├── .gitignore ├── .gitmodules ├── Implementations └── software │ ├── arm asm fixslice Adomnicai.zip │ ├── opt 32 │ ├── Romulus-H │ │ ├── LWC_HASH_KAT_256.txt │ │ ├── api.h │ │ ├── crypto_hash.h │ │ ├── genkat_hash.c │ │ ├── hash.c │ │ ├── hash_skinny.h │ │ ├── hash_skinny_key_schedule1.c │ │ ├── hash_skinny_key_schedule23.c │ │ └── hash_skinny_main.c │ ├── Romulus-M │ │ ├── LWC_AEAD_KAT_128_128_40.txt │ │ ├── armsrc │ │ │ ├── api.h │ │ │ ├── crypto_aead.h │ │ │ ├── encrypt.c │ │ │ ├── genkat_aead.c │ │ │ ├── skinny.h │ │ │ ├── skinny_key_schedule2.c │ │ │ ├── skinny_key_schedule3.c │ │ │ └── skinny_main.c │ │ └── gcc_option.txt │ ├── Romulus-N-H │ │ ├── LWC_AEAD_KAT_128_128.txt │ │ ├── LWC_HASH_KAT_256.txt │ │ ├── api.h │ │ ├── common.c │ │ ├── common.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── decrypt.c │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── genkat_hash.c │ │ ├── hash.c │ │ ├── hash_skinny.h │ │ ├── hash_skinny_key_schedule1.c │ │ ├── hash_skinny_key_schedule23.c │ │ ├── hash_skinny_main.c │ │ ├── skinny.h │ │ ├── skinny_key_schedule2.c │ │ ├── skinny_key_schedule3.c │ │ └── skinny_main.c │ └── Romulus-N │ │ ├── LWC_AEAD_KAT_128_128_40.txt │ │ ├── armsrc │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_key_schedule2.c │ │ ├── skinny_key_schedule3.c │ │ └── skinny_main.c │ │ └── gcc_option.txt │ ├── python │ ├── Python_AEAD_KAT_ROMULUS-M.txt │ ├── Python_AEAD_KAT_ROMULUS-N.txt │ ├── Python_AEAD_KAT_ROMULUS-T.txt │ ├── Python_HASH_KAT_ROMULUS-H.txt │ ├── ROMULUS_H.py │ ├── ROMULUS_M.py │ ├── ROMULUS_N.py │ ├── ROMULUS_T.py │ ├── SKINNY_128_384_plus.py │ ├── SKINNY_128_384_plus_bitsliced.py │ ├── SKINNY_128_384_plus_constant_time.py │ ├── genkat_aead.py │ └── genkat_hash.py │ └── ref │ ├── Previous Romulus versions │ ├── Romulus-M1 │ │ ├── LWC_AEAD_KAT_128_128.txt │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_reference.c │ │ └── variant.h │ ├── Romulus-M2 │ │ ├── LWC_AEAD_KAT_128_96.txt │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_reference.c │ │ └── variant.h │ ├── Romulus-M3 │ │ ├── LWC_AEAD_KAT_128_96.txt │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_reference.c │ │ └── variant.h │ ├── Romulus-N1 │ │ ├── LWC_AEAD_KAT_128_128.txt │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_reference.c │ │ └── variant.h │ ├── Romulus-N2 │ │ ├── LWC_AEAD_KAT_128_128.txt │ │ ├── LWC_AEAD_KAT_128_96.txt │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_reference.c │ │ └── variant.h │ └── Romulus-N3 │ │ ├── LWC_AEAD_KAT_128_96.txt │ │ ├── api.h │ │ ├── crypto_aead.h │ │ ├── crypto_hash.h │ │ ├── encrypt.c │ │ ├── genkat_aead.c │ │ ├── skinny.h │ │ ├── skinny_reference.c │ │ └── variant.h │ ├── Romulus-H │ ├── LWC_HASH_KAT_256.txt │ ├── api.h │ ├── crypto_hash.h │ ├── hash.c │ ├── skinny.h │ ├── skinny_reference.c │ └── variant.h │ ├── Romulus-M-H │ ├── LWC_AEAD_KAT_128_128.txt │ ├── LWC_HASH_KAT_256.txt │ ├── api.h │ ├── crypto_aead.h │ ├── crypto_hash.h │ ├── decrypt.c │ ├── encrypt.c │ ├── hash.c │ ├── romulus_m.h │ ├── romulus_m_reference.c │ ├── skinny.h │ ├── skinny_reference.c │ └── variant.h │ ├── Romulus-M │ ├── LWC_AEAD_KAT_128_128.txt │ ├── api.h │ ├── crypto_aead.h │ ├── decrypt.c │ ├── encrypt.c │ ├── romulus_m.h │ ├── romulus_m_reference.c │ ├── skinny.h │ ├── skinny_reference.c │ └── variant.h │ ├── Romulus-N-H │ ├── LWC_AEAD_KAT_128_128.txt │ ├── LWC_HASH_KAT_256.txt │ ├── api.h │ ├── crypto_aead.h │ ├── crypto_hash.h │ ├── decrypt.c │ ├── encrypt.c │ ├── hash.c │ ├── romulus_n.h │ ├── romulus_n_reference.c │ ├── skinny.h │ ├── skinny_reference.c │ └── variant.h │ ├── Romulus-N │ ├── LWC_AEAD_KAT_128_128.txt │ ├── api.h │ ├── crypto_aead.h │ ├── decrypt.c │ ├── encrypt.c │ ├── romulus_n.h │ ├── romulus_n_reference.c │ ├── skinny.h │ ├── skinny_reference.c │ └── variant.h │ └── Romulus-T-H │ ├── LWC_AEAD_KAT_128_128.txt │ ├── LWC_HASH_KAT_256.txt │ ├── api.h │ ├── crypto_aead.h │ ├── crypto_hash.h │ ├── decrypt.c │ ├── encrypt.c │ ├── hash.c │ ├── romulus_t.h │ ├── romulus_t_hash.h │ ├── romulus_t_reference.c │ ├── skinny.h │ ├── skinny_reference.c │ └── variant.h ├── LICENSE ├── _config.yml ├── _layouts └── default.html ├── assets └── css │ └── style.scss ├── contact.md ├── docs ├── NIST_LWC_2022.pdf ├── Romulus_T_proof.pdf ├── Romulusv1.2.pdf ├── Romulusv1.3.pdf ├── Security_evaluation_Romulus_Jooyoung_Lee.pdf ├── modeH.png ├── modeM_simplified.png ├── modeN_simplified.png ├── modeT.png └── remus_romulus.png ├── impl.md ├── index.md ├── security.md └── specs.md /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | index.md 3 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "Implementations/hardware"] 2 | path = Implementations/hardware/_hardware 3 | url = https://github.com/romulusae/romulus-hardware.git 4 | -------------------------------------------------------------------------------- /Implementations/software/arm asm fixslice Adomnicai.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/Implementations/software/arm asm fixslice Adomnicai.zip -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-H/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-H/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-H/genkat_hash.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_hash.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 1024 50 | 51 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 52 | 53 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 54 | 55 | int generate_test_vectors(); 56 | 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char msg[MAX_MESSAGE_LENGTH]; 74 | unsigned char digest[CRYPTO_BYTES]; 75 | int ret_val = KAT_SUCCESS; 76 | int count = 1; 77 | 78 | init_buffer(msg, sizeof(msg)); 79 | 80 | sprintf(fileName, "LWC_HASH_KAT_%d.txt", (CRYPTO_BYTES * 8)); 81 | 82 | if ((fp = fopen(fileName, "w")) == NULL) { 83 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 84 | return KAT_FILE_OPEN_ERROR; 85 | } 86 | 87 | for (unsigned long long mlen = 0; mlen <= MAX_MESSAGE_LENGTH; mlen++) { 88 | 89 | fprintf(fp, "Count = %d\n", count++); 90 | 91 | fprint_bstr(fp, "Msg = ", msg, mlen); 92 | 93 | ret_val = crypto_hash(digest, msg, mlen); 94 | 95 | if(ret_val != 0) { 96 | fprintf(fp, "crypto_hash returned <%d>\n", ret_val); 97 | ret_val = KAT_CRYPTO_FAILURE; 98 | break; 99 | } 100 | 101 | fprint_bstr(fp, "MD = ", digest, CRYPTO_BYTES); 102 | 103 | fprintf(fp, "\n"); 104 | } 105 | 106 | fclose(fp); 107 | 108 | return ret_val; 109 | } 110 | 111 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 112 | { 113 | fprintf(fp, "%s", label); 114 | 115 | for (unsigned long long i = 0; i < length; i++) 116 | fprintf(fp, "%02X", data[i]); 117 | 118 | fprintf(fp, "\n"); 119 | } 120 | 121 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 122 | { 123 | for (unsigned long long i = 0; i < numbytes; i++) 124 | buffer[i] = (unsigned char)i; 125 | } 126 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-H/hash_skinny.h: -------------------------------------------------------------------------------- 1 | #define ___SKINNY_LOOP 2 | //#define ___NUM_OF_ROUNDS_56 3 | 4 | #include 5 | 6 | typedef struct ___hash_skinny_ctrl { 7 | #ifdef ___NUM_OF_ROUNDS_56 8 | uint32_t roundKeys[144]; // number of rounds : 56 9 | #else 10 | uint32_t roundKeys[112]; // number of rounds : 40 11 | #endif 12 | void (*func_skinny_128_384_enc)(unsigned char*, unsigned char*, struct ___hash_skinny_ctrl*, unsigned char*, unsigned char*); 13 | } hash_skinny_ctrl; 14 | 15 | extern void