul_init_4k_bbe(const
228 void gf128mul_4k_lle(be128 *a, const struct gf
229 void gf128mul_4k_bbe(be128 *a, const struct gf
230 void gf128mul_x8_ble(le128 *r, const le128 *x)
231 static inline void gf128mul_free_4k(struct gf1
232 {
233 kfree_sensitive(t);
234 }
235
236
237 /* 64k table optimization, implemented for bbe
238
239 struct gf128mul_64k {
240 struct gf128mul_4k *t[16];
241 };
242
243 /* First initialize with the constant factor w
244 * want to multiply and then call gf128mul_64k
245 * factor in the first argument, and the table
246 * Afterwards, the result is stored in *a.
247 */
248 struct gf128mul_64k *gf128mul_init_64k_bbe(con
249 void gf128mul_free_64k(struct gf128mul_64k *t)
250 void gf128mul_64k_bbe(be128 *a, const struct g
251
252 #endif /* _CRYPTO_GF128MUL_H */
253
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.