hash_skinny_128_384_enc_321_main (unsigned char* h, unsigned char* g, hash_skinny_ctrl* pskinny_ctrl, unsigned char* key, unsigned char* m); 16 | extern void hash_skinny_128_384_enc_32_main (unsigned char* h, unsigned char*g, hash_skinny_ctrl* pskinny_ctrl, unsigned char* key, unsigned char* m); 17 | 18 | #define pack_word(x0, x1, x2, x3, w) \ 19 | w = ((x3) << 24) ^ \ 20 | ((x2) << 16) ^ \ 21 | ((x1) << 8) ^ \ 22 | (x0); 23 | 24 | #define unpack_word(x0, x1, x2, x3, w) \ 25 | x0 = ((w) & 0xff); \ 26 | x1 = (((w) >> 8) & 0xff); \ 27 | x2 = (((w) >> 16) & 0xff); \ 28 | x3 = ((w) >> 24); 29 | 30 | #define PERMUTATION(w0, w1) \ 31 | /* permutation */ \ 32 | \ 33 | /* 7 6 5 4 3 2 1 0 */ \ 34 | /* 5 7 2 3 6 0 4 1 */ \ 35 | \ 36 | /* w0 (3 2 1 0) */ \ 37 | /* w1 (7 6 5 4) */ \ 38 | \ 39 | /* w0 (6 0 4 1) */ \ 40 | /* w1 (5 7 2 3) */ \ 41 | \ 42 | t0 = w1 << 8; /* 6 5 4 - */ \ 43 | t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \ 44 | \ 45 | t1 = w1 << 16; /* 5 4 - - */ \ 46 | t1 = t1 & 0xff000000; /* 5 - - - */ \ 47 | \ 48 | t2 = w1 & 0xff000000; /* 7 - - - */ \ 49 | t2 = t2 >> 8; /* - 7 - - */ \ 50 | t1 = t1 ^ t2; /* 5 7 - - */ \ 51 | \ 52 | t2 = w0 & 0xff000000; /* 3 - - - */ \ 53 | t2 = t2 >> 24; /* - - - 3 */ \ 54 | t1 = t1 ^ t2; /* 5 7 - 3 */ \ 55 | \ 56 | w1 = w0 >> 8; /* - 3 2 1 */ \ 57 | w1 = w1 & 0x0000ff00; /* - - 2 - */ \ 58 | w1 = w1 ^ t1; /* 5 7 2 3 */ \ 59 | \ 60 | t2 = w0 & 0x0000ff00; /* - - 1 - */ \ 61 | t2 = t2 >> 8; /* - - - 1 */ \ 62 | t0 = t0 ^ t2; /* 6 - 4 1 */ \ 63 | \ 64 | w0 = w0 << 16; /* 1 0 - - */ \ 65 | w0 = w0 & 0x00ff0000; /* - 0 - - */ \ 66 | w0 = w0 ^ t0; /* 6 0 4 1 */ 67 | 68 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-H/hash_skinny_key_schedule1.c: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | * Copyright (c) 2020, NEC Corporation. 3 | * 4 | * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. 5 | * 6 | *****************************************************************************/ 7 | 8 | /* 9 | * SKINNY-128-384 10 | * 11 | * T1 -> store 12 | * ART(TK1) 13 | * 14 | * number of rounds : 40 or 56 15 | */ 16 | 17 | #include "hash_skinny.h" 18 | 19 | #define PERMUTATION_TK1() \ 20 | \ 21 | /* permutation */ \ 22 | \ 23 | PERMUTATION(w0, w1) \ 24 | \ 25 | /* store */ \ 26 | \ 27 | *tk1++ = w0; \ 28 | *tk1++ = w1; \ 29 | tk1 += 2; 30 | 31 | #ifndef ___SKINNY_LOOP 32 | 33 | void hash_RunEncryptionKeyScheduleTK1(uint32_t *roundKeys) 34 | { 35 | 36 | uint32_t *tk1; 37 | uint32_t t0; // used in MACRO 38 | uint32_t t1; // used in MACRO 39 | uint32_t t2; // used in MACRO 40 | uint32_t w0; 41 | uint32_t w1; 42 | 43 | // odd 44 | 45 | // load master key 46 | w0 = roundKeys[0]; 47 | w1 = roundKeys[1]; 48 | 49 | // 1st round 50 | // not need to store 51 | 52 | tk1 = &roundKeys[4]; 53 | 54 | // 3rd, ... ,15th round 55 | PERMUTATION_TK1(); 56 | PERMUTATION_TK1(); 57 | PERMUTATION_TK1(); 58 | PERMUTATION_TK1(); 59 | PERMUTATION_TK1(); 60 | PERMUTATION_TK1(); 61 | PERMUTATION_TK1(); 62 | 63 | // even 64 | 65 | tk1 = &roundKeys[2]; 66 | 67 | // load master key 68 | w0 = roundKeys[2]; 69 | w1 = roundKeys[3]; 70 | 71 | // 2nd, ... ,16th round 72 | PERMUTATION_TK1(); 73 | PERMUTATION_TK1(); 74 | PERMUTATION_TK1(); 75 | PERMUTATION_TK1(); 76 | PERMUTATION_TK1(); 77 | PERMUTATION_TK1(); 78 | PERMUTATION_TK1(); 79 | PERMUTATION_TK1(); 80 | 81 | } 82 | 83 | #else 84 | 85 | void hash_RunEncryptionKeyScheduleTK1(uint32_t *roundKeys) 86 | { 87 | 88 | uint32_t *tk1; 89 | uint32_t t0; // used in MACRO 90 | uint32_t t1; // used in MACRO 91 | uint32_t t2; // used in MACRO 92 | uint32_t w0; 93 | uint32_t w1; 94 | 95 | // odd 96 | 97 | // load master key 98 | w0 = roundKeys[0]; 99 | w1 = roundKeys[1]; 100 | 101 | // 1st round 102 | // not need to store 103 | 104 | tk1 = &roundKeys[4]; 105 | 106 | // 3rd, ... ,15th round 107 | for(int i=0;i<7;i++) { 108 | PERMUTATION_TK1(); 109 | } 110 | 111 | // even 112 | 113 | tk1 = &roundKeys[2]; 114 | 115 | // load master key 116 | w0 = roundKeys[2]; 117 | w1 = roundKeys[3]; 118 | 119 | // 2nd, ... ,16th round 120 | for(int i=0;i<8;i++) { 121 | PERMUTATION_TK1(); 122 | } 123 | 124 | } 125 | 126 | #endif 127 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-H/hash_skinny_key_schedule23.c: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | * Copyright (c) 2020, NEC Corporation. 3 | * 4 | * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. 5 | * 6 | *****************************************************************************/ 7 | 8 | /* 9 | * SKINNY-128-384 10 | * 11 | * TK2 ^ TK3 ^ AC(c0 c1) -> store 12 | * ART(TK2) 13 | * ART(TK3) 14 | * 15 | * number of rounds : 40 or 56 16 | */ 17 | 18 | #include "hash_skinny.h" 19 | 20 | #define PERMUTATION_TK23(c0Val, c1Val) \ 21 | \ 22 | /* permutation (TK2) */ \ 23 | \ 24 | PERMUTATION(tk20, tk21) \ 25 | \ 26 | /* LFSR(for TK2) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x6 x5 x4 x3 x2 x1 x0 x7^x5) */ \ 27 | tk20 = ((tk20 << 1) & 0xfefefefe) ^ \ 28 | (((tk20 >> 7) ^ (tk20 >> 5)) & 0x01010101); \ 29 | tk21 = ((tk21 << 1) & 0xfefefefe) ^ \ 30 | (((tk21 >> 7) ^ (tk21 >> 5)) & 0x01010101); \ 31 | \ 32 | /* permutation (TK3) */ \ 33 | \ 34 | PERMUTATION(tk30, tk31) \ 35 | \ 36 | /* LFSR(for TK3) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x0^x6 x7 x6 x5 x4 x3 x2 x1) */ \ 37 | tk30 = ((tk30 >> 1) & 0x7f7f7f7f) ^ \ 38 | (((tk30 << 7) ^ (tk30 << 1)) & 0x80808080); \ 39 | tk31 = ((tk31 >> 1) & 0x7f7f7f7f) ^ \ 40 | (((tk31 << 7) ^ (tk31 << 1)) & 0x80808080); \ 41 | \ 42 | /* TK2 ^ TK3 ^ AC(c0 c1) */ \ 43 | /* store */ \ 44 | *tk2++ = tk20 ^ tk30 ^ c0Val; \ 45 | *tk2++ = tk21 ^ tk31 ^ ((uint32_t)c1Val << 8); \ 46 | tk2 += 2; 47 | 48 | #ifndef ___SKINNY_LOOP 49 | 50 | void hash_RunEncryptionKeyScheduleTK23(uint32_t *roundKeys) 51 | { 52 | uint32_t *tk2; 53 | uint32_t t0; // used in MACRO 54 | uint32_t t1; // used in MACRO 55 | uint32_t t2; // used in MACRO 56 | uint32_t tk20; 57 | uint32_t tk21; 58 | uint32_t tk30; 59 | uint32_t tk31; 60 | 61 | // odd 62 | 63 | // load master key 64 | tk20 = roundKeys[4]; 65 | tk21 = roundKeys[5]; 66 | tk30 = roundKeys[8]; 67 | tk31 = roundKeys[9]; 68 | 69 | tk2 = &roundKeys[32]; 70 | 71 | // 1st round 72 | *tk2++ = tk20 ^ tk30 ^ 0x01; 73 | *tk2++ = tk21 ^ tk31; 74 | tk2 += 2; 75 | 76 | // 3rd,5th, ... ,37th,39th round 77 | PERMUTATION_TK23(0x7, 0x0); 78 | PERMUTATION_TK23(0xf, 0x1); 79 | PERMUTATION_TK23(0xd, 0x3); 80 | PERMUTATION_TK23(0x7, 0x3); 81 | PERMUTATION_TK23(0xe, 0x1); 82 | PERMUTATION_TK23(0x9, 0x3); 83 | PERMUTATION_TK23(0x7, 0x2); 84 | PERMUTATION_TK23(0xd, 0x1); 85 | PERMUTATION_TK23(0x5, 0x3); 86 | 87 | PERMUTATION_TK23(0x6, 0x1); 88 | PERMUTATION_TK23(0x8, 0x1); 89 | PERMUTATION_TK23(0x1, 0x2); 90 | PERMUTATION_TK23(0x5, 0x0); 91 | PERMUTATION_TK23(0x7, 0x1); 92 | PERMUTATION_TK23(0xc, 0x1); 93 | PERMUTATION_TK23(0x1, 0x3); 94 | PERMUTATION_TK23(0x6, 0x0); 95 | PERMUTATION_TK23(0xb, 0x1); 96 | PERMUTATION_TK23(0xd, 0x2); 97 | 98 | #ifdef ___NUM_OF_ROUNDS_56 99 | 100 | // 41td,43th, ... ,53th,55th round 101 | PERMUTATION_TK23(0x4, 0x3); 102 | PERMUTATION_TK23(0x2, 0x1); 103 | PERMUTATION_TK23(0x8, 0x0); 104 | PERMUTATION_TK23(0x2, 0x2); 105 | PERMUTATION_TK23(0x9, 0x0); 106 | PERMUTATION_TK23(0x6, 0x2); 107 | PERMUTATION_TK23(0x9, 0x1); 108 | PERMUTATION_TK23(0x5, 0x2); 109 | 110 | #endif 111 | 112 | // even 113 | 114 | // load master key 115 | tk20 = roundKeys[6]; 116 | tk21 = roundKeys[7]; 117 | tk30 = roundKeys[10]; 118 | tk31 = roundKeys[11]; 119 | 120 | tk2 = &roundKeys[34]; 121 | 122 | // 2nd,4th, ... ,38th,40th round 123 | PERMUTATION_TK23(0x3, 0x0); 124 | PERMUTATION_TK23(0xf, 0x0); 125 | PERMUTATION_TK23(0xe, 0x3); 126 | PERMUTATION_TK23(0xb, 0x3); 127 | PERMUTATION_TK23(0xf, 0x2); 128 | PERMUTATION_TK23(0xc, 0x3); 129 | PERMUTATION_TK23(0x3, 0x3); 130 | PERMUTATION_TK23(0xe, 0x0); 131 | PERMUTATION_TK23(0xa, 0x3); 132 | PERMUTATION_TK23(0xb, 0x2); 133 | 134 | PERMUTATION_TK23(0xc, 0x2); 135 | PERMUTATION_TK23(0x0, 0x3); 136 | PERMUTATION_TK23(0x2, 0x0); 137 | PERMUTATION_TK23(0xb, 0x0); 138 | PERMUTATION_TK23(0xe, 0x2); 139 | PERMUTATION_TK23(0x8, 0x3); 140 | PERMUTATION_TK23(0x3, 0x2); 141 | PERMUTATION_TK23(0xd, 0x0); 142 | PERMUTATION_TK23(0x6, 0x3); 143 | PERMUTATION_TK23(0xa, 0x1); 144 | 145 | #ifdef ___NUM_OF_ROUNDS_56 146 | 147 | // 42nd,44th, ... ,54th,56th round 148 | PERMUTATION_TK23(0x9, 0x2); 149 | PERMUTATION_TK23(0x4, 0x2); 150 | PERMUTATION_TK23(0x1, 0x1); 151 | PERMUTATION_TK23(0x4, 0x0); 152 | PERMUTATION_TK23(0x3, 0x1); 153 | PERMUTATION_TK23(0xc, 0x0); 154 | PERMUTATION_TK23(0x2, 0x3); 155 | PERMUTATION_TK23(0xa, 0x0); 156 | 157 | #endif 158 | 159 | } 160 | 161 | #else 162 | 163 | void hash_RunEncryptionKeyScheduleTK23(uint32_t *roundKeys, unsigned char *pRC) 164 | { 165 | 166 | uint32_t *tk2; 167 | uint32_t t0; // used in MACRO 168 | uint32_t t1; // used in MACRO 169 | uint32_t t2; // used in MACRO 170 | uint32_t tk20; 171 | uint32_t tk21; 172 | uint32_t tk30; 173 | uint32_t tk31; 174 | uint16_t c0; 175 | uint16_t c1; 176 | 177 | // odd 178 | 179 | // load master key 180 | tk20 = roundKeys[4]; 181 | tk21 = roundKeys[5]; 182 | tk30 = roundKeys[8]; 183 | tk31 = roundKeys[9]; 184 | 185 | tk2 = &roundKeys[32]; 186 | 187 | // 1st round 188 | *tk2++ = tk20 ^ tk30 ^ 0x01; 189 | *tk2++ = tk21 ^ tk31; 190 | tk2 += 2; 191 | 192 | pRC += 4; 193 | // 3rd,5th, ... 194 | #ifndef ___NUM_OF_ROUNDS_56 195 | for(int i=0;i<19;i++) 196 | #else 197 | for(int i=0;i<27;i++) 198 | #endif 199 | { 200 | c0 = *pRC++; 201 | c1 = *pRC++; 202 | pRC += 2; 203 | PERMUTATION_TK23(c0, c1); 204 | } 205 | 206 | // even 207 | 208 | // load master key 209 | tk20 = roundKeys[6]; 210 | tk21 = roundKeys[7]; 211 | tk30 = roundKeys[10]; 212 | tk31 = roundKeys[11]; 213 | 214 | tk2 = &roundKeys[34]; 215 | #ifndef ___NUM_OF_ROUNDS_56 216 | pRC -= 78; 217 | #else 218 | pRC -= 110; 219 | #endif 220 | 221 | // 2nd,4th, ... 222 | #ifndef ___NUM_OF_ROUNDS_56 223 | for(int i=0;i<20;i++) 224 | #else 225 | for(int i=0;i<28;i++) 226 | #endif 227 | { 228 | c0 = *pRC++; 229 | c1 = *pRC++; 230 | pRC += 2; 231 | PERMUTATION_TK23(c0, c1); 232 | } 233 | 234 | } 235 | 236 | #endif 237 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-M/armsrc/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 16 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-M/armsrc/crypto_aead.h: -------------------------------------------------------------------------------- 1 | int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen, 2 | const unsigned char *m, unsigned long long mlen, 3 | const unsigned char *ad, unsigned long long adlen, 4 | const unsigned char *nsec, const unsigned char *npub, 5 | const unsigned char *k); 6 | 7 | int crypto_aead_decrypt(unsigned char *m, unsigned long long *outputmlen, 8 | unsigned char *nsec, 9 | const unsigned char *c, unsigned long long clen, 10 | const unsigned char *ad, unsigned long long adlen, 11 | const unsigned char *npub, const unsigned char *k); 12 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-M/armsrc/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 97 | 98 | printf("%0d\n", (int)clen); 99 | 100 | fprintf(fp, "Count = %d\n", count++); 101 | printf("Count = %d\n", count - 1); 102 | 103 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 104 | 105 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 106 | 107 | fprint_bstr(fp, "PT = ", msg, mlen); 108 | 109 | fprint_bstr(fp, "AD = ", ad, adlen); 110 | 111 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 112 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 113 | ret_val = KAT_CRYPTO_FAILURE; 114 | break; 115 | } 116 | 117 | fprint_bstr(fp, "CT = ", ct, clen); 118 | 119 | fprintf(fp, "\n"); 120 | 121 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 122 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 123 | ret_val = KAT_CRYPTO_FAILURE; 124 | break; 125 | } 126 | 127 | if (mlen != mlen2) { 128 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 129 | ret_val = KAT_CRYPTO_FAILURE; 130 | break; 131 | } 132 | 133 | if (memcmp(msg, msg2, mlen)) { 134 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 135 | ret_val = KAT_CRYPTO_FAILURE; 136 | break; 137 | } 138 | } 139 | } 140 | 141 | fclose(fp); 142 | 143 | return ret_val; 144 | } 145 | 146 | 147 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 148 | { 149 | fprintf(fp, "%s", label); 150 | 151 | for (unsigned long long i = 0; i < length; i++) 152 | fprintf(fp, "%02X", data[i]); 153 | 154 | fprintf(fp, "\n"); 155 | } 156 | 157 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 158 | { 159 | for (unsigned long long i = 0; i < numbytes; i++) 160 | buffer[i] = (unsigned char)i; 161 | } 162 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-M/armsrc/skinny.h: -------------------------------------------------------------------------------- 1 | typedef struct ___skinny_ctrl { 2 | unsigned char roundKeys[704]; // number of round : 40 3 | void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K); 4 | } skinny_ctrl; 5 | 6 | extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 7 | extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 8 | extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 9 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-M/gcc_option.txt: -------------------------------------------------------------------------------- 1 | Cortex-m3 2 | 3 | -mcpu=cortex-m3 4 | -mthumb 5 | -mfloat-abi=soft 6 | -O3 7 | 8 | Cortex-m4 9 | 10 | -mcpu=cortex-m4 11 | -mthumb 12 | -mfloat-abi=hard 13 | -mfpu=fpv4-sp-d16 14 | -O3 15 | 16 | * If you want to use SIMD 17 | -DSTM32F4 18 | 19 | - end of file - 20 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/common.h: -------------------------------------------------------------------------------- 1 | void lfsr_gf56 (unsigned char* CNT); 2 | void nonce_encryption ( 3 | const unsigned char* N, 4 | unsigned char* CNT, 5 | unsigned char*s, const unsigned char* k, 6 | unsigned char D, 7 | skinny_ctrl* p_skinny_ctrl); 8 | unsigned long long ad_encryption_ud16( 9 | const unsigned char** A, unsigned char* s, 10 | unsigned long long adlen, 11 | unsigned char* CNT); 12 | unsigned long long ad_encryption_eq16 ( 13 | const unsigned char** A, unsigned char* s, 14 | unsigned char* CNT); 15 | unsigned long long ad_encryption_ov16 ( 16 | const unsigned char** A, unsigned char* s, 17 | const unsigned char* k, unsigned long long adlen, 18 | unsigned char* CNT, 19 | unsigned char D, 20 | skinny_ctrl* p_skinny_ctrl); 21 | unsigned long long ad_encryption_eqov32 ( 22 | const unsigned char** A, unsigned char* s, 23 | const unsigned char* k, unsigned long long adlen, 24 | unsigned char* CNT, 25 | unsigned char D, 26 | skinny_ctrl* p_skinny_ctrl); 27 | unsigned long long msg_encryption_ud16 ( 28 | const unsigned char** M, unsigned char** c, 29 | const unsigned char* N, 30 | unsigned char* CNT, 31 | unsigned char*s, const unsigned char* k, 32 | unsigned char D, 33 | unsigned long long mlen, 34 | skinny_ctrl* p_skinny_ctrl); 35 | unsigned long long msg_encryption_eqov16 ( 36 | const unsigned char** M, unsigned char** c, 37 | const unsigned char* N, 38 | unsigned char* CNT, 39 | unsigned char*s, const unsigned char* k, 40 | unsigned char D, 41 | unsigned long long mlen, 42 | skinny_ctrl* p_skinny_ctrl); 43 | void generate_tag ( 44 | unsigned char** c, unsigned char* s, 45 | unsigned long long* clen); 46 | void g8A (unsigned char* s, unsigned char* c); 47 | void pad (const unsigned char* m, unsigned char* mp, int len8); 48 | void reset_lfsr_gf56 (unsigned char* CNT); 49 | void g8A_for_Tag_Generation (unsigned char* s, unsigned char* c); 50 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/crypto_aead.h: -------------------------------------------------------------------------------- 1 | int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen, 2 | const unsigned char *m, unsigned long long mlen, 3 | const unsigned char *ad, unsigned long long adlen, 4 | const unsigned char *nsec, const unsigned char *npub, 5 | const unsigned char *k); 6 | 7 | int crypto_aead_decrypt(unsigned char *m, unsigned long long *outputmlen, 8 | unsigned char *nsec, 9 | const unsigned char *c, unsigned long long clen, 10 | const unsigned char *ad, unsigned long long adlen, 11 | const unsigned char *npub, const unsigned char *k); 12 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/encrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 29 November 2018 3 | * Contact: Thomas Peyrin - thomas.peyrin@gmail.com 4 | * Mustafa Khairallah - mustafam001@e.ntu.edu.sg 5 | */ 6 | 7 | #include "crypto_aead.h" 8 | #include "api.h" 9 | #include "skinny.h" 10 | #include "common.h" 11 | #include 12 | #include 13 | 14 | 15 | int crypto_aead_encrypt ( 16 | unsigned char* c, unsigned long long* clen, 17 | const unsigned char* m, unsigned long long mlen, 18 | const unsigned char* ad, unsigned long long adlen, 19 | const unsigned char* nsec, 20 | const unsigned char* npub, 21 | const unsigned char* k) { 22 | 23 | unsigned char s[16]; 24 | unsigned char CNT[8]; 25 | const unsigned char* A; 26 | const unsigned char* M; 27 | const unsigned char* N; 28 | 29 | skinny_ctrl ctrl; 30 | ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; 31 | 32 | (void) nsec; 33 | A = ad; 34 | M = m; 35 | N = npub; 36 | 37 | #ifdef ___ENABLE_WORD_CAST 38 | 39 | *(uint32_t*)(&s[0]) = 0; 40 | *(uint32_t*)(&s[4]) = 0; 41 | *(uint32_t*)(&s[8]) = 0; 42 | *(uint32_t*)(&s[12]) = 0; 43 | 44 | #else 45 | 46 | s[0] = 0; 47 | s[1] = 0; 48 | s[2] = 0; 49 | s[3] = 0; 50 | s[4] = 0; 51 | s[5] = 0; 52 | s[6] = 0; 53 | s[7] = 0; 54 | s[8] = 0; 55 | s[9] = 0; 56 | s[10] = 0; 57 | s[11] = 0; 58 | s[12] = 0; 59 | s[13] = 0; 60 | s[14] = 0; 61 | s[15] = 0; 62 | 63 | #endif 64 | 65 | reset_lfsr_gf56(CNT); 66 | 67 | if (adlen == 0) { // AD is an empty string 68 | lfsr_gf56(CNT); 69 | nonce_encryption(N,CNT,s,k,0x1a,&ctrl); 70 | } 71 | else while (adlen > 0) { 72 | if (adlen < 16) { // The last block of AD is odd and incomplete 73 | adlen = ad_encryption_ud16(&A,s,adlen,CNT); 74 | nonce_encryption(N,CNT,s,k,0x1a,&ctrl); 75 | } 76 | else if (adlen == 16) { // The last block of AD is odd and complete 77 | adlen = ad_encryption_eq16(&A,s,CNT); 78 | nonce_encryption(N,CNT,s,k,0x18,&ctrl); 79 | } 80 | else if (adlen < 32) { // The last block of AD is even and incomplete 81 | adlen = ad_encryption_ov16(&A,s,k,adlen,CNT,0x08,&ctrl); 82 | nonce_encryption(N,CNT,s,k,0x1a,&ctrl); 83 | } 84 | else if (adlen == 32) { // The last block of AD is even and complete 85 | adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); 86 | nonce_encryption(N,CNT,s,k,0x18,&ctrl); 87 | } 88 | else { // A normal full pair of blocks of AD 89 | adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); 90 | } 91 | } 92 | 93 | ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; 94 | 95 | reset_lfsr_gf56(CNT); 96 | 97 | *clen = mlen + 16; 98 | 99 | if (mlen == 0) { // M is an empty string 100 | lfsr_gf56(CNT); 101 | nonce_encryption(N,CNT,s,k,0x15,&ctrl); 102 | } 103 | else while (mlen > 0) { 104 | if (mlen < 16) { // The last block of M is incomplete 105 | mlen = msg_encryption_ud16(&M,&c,N,CNT,s,k,0x15,mlen,&ctrl); 106 | } 107 | else if (mlen == 16) { // The last block of M is complete 108 | mlen = msg_encryption_eqov16(&M,&c,N,CNT,s,k,0x14,mlen,&ctrl); 109 | } 110 | else { // A normal full message block 111 | mlen = msg_encryption_eqov16(&M,&c,N,CNT,s,k,0x04,mlen,&ctrl); 112 | } 113 | } 114 | 115 | // Tag generation 116 | generate_tag(&c,s,clen); 117 | 118 | return 0; 119 | 120 | } 121 | 122 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 97 | 98 | printf("%0d\n", (int)clen); 99 | 100 | fprintf(fp, "Count = %d\n", count++); 101 | printf("Count = %d\n", count - 1); 102 | 103 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 104 | 105 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 106 | 107 | fprint_bstr(fp, "PT = ", msg, mlen); 108 | 109 | fprint_bstr(fp, "AD = ", ad, adlen); 110 | 111 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 112 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 113 | ret_val = KAT_CRYPTO_FAILURE; 114 | break; 115 | } 116 | 117 | fprint_bstr(fp, "CT = ", ct, clen); 118 | 119 | fprintf(fp, "\n"); 120 | 121 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 122 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 123 | ret_val = KAT_CRYPTO_FAILURE; 124 | break; 125 | } 126 | 127 | if (mlen != mlen2) { 128 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 129 | ret_val = KAT_CRYPTO_FAILURE; 130 | break; 131 | } 132 | 133 | if (memcmp(msg, msg2, mlen)) { 134 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 135 | ret_val = KAT_CRYPTO_FAILURE; 136 | break; 137 | } 138 | } 139 | } 140 | 141 | fclose(fp); 142 | 143 | return ret_val; 144 | } 145 | 146 | 147 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 148 | { 149 | fprintf(fp, "%s", label); 150 | 151 | for (unsigned long long i = 0; i < length; i++) 152 | fprintf(fp, "%02X", data[i]); 153 | 154 | fprintf(fp, "\n"); 155 | } 156 | 157 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 158 | { 159 | for (unsigned long long i = 0; i < numbytes; i++) 160 | buffer[i] = (unsigned char)i; 161 | } 162 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/genkat_hash.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_hash.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 1024 50 | 51 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 52 | 53 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 54 | 55 | int generate_test_vectors(); 56 | 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char msg[MAX_MESSAGE_LENGTH]; 74 | unsigned char digest[CRYPTO_BYTES]; 75 | int ret_val = KAT_SUCCESS; 76 | int count = 1; 77 | 78 | init_buffer(msg, sizeof(msg)); 79 | 80 | sprintf(fileName, "LWC_HASH_KAT_%d.txt", (CRYPTO_BYTES * 8)); 81 | 82 | if ((fp = fopen(fileName, "w")) == NULL) { 83 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 84 | return KAT_FILE_OPEN_ERROR; 85 | } 86 | 87 | for (unsigned long long mlen = 0; mlen <= MAX_MESSAGE_LENGTH; mlen++) { 88 | 89 | fprintf(fp, "Count = %d\n", count++); 90 | 91 | fprint_bstr(fp, "Msg = ", msg, mlen); 92 | 93 | ret_val = crypto_hash(digest, msg, mlen); 94 | 95 | if(ret_val != 0) { 96 | fprintf(fp, "crypto_hash returned <%d>\n", ret_val); 97 | ret_val = KAT_CRYPTO_FAILURE; 98 | break; 99 | } 100 | 101 | fprint_bstr(fp, "MD = ", digest, CRYPTO_BYTES); 102 | 103 | fprintf(fp, "\n"); 104 | } 105 | 106 | fclose(fp); 107 | 108 | return ret_val; 109 | } 110 | 111 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 112 | { 113 | fprintf(fp, "%s", label); 114 | 115 | for (unsigned long long i = 0; i < length; i++) 116 | fprintf(fp, "%02X", data[i]); 117 | 118 | fprintf(fp, "\n"); 119 | } 120 | 121 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 122 | { 123 | for (unsigned long long i = 0; i < numbytes; i++) 124 | buffer[i] = (unsigned char)i; 125 | } 126 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/hash_skinny.h: -------------------------------------------------------------------------------- 1 | #define ___SKINNY_LOOP 2 | //#define ___NUM_OF_ROUNDS_56 3 | 4 | #include 5 | 6 | typedef struct ___hash_skinny_ctrl { 7 | #ifdef ___NUM_OF_ROUNDS_56 8 | uint32_t roundKeys[144]; // number of rounds : 56 9 | #else 10 | uint32_t roundKeys[112]; // number of rounds : 40 11 | #endif 12 | void (*func_skinny_128_384_enc)(unsigned char*, unsigned char*, struct ___hash_skinny_ctrl*, unsigned char*, unsigned char*); 13 | } hash_skinny_ctrl; 14 | 15 | extern void hash_skinny_128_384_enc_321_main (unsigned char* h, unsigned char* g, hash_skinny_ctrl* pskinny_ctrl, unsigned char* key, unsigned char* m); 16 | extern void hash_skinny_128_384_enc_32_main (unsigned char* h, unsigned char*g, hash_skinny_ctrl* pskinny_ctrl, unsigned char* key, unsigned char* m); 17 | 18 | #define pack_word(x0, x1, x2, x3, w) \ 19 | w = ((x3) << 24) ^ \ 20 | ((x2) << 16) ^ \ 21 | ((x1) << 8) ^ \ 22 | (x0); 23 | 24 | #define unpack_word(x0, x1, x2, x3, w) \ 25 | x0 = ((w) & 0xff); \ 26 | x1 = (((w) >> 8) & 0xff); \ 27 | x2 = (((w) >> 16) & 0xff); \ 28 | x3 = ((w) >> 24); 29 | 30 | #define PERMUTATION(w0, w1) \ 31 | /* permutation */ \ 32 | \ 33 | /* 7 6 5 4 3 2 1 0 */ \ 34 | /* 5 7 2 3 6 0 4 1 */ \ 35 | \ 36 | /* w0 (3 2 1 0) */ \ 37 | /* w1 (7 6 5 4) */ \ 38 | \ 39 | /* w0 (6 0 4 1) */ \ 40 | /* w1 (5 7 2 3) */ \ 41 | \ 42 | t0 = w1 << 8; /* 6 5 4 - */ \ 43 | t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \ 44 | \ 45 | t1 = w1 << 16; /* 5 4 - - */ \ 46 | t1 = t1 & 0xff000000; /* 5 - - - */ \ 47 | \ 48 | t2 = w1 & 0xff000000; /* 7 - - - */ \ 49 | t2 = t2 >> 8; /* - 7 - - */ \ 50 | t1 = t1 ^ t2; /* 5 7 - - */ \ 51 | \ 52 | t2 = w0 & 0xff000000; /* 3 - - - */ \ 53 | t2 = t2 >> 24; /* - - - 3 */ \ 54 | t1 = t1 ^ t2; /* 5 7 - 3 */ \ 55 | \ 56 | w1 = w0 >> 8; /* - 3 2 1 */ \ 57 | w1 = w1 & 0x0000ff00; /* - - 2 - */ \ 58 | w1 = w1 ^ t1; /* 5 7 2 3 */ \ 59 | \ 60 | t2 = w0 & 0x0000ff00; /* - - 1 - */ \ 61 | t2 = t2 >> 8; /* - - - 1 */ \ 62 | t0 = t0 ^ t2; /* 6 - 4 1 */ \ 63 | \ 64 | w0 = w0 << 16; /* 1 0 - - */ \ 65 | w0 = w0 & 0x00ff0000; /* - 0 - - */ \ 66 | w0 = w0 ^ t0; /* 6 0 4 1 */ 67 | 68 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/hash_skinny_key_schedule1.c: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | * Copyright (c) 2020, NEC Corporation. 3 | * 4 | * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. 5 | * 6 | *****************************************************************************/ 7 | 8 | /* 9 | * SKINNY-128-384 10 | * 11 | * T1 -> store 12 | * ART(TK1) 13 | * 14 | * number of rounds : 40 or 56 15 | */ 16 | 17 | #include "hash_skinny.h" 18 | 19 | #define PERMUTATION_TK1() \ 20 | \ 21 | /* permutation */ \ 22 | \ 23 | PERMUTATION(w0, w1) \ 24 | \ 25 | /* store */ \ 26 | \ 27 | *tk1++ = w0; \ 28 | *tk1++ = w1; \ 29 | tk1 += 2; 30 | 31 | #ifndef ___SKINNY_LOOP 32 | 33 | void hash_RunEncryptionKeyScheduleTK1(uint32_t *roundKeys) 34 | { 35 | 36 | uint32_t *tk1; 37 | uint32_t t0; // used in MACRO 38 | uint32_t t1; // used in MACRO 39 | uint32_t t2; // used in MACRO 40 | uint32_t w0; 41 | uint32_t w1; 42 | 43 | // odd 44 | 45 | // load master key 46 | w0 = roundKeys[0]; 47 | w1 = roundKeys[1]; 48 | 49 | // 1st round 50 | // not need to store 51 | 52 | tk1 = &roundKeys[4]; 53 | 54 | // 3rd, ... ,15th round 55 | PERMUTATION_TK1(); 56 | PERMUTATION_TK1(); 57 | PERMUTATION_TK1(); 58 | PERMUTATION_TK1(); 59 | PERMUTATION_TK1(); 60 | PERMUTATION_TK1(); 61 | PERMUTATION_TK1(); 62 | 63 | // even 64 | 65 | tk1 = &roundKeys[2]; 66 | 67 | // load master key 68 | w0 = roundKeys[2]; 69 | w1 = roundKeys[3]; 70 | 71 | // 2nd, ... ,16th round 72 | PERMUTATION_TK1(); 73 | PERMUTATION_TK1(); 74 | PERMUTATION_TK1(); 75 | PERMUTATION_TK1(); 76 | PERMUTATION_TK1(); 77 | PERMUTATION_TK1(); 78 | PERMUTATION_TK1(); 79 | PERMUTATION_TK1(); 80 | 81 | } 82 | 83 | #else 84 | 85 | void hash_RunEncryptionKeyScheduleTK1(uint32_t *roundKeys) 86 | { 87 | 88 | uint32_t *tk1; 89 | uint32_t t0; // used in MACRO 90 | uint32_t t1; // used in MACRO 91 | uint32_t t2; // used in MACRO 92 | uint32_t w0; 93 | uint32_t w1; 94 | 95 | // odd 96 | 97 | // load master key 98 | w0 = roundKeys[0]; 99 | w1 = roundKeys[1]; 100 | 101 | // 1st round 102 | // not need to store 103 | 104 | tk1 = &roundKeys[4]; 105 | 106 | // 3rd, ... ,15th round 107 | for(int i=0;i<7;i++) { 108 | PERMUTATION_TK1(); 109 | } 110 | 111 | // even 112 | 113 | tk1 = &roundKeys[2]; 114 | 115 | // load master key 116 | w0 = roundKeys[2]; 117 | w1 = roundKeys[3]; 118 | 119 | // 2nd, ... ,16th round 120 | for(int i=0;i<8;i++) { 121 | PERMUTATION_TK1(); 122 | } 123 | 124 | } 125 | 126 | #endif 127 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/skinny.h: -------------------------------------------------------------------------------- 1 | #define ___SKINNY_LOOP 2 | //#define ___NUM_OF_ROUNDS_56 3 | #define ___ENABLE_WORD_CAST 4 | 5 | #include 6 | 7 | typedef struct ___skinny_ctrl { 8 | #ifdef ___NUM_OF_ROUNDS_56 9 | uint32_t roundKeys[240]; // number of rounds : 56 10 | #else 11 | uint32_t roundKeys[176]; // number of rounds : 40 12 | #endif 13 | void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K); 14 | } skinny_ctrl; 15 | 16 | extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 17 | extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 18 | extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 19 | 20 | #define pack_word(x0, x1, x2, x3, w) \ 21 | w = ((x3) << 24) ^ \ 22 | ((x2) << 16) ^ \ 23 | ((x1) << 8) ^ \ 24 | (x0); 25 | 26 | #define unpack_word(x0, x1, x2, x3, w) \ 27 | x0 = ((w) & 0xff); \ 28 | x1 = (((w) >> 8) & 0xff); \ 29 | x2 = (((w) >> 16) & 0xff); \ 30 | x3 = ((w) >> 24); 31 | 32 | #define PERMUTATION() \ 33 | /* permutation */ \ 34 | \ 35 | /* 7 6 5 4 3 2 1 0 */ \ 36 | /* 5 7 2 3 6 0 4 1 */ \ 37 | \ 38 | /* w0 (3 2 1 0) */ \ 39 | /* w1 (7 6 5 4) */ \ 40 | \ 41 | /* w0 (6 0 4 1) */ \ 42 | /* w1 (5 7 2 3) */ \ 43 | \ 44 | t0 = w1 << 8; /* 6 5 4 - */ \ 45 | t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \ 46 | \ 47 | t1 = w1 << 16; /* 5 4 - - */ \ 48 | t1 = t1 & 0xff000000; /* 5 - - - */ \ 49 | \ 50 | t2 = w1 & 0xff000000; /* 7 - - - */ \ 51 | t2 = t2 >> 8; /* - 7 - - */ \ 52 | t1 = t1 ^ t2; /* 5 7 - - */ \ 53 | \ 54 | t2 = w0 & 0xff000000; /* 3 - - - */ \ 55 | t2 = t2 >> 24; /* - - - 3 */ \ 56 | t1 = t1 ^ t2; /* 5 7 - 3 */ \ 57 | \ 58 | w1 = w0 >> 8; /* - 3 2 1 */ \ 59 | w1 = w1 & 0x0000ff00; /* - - 2 - */ \ 60 | w1 = w1 ^ t1; /* 5 7 2 3 */ \ 61 | \ 62 | t2 = w0 & 0x0000ff00; /* - - 1 - */ \ 63 | t2 = t2 >> 8; /* - - - 1 */ \ 64 | t0 = t0 ^ t2; /* 6 - 4 1 */ \ 65 | \ 66 | w0 = w0 << 16; /* 1 0 - - */ \ 67 | w0 = w0 & 0x00ff0000; /* - 0 - - */ \ 68 | w0 = w0 ^ t0; /* 6 0 4 1 */ 69 | 70 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/skinny_key_schedule2.c: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | * Copyright (c) 2020, NEC Corporation. 3 | * 4 | * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. 5 | * 6 | *****************************************************************************/ 7 | 8 | /* 9 | * SKINNY-128-384 10 | * 11 | * load * AC(c0 c1) ^ TK3 12 | * calc AC(c0 c1) ^ TK2 -> store 13 | * ART(TK2) 14 | * 15 | * number of rounds : 40 or 56 16 | */ 17 | 18 | #include "skinny.h" 19 | 20 | #define PERMUTATION_TK2() \ 21 | \ 22 | /* permutation */ \ 23 | \ 24 | PERMUTATION() \ 25 | \ 26 | /* LFSR(for TK2) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x6 x5 x4 x3 x2 x1 x0 x7^x5) */ \ 27 | w0 = ((w0 << 1) & 0xfefefefe) ^ \ 28 | (((w0 >> 7) ^ (w0 >> 5)) & 0x01010101); \ 29 | w1 = ((w1 << 1) & 0xfefefefe) ^ \ 30 | (((w1 >> 7) ^ (w1 >> 5)) & 0x01010101); \ 31 | \ 32 | /* Load TK3 */ \ 33 | /* TK2^TK3^AC(c0 c1) */ \ 34 | /* store */ \ 35 | *tk2++ = w0 ^ *tk3++; \ 36 | *tk2++ = w1 ^ *tk3++; \ 37 | tk2 += 2; \ 38 | tk3 += 2; 39 | 40 | #ifndef ___SKINNY_LOOP 41 | 42 | void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) 43 | { 44 | uint32_t* tk2; // used in MACRO 45 | uint32_t* tk3; // used in MACRO 46 | uint32_t t0; // used in MACRO 47 | uint32_t t1; // used in MACRO 48 | uint32_t t2; // used in MACRO 49 | uint32_t w0; 50 | uint32_t w1; 51 | 52 | // odd 53 | 54 | // load master key 55 | w0 = roundKeys[4]; 56 | w1 = roundKeys[5]; 57 | 58 | tk2 = &roundKeys[16]; 59 | #ifndef ___NUM_OF_ROUNDS_56 60 | tk3 = &roundKeys[96]; 61 | #else 62 | tk3 = &roundKeys[128]; 63 | #endif 64 | 65 | // 1st round 66 | *tk2++ = w0 ^ *tk3++; 67 | *tk2++ = w1 ^ *tk3++; 68 | 69 | tk2 += 2; 70 | tk3 += 2; 71 | 72 | // 3rd,5th, ... ,37th,39th round 73 | PERMUTATION_TK2(); 74 | PERMUTATION_TK2(); 75 | PERMUTATION_TK2(); 76 | PERMUTATION_TK2(); 77 | PERMUTATION_TK2(); 78 | PERMUTATION_TK2(); 79 | PERMUTATION_TK2(); 80 | PERMUTATION_TK2(); 81 | PERMUTATION_TK2(); 82 | 83 | PERMUTATION_TK2(); 84 | PERMUTATION_TK2(); 85 | PERMUTATION_TK2(); 86 | PERMUTATION_TK2(); 87 | PERMUTATION_TK2(); 88 | PERMUTATION_TK2(); 89 | PERMUTATION_TK2(); 90 | PERMUTATION_TK2(); 91 | PERMUTATION_TK2(); 92 | PERMUTATION_TK2(); 93 | 94 | #ifdef ___NUM_OF_ROUNDS_56 95 | 96 | // 41th,43th, ... ,51th,53th round 97 | PERMUTATION_TK2(); 98 | PERMUTATION_TK2(); 99 | PERMUTATION_TK2(); 100 | PERMUTATION_TK2(); 101 | PERMUTATION_TK2(); 102 | PERMUTATION_TK2(); 103 | PERMUTATION_TK2(); 104 | PERMUTATION_TK2(); 105 | 106 | #endif 107 | 108 | // even 109 | 110 | // load master key 111 | w0 = roundKeys[6]; 112 | w1 = roundKeys[7]; 113 | 114 | tk2 = &roundKeys[18]; 115 | #ifndef ___NUM_OF_ROUNDS_56 116 | tk3 = &roundKeys[98]; 117 | #else 118 | tk3 = &roundKeys[130]; 119 | #endif 120 | 121 | // 2nd,4th, ... ,54th,56th round 122 | PERMUTATION_TK2(); 123 | PERMUTATION_TK2(); 124 | PERMUTATION_TK2(); 125 | PERMUTATION_TK2(); 126 | PERMUTATION_TK2(); 127 | PERMUTATION_TK2(); 128 | PERMUTATION_TK2(); 129 | PERMUTATION_TK2(); 130 | PERMUTATION_TK2(); 131 | PERMUTATION_TK2(); 132 | 133 | PERMUTATION_TK2(); 134 | PERMUTATION_TK2(); 135 | PERMUTATION_TK2(); 136 | PERMUTATION_TK2(); 137 | PERMUTATION_TK2(); 138 | PERMUTATION_TK2(); 139 | PERMUTATION_TK2(); 140 | PERMUTATION_TK2(); 141 | PERMUTATION_TK2(); 142 | PERMUTATION_TK2(); 143 | 144 | #ifdef ___NUM_OF_ROUNDS_56 145 | 146 | // 42nd,44th, ... ,54th,56th round 147 | PERMUTATION_TK2(); 148 | PERMUTATION_TK2(); 149 | PERMUTATION_TK2(); 150 | PERMUTATION_TK2(); 151 | PERMUTATION_TK2(); 152 | PERMUTATION_TK2(); 153 | PERMUTATION_TK2(); 154 | PERMUTATION_TK2(); 155 | 156 | #endif 157 | 158 | } 159 | 160 | #else 161 | 162 | void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) 163 | { 164 | uint32_t* tk2; // used in MACRO 165 | uint32_t* tk3; // used in MACRO 166 | uint32_t t0; // used in MACRO 167 | uint32_t t1; // used in MACRO 168 | uint32_t t2; // used in MACRO 169 | uint32_t w0; 170 | uint32_t w1; 171 | 172 | // odd 173 | 174 | // load master key 175 | w0 = roundKeys[4]; 176 | w1 = roundKeys[5]; 177 | 178 | tk2 = &roundKeys[16]; 179 | #ifndef ___NUM_OF_ROUNDS_56 180 | tk3 = &roundKeys[96]; 181 | #else 182 | tk3 = &roundKeys[128]; 183 | #endif 184 | 185 | // 1st round 186 | *tk2++ = w0 ^ *tk3++; 187 | *tk2++ = w1 ^ *tk3++; 188 | 189 | tk2 += 2; 190 | tk3 += 2; 191 | 192 | // 3rd,5th, ... 193 | #ifndef ___NUM_OF_ROUNDS_56 194 | for(int i=0;i<19;i++) 195 | #else 196 | for(int i=0;i<27;i++) 197 | #endif 198 | { 199 | PERMUTATION_TK2(); 200 | } 201 | 202 | // even 203 | 204 | // load master key 205 | w0 = roundKeys[6]; 206 | w1 = roundKeys[7]; 207 | 208 | tk2 = &roundKeys[18]; 209 | #ifndef ___NUM_OF_ROUNDS_56 210 | tk3 = &roundKeys[98]; 211 | #else 212 | tk3 = &roundKeys[130]; 213 | #endif 214 | 215 | // 2nd,4th, ... 216 | #ifndef ___NUM_OF_ROUNDS_56 217 | for(int i=0;i<20;i++) 218 | #else 219 | for(int i=0;i<28;i++) 220 | #endif 221 | { 222 | PERMUTATION_TK2(); 223 | } 224 | 225 | } 226 | 227 | #endif 228 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N-H/skinny_key_schedule3.c: -------------------------------------------------------------------------------- 1 | /****************************************************************************** 2 | * Copyright (c) 2020, NEC Corporation. 3 | * 4 | * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. 5 | * 6 | *****************************************************************************/ 7 | 8 | /* 9 | * SKINNY-128-384 10 | * 11 | * AC(c0 c1) ^ TK3 -> store 12 | * ART(TK3) 13 | * 14 | * number of rounds : 40 or 56 15 | */ 16 | 17 | #include "skinny.h" 18 | 19 | #define PERMUTATION_TK3(c0Val, c1Val) \ 20 | \ 21 | /* permutation */ \ 22 | \ 23 | PERMUTATION() \ 24 | \ 25 | /* LFSR(for TK3) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x0^x6 x7 x6 x5 x4 x3 x2 x1) */ \ 26 | w0 = ((w0 >> 1) & 0x7f7f7f7f) ^ \ 27 | (((w0 << 7) ^ (w0 << 1)) & 0x80808080); \ 28 | w1 = ((w1 >> 1) & 0x7f7f7f7f) ^ \ 29 | (((w1 << 7) ^ (w1 << 1)) & 0x80808080); \ 30 | \ 31 | /* K3^AC(c0 c1) */ \ 32 | /* store */ \ 33 | *tk3++ = w0 ^ c0Val; \ 34 | *tk3++ = w1 ^ c1Val; \ 35 | tk3 += 2; 36 | 37 | #ifndef ___SKINNY_LOOP 38 | 39 | void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys) 40 | { 41 | uint32_t *tk3; 42 | uint32_t t0; // used in MACRO 43 | uint32_t t1; // used in MACRO 44 | uint32_t t2; // used in MACRO 45 | uint32_t w0; 46 | uint32_t w1; 47 | 48 | // odd 49 | 50 | // load master key 51 | w0 = roundKeys[8]; 52 | w1 = roundKeys[9]; 53 | 54 | #ifndef ___NUM_OF_ROUNDS_56 55 | tk3 = &roundKeys[96]; 56 | #else 57 | tk3 = &roundKeys[128]; 58 | #endif 59 | 60 | // 1st round 61 | *tk3++ = w0 ^ 0x01; 62 | *tk3++ = w1; 63 | tk3 += 2; 64 | 65 | // 3rd,5th, ... ,37th,39th round 66 | PERMUTATION_TK3(0x7, 0x000); 67 | PERMUTATION_TK3(0xf, 0x100); 68 | PERMUTATION_TK3(0xd, 0x300); 69 | PERMUTATION_TK3(0x7, 0x300); 70 | PERMUTATION_TK3(0xe, 0x100); 71 | PERMUTATION_TK3(0x9, 0x300); 72 | PERMUTATION_TK3(0x7, 0x200); 73 | PERMUTATION_TK3(0xd, 0x100); 74 | PERMUTATION_TK3(0x5, 0x300); 75 | 76 | PERMUTATION_TK3(0x6, 0x100); 77 | PERMUTATION_TK3(0x8, 0x100); 78 | PERMUTATION_TK3(0x1, 0x200); 79 | PERMUTATION_TK3(0x5, 0x000); 80 | PERMUTATION_TK3(0x7, 0x100); 81 | PERMUTATION_TK3(0xc, 0x100); 82 | PERMUTATION_TK3(0x1, 0x300); 83 | PERMUTATION_TK3(0x6, 0x000); 84 | PERMUTATION_TK3(0xb, 0x100); 85 | PERMUTATION_TK3(0xd, 0x200); 86 | 87 | #ifdef ___NUM_OF_ROUNDS_56 88 | 89 | // 41td,43th, ... ,53th,55th round 90 | PERMUTATION_TK3(0x4, 0x300); 91 | PERMUTATION_TK3(0x2, 0x100); 92 | PERMUTATION_TK3(0x8, 0x000); 93 | PERMUTATION_TK3(0x2, 0x200); 94 | PERMUTATION_TK3(0x9, 0x000); 95 | PERMUTATION_TK3(0x6, 0x200); 96 | PERMUTATION_TK3(0x9, 0x100); 97 | PERMUTATION_TK3(0x5, 0x200); 98 | 99 | #endif 100 | 101 | // even 102 | 103 | // load master key 104 | w0 = roundKeys[10]; 105 | w1 = roundKeys[11]; 106 | 107 | 108 | #ifndef ___NUM_OF_ROUNDS_56 109 | tk3 = &roundKeys[98]; 110 | #else 111 | tk3 = &roundKeys[130]; 112 | #endif 113 | 114 | // 2nd,4th, ... ,38th,40th round 115 | PERMUTATION_TK3(0x3, 0x000); 116 | PERMUTATION_TK3(0xf, 0x000); 117 | PERMUTATION_TK3(0xe, 0x300); 118 | PERMUTATION_TK3(0xb, 0x300); 119 | PERMUTATION_TK3(0xf, 0x200); 120 | PERMUTATION_TK3(0xc, 0x300); 121 | PERMUTATION_TK3(0x3, 0x300); 122 | PERMUTATION_TK3(0xe, 0x000); 123 | PERMUTATION_TK3(0xa, 0x300); 124 | PERMUTATION_TK3(0xb, 0x200); 125 | 126 | PERMUTATION_TK3(0xc, 0x200); 127 | PERMUTATION_TK3(0x0, 0x300); 128 | PERMUTATION_TK3(0x2, 0x000); 129 | PERMUTATION_TK3(0xb, 0x000); 130 | PERMUTATION_TK3(0xe, 0x200); 131 | PERMUTATION_TK3(0x8, 0x300); 132 | PERMUTATION_TK3(0x3, 0x200); 133 | PERMUTATION_TK3(0xd, 0x000); 134 | PERMUTATION_TK3(0x6, 0x300); 135 | PERMUTATION_TK3(0xa, 0x100); 136 | 137 | #ifdef ___NUM_OF_ROUNDS_56 138 | 139 | // 42nd,44th, ... ,54th,56th round 140 | PERMUTATION_TK3(0x9, 0x200); 141 | PERMUTATION_TK3(0x4, 0x200); 142 | PERMUTATION_TK3(0x1, 0x100); 143 | PERMUTATION_TK3(0x4, 0x000); 144 | PERMUTATION_TK3(0x3, 0x100); 145 | PERMUTATION_TK3(0xc, 0x000); 146 | PERMUTATION_TK3(0x2, 0x300); 147 | PERMUTATION_TK3(0xa, 0x000); 148 | 149 | #endif 150 | 151 | } 152 | 153 | #else 154 | 155 | void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC) 156 | { 157 | uint32_t *tk3; 158 | uint32_t t0; // used in MACRO 159 | uint32_t t1; // used in MACRO 160 | uint32_t t2; // used in MACRO 161 | uint32_t w0; 162 | uint32_t w1; 163 | uint16_t c0; 164 | uint16_t c1; 165 | 166 | // odd 167 | 168 | // load master key 169 | w0 = roundKeys[8]; 170 | w1 = roundKeys[9]; 171 | 172 | #ifndef ___NUM_OF_ROUNDS_56 173 | tk3 = &roundKeys[96]; 174 | #else 175 | tk3 = &roundKeys[128]; 176 | #endif 177 | 178 | // 1st round 179 | *tk3++ = w0 ^ 0x01; 180 | *tk3++ = w1; 181 | tk3 += 2; 182 | 183 | pRC += 4; 184 | // 3rd,5th, ... 185 | #ifndef ___NUM_OF_ROUNDS_56 186 | for(int i=0;i<19;i++) 187 | #else 188 | for(int i=0;i<27;i++) 189 | #endif 190 | { 191 | c0 = *pRC++; 192 | c1 = *pRC++; 193 | c1 <<= 8; 194 | pRC += 2; 195 | PERMUTATION_TK3(c0, c1); 196 | } 197 | 198 | // even 199 | 200 | // load master key 201 | w0 = roundKeys[10]; 202 | w1 = roundKeys[11]; 203 | 204 | #ifndef ___NUM_OF_ROUNDS_56 205 | pRC -= 78; 206 | tk3 = &roundKeys[98]; 207 | #else 208 | pRC -= 110; 209 | tk3 = &roundKeys[130]; 210 | #endif 211 | 212 | // 2nd,4th, ... 213 | #ifndef ___NUM_OF_ROUNDS_56 214 | for(int i=0;i<20;i++) 215 | #else 216 | for(int i=0;i<28;i++) 217 | #endif 218 | { 219 | c0 = *pRC++; 220 | c1 = *pRC++; 221 | c1 <<= 8; 222 | pRC += 2; 223 | PERMUTATION_TK3(c0, c1); 224 | } 225 | 226 | } 227 | 228 | #endif 229 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N/armsrc/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 16 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N/armsrc/crypto_aead.h: -------------------------------------------------------------------------------- 1 | int crypto_aead_encrypt(unsigned char *c, unsigned long long *clen, 2 | const unsigned char *m, unsigned long long mlen, 3 | const unsigned char *ad, unsigned long long adlen, 4 | const unsigned char *nsec, const unsigned char *npub, 5 | const unsigned char *k); 6 | 7 | int crypto_aead_decrypt(unsigned char *m, unsigned long long *outputmlen, 8 | unsigned char *nsec, 9 | const unsigned char *c, unsigned long long clen, 10 | const unsigned char *ad, unsigned long long adlen, 11 | const unsigned char *npub, const unsigned char *k); 12 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N/armsrc/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 97 | 98 | printf("%0d\n", (int)clen); 99 | 100 | fprintf(fp, "Count = %d\n", count++); 101 | printf("Count = %d\n", count - 1); 102 | 103 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 104 | 105 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 106 | 107 | fprint_bstr(fp, "PT = ", msg, mlen); 108 | 109 | fprint_bstr(fp, "AD = ", ad, adlen); 110 | 111 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 112 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 113 | ret_val = KAT_CRYPTO_FAILURE; 114 | break; 115 | } 116 | 117 | fprint_bstr(fp, "CT = ", ct, clen); 118 | 119 | fprintf(fp, "\n"); 120 | 121 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 122 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 123 | ret_val = KAT_CRYPTO_FAILURE; 124 | break; 125 | } 126 | 127 | if (mlen != mlen2) { 128 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 129 | ret_val = KAT_CRYPTO_FAILURE; 130 | break; 131 | } 132 | 133 | if (memcmp(msg, msg2, mlen)) { 134 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 135 | ret_val = KAT_CRYPTO_FAILURE; 136 | break; 137 | } 138 | } 139 | } 140 | 141 | fclose(fp); 142 | 143 | return ret_val; 144 | } 145 | 146 | 147 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 148 | { 149 | fprintf(fp, "%s", label); 150 | 151 | for (unsigned long long i = 0; i < length; i++) 152 | fprintf(fp, "%02X", data[i]); 153 | 154 | fprintf(fp, "\n"); 155 | } 156 | 157 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 158 | { 159 | for (unsigned long long i = 0; i < numbytes; i++) 160 | buffer[i] = (unsigned char)i; 161 | } 162 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N/armsrc/skinny.h: -------------------------------------------------------------------------------- 1 | typedef struct ___skinny_ctrl { 2 | unsigned char roundKeys[704]; // number of round : 40 3 | void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K); 4 | } skinny_ctrl; 5 | 6 | extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 7 | extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 8 | extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); 9 | -------------------------------------------------------------------------------- /Implementations/software/opt 32/Romulus-N/gcc_option.txt: -------------------------------------------------------------------------------- 1 | Cortex-m3 2 | 3 | -mcpu=cortex-m3 4 | -mthumb 5 | -mfloat-abi=soft 6 | -O3 7 | 8 | Cortex-m4 9 | 10 | -mcpu=cortex-m4 11 | -mthumb 12 | -mfloat-abi=hard 13 | -mfpu=fpv4-sp-d16 14 | -O3 15 | 16 | * If you want to use SIMD 17 | -DSTM32F4 18 | 19 | - end of file - 20 | -------------------------------------------------------------------------------- /Implementations/software/python/ROMULUS_H.py: -------------------------------------------------------------------------------- 1 | 2 | # ROMULUS-H Python Implementation 3 | 4 | # Copyright 2020: 5 | # Thomas Peyrin 6 | 7 | # This program is free software; you can redistribute it and/or 8 | # modify it under the terms of the GNU General Public License as 9 | # published by the Free Software Foundation; either version 2 of the 10 | # License, or (at your option) any later version. 11 | 12 | # This program is distributed in the hope that it will be useful, but 13 | # WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | # General Public License for more details. 16 | 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 20 | # 02110-1301, USA. 21 | 22 | from SKINNY_128_384_plus import * 23 | import math 24 | 25 | # #################################################################### 26 | # # ROMULUS-H 27 | # #################################################################### 28 | 29 | 30 | # # ROMULUS-HASH 31 | M_LENGTH = 32 32 | 33 | # function that implements the Hash function 34 | # inputs: M the message 35 | # outputs: the 256-bit hash value 36 | def crypto_hash(M): 37 | L = [0] * 16 38 | R = [0] * 16 39 | M_pad = M + [0]*(M_LENGTH - 1 - (len(M) % M_LENGTH)) + [(len(M) % M_LENGTH)] 40 | for i in range(0,len(M_pad),M_LENGTH): 41 | if i==len(M_pad)-M_LENGTH: L[0] = L[0] ^ 0x02 42 | L_new = skinny_enc(L, R + M_pad[i:i+M_LENGTH]) 43 | for j in range(0,len(L)): L_new[j] = L_new[j] ^ L[j] 44 | L[0] = L[0] ^ 0x01 45 | R_new = skinny_enc(L, R + M_pad[i:i+M_LENGTH]) 46 | for j in range(0,len(R)): R_new[j] = R_new[j] ^ L[j] 47 | L = L_new.copy() 48 | R = R_new.copy() 49 | 50 | return L + R 51 | 52 | 53 | -------------------------------------------------------------------------------- /Implementations/software/python/ROMULUS_M.py: -------------------------------------------------------------------------------- 1 | 2 | # ROMULUS-M Python Implementation 3 | 4 | # Copyright 2020: 5 | # Thomas Peyrin 6 | 7 | # This program is free software; you can redistribute it and/or 8 | # modify it under the terms of the GNU General Public License as 9 | # published by the Free Software Foundation; either version 2 of the 10 | # License, or (at your option) any later version. 11 | 12 | # This program is distributed in the hope that it will be useful, but 13 | # WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | # General Public License for more details. 16 | 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 20 | # 02110-1301, USA. 21 | 22 | from SKINNY_128_384_plus import * 23 | import math 24 | 25 | # #################################################################### 26 | # # ROMULUS-M 27 | # #################################################################### 28 | 29 | # # ROMULUS-M 30 | T_LENGTH = 16 31 | COUNTER_LENGTH = 7 32 | MEMBER_MASK = 32 33 | 34 | 35 | N_LENGTH = T_LENGTH 36 | 37 | def increase_counter(counter): 38 | if counter[COUNTER_LENGTH - 1] & 0x80 != 0: mask = 0x95 39 | else: mask = 0 40 | for i in reversed(range(1, COUNTER_LENGTH)): 41 | counter[i] = ((counter[i] << 1) & 0xfe) ^ (counter[i - 1] >> 7) 42 | counter[0] = ((counter[0] << 1) & 0xfe) ^ mask 43 | return counter 44 | 45 | 46 | def parse(L_in,x): 47 | L_out = [] 48 | cursor = 0 49 | while len(L_in) - cursor >= x: 50 | L_out.extend([L_in[cursor:cursor+x]]) 51 | cursor = cursor + x 52 | if len(L_in) - cursor > 0: 53 | L_out.extend([L_in[cursor:]]) 54 | if L_in == []: 55 | L_out = [[]] 56 | L_out.insert(0,[]) 57 | return L_out 58 | 59 | 60 | def pad(x, pad_length): 61 | if len(x) == 0: 62 | return [0] * pad_length 63 | if len(x) == pad_length: 64 | return x[:] 65 | y = x[:] 66 | for _ in range(pad_length - len(x) - 1): 67 | y.append(0) 68 | y.append(len(x)) 69 | return y 70 | 71 | def G(A): 72 | return [(x >> 1) ^ ((x ^ x << 7) & 0x80) for x in A] 73 | 74 | 75 | def rho(S, M): 76 | G_S = G(S) 77 | C = [M[i] ^ G_S[i] for i in range(16)] 78 | S_prime = [S[i] ^ M[i] for i in range(16)] 79 | return S_prime, C 80 | 81 | 82 | def rho_inv(S, C): 83 | G_S = G(S) 84 | M = [C[i] ^ G_S[i] for i in range(16)] 85 | S_prime = [S[i] ^ M[i] for i in range(16)] 86 | return S_prime, M 87 | 88 | 89 | def tk_encoding(counter, b, t, k): 90 | return counter + [b ^ MEMBER_MASK] + [0] * 8 + t + k 91 | 92 | 93 | # function that implements the AE encryption 94 | # inputs: M the message, A the associated data, N the nonce, K the key 95 | # outputs: C the ciphertext (the last 16 bytes representing the authentication tag) 96 | def crypto_aead_encrypt(M, A, N, K): 97 | S = [0] * 16 98 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 99 | 100 | A_parsed = parse(A,16) 101 | a = len(A_parsed)-1 102 | M_parsed = parse(M,16) 103 | m = len(M_parsed)-1 104 | X = A_parsed[1:] + M_parsed[1:] 105 | X.insert(0,[]) 106 | 107 | w = 16 108 | if len(X[a]) < 16: w = w ^ 2 109 | if len(X[a+m]) < 16: w = w ^ 1 110 | if a%2 == 0: w = w ^ 8 111 | if m%2 == 0: w = w ^ 4 112 | 113 | X[a] = pad(X[a],16) 114 | X[a+m] = pad(X[a+m],16) 115 | 116 | x = 8 117 | 118 | for i in range(1,math.floor((a+m)/2)+1): 119 | S, _ = rho(S, X[2*i-1]) 120 | counter = increase_counter(counter) 121 | if i == math.floor(a/2)+1: x = x ^ 4 122 | S = skinny_enc(S, tk_encoding(counter, x, X[2*i], K)) 123 | counter = increase_counter(counter) 124 | 125 | 126 | if a%2 == m%2: S, _ = rho(S, [0]*16) 127 | else: 128 | S, _ = rho(S, X[a+m]) 129 | counter = increase_counter(counter) 130 | S = skinny_enc(S, tk_encoding(counter, w, N, K)) 131 | _, T = rho(S, [0]*16) 132 | 133 | if len(M) == 0: return T 134 | S = T[:] 135 | C = [] 136 | 137 | z = len(M_parsed[m]) 138 | M_parsed[m] = pad(M_parsed[m],16) 139 | 140 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 141 | 142 | for i in range(1,m+1): 143 | S = skinny_enc(S, tk_encoding(counter, 4, N, K)) 144 | S, X = rho(S, M_parsed[i]) 145 | counter = increase_counter(counter) 146 | if i 6 | 7 | # This program is free software; you can redistribute it and/or 8 | # modify it under the terms of the GNU General Public License as 9 | # published by the Free Software Foundation; either version 2 of the 10 | # License, or (at your option) any later version. 11 | 12 | # This program is distributed in the hope that it will be useful, but 13 | # WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | # General Public License for more details. 16 | 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 20 | # 02110-1301, USA. 21 | 22 | from SKINNY_128_384_plus import * 23 | import math 24 | 25 | # #################################################################### 26 | # # ROMULUS-N 27 | # #################################################################### 28 | 29 | # # ROMULUS-N 30 | T_LENGTH = 16 31 | COUNTER_LENGTH = 7 32 | MEMBER_MASK = 0 33 | 34 | def increase_counter(counter): 35 | if counter[COUNTER_LENGTH - 1] & 0x80 != 0: mask = 0x95 36 | else: mask = 0 37 | for i in reversed(range(1, COUNTER_LENGTH)): 38 | counter[i] = ((counter[i] << 1) & 0xfe) ^ (counter[i - 1] >> 7) 39 | counter[0] = ((counter[0] << 1) & 0xfe) ^ mask 40 | return counter 41 | 42 | 43 | def parse(L_in,x): 44 | L_out = [] 45 | cursor = 0 46 | while len(L_in) - cursor >= x: 47 | L_out.extend([L_in[cursor:cursor+x]]) 48 | cursor = cursor + x 49 | if len(L_in) - cursor > 0: 50 | L_out.extend([L_in[cursor:]]) 51 | if L_in == []: 52 | L_out = [[]] 53 | L_out.insert(0,[]) 54 | return L_out 55 | 56 | 57 | def pad(x, pad_length): 58 | if len(x) == 0: 59 | return [0] * pad_length 60 | if len(x) == pad_length: 61 | return x[:] 62 | y = x[:] 63 | for _ in range(pad_length - len(x) - 1): 64 | y.append(0) 65 | y.append(len(x)) 66 | return y 67 | 68 | 69 | def G(A): 70 | return [(x >> 1) ^ ((x ^ x << 7) & 0x80) for x in A] 71 | 72 | 73 | def rho(S, M): 74 | G_S = G(S) 75 | C = [M[i] ^ G_S[i] for i in range(16)] 76 | S_prime = [S[i] ^ M[i] for i in range(16)] 77 | return S_prime, C 78 | 79 | 80 | def rho_inv(S, C): 81 | G_S = G(S) 82 | M = [C[i] ^ G_S[i] for i in range(16)] 83 | S_prime = [S[i] ^ M[i] for i in range(16)] 84 | return S_prime, M 85 | 86 | 87 | def tk_encoding(counter, b, t, k): 88 | return counter + [b ^ MEMBER_MASK] + [0] * 8 + t + k 89 | 90 | 91 | # function that implements the AE encryption 92 | # inputs: M the message, A the associated data, N the nonce, K the key 93 | # outputs: C the ciphertext (the last 16 bytes representing the authentication tag) 94 | def crypto_aead_encrypt(M, A, N, K): 95 | S = [0] * 16 96 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 97 | A_parsed = parse(A,16) 98 | a = len(A_parsed)-1 99 | if len(A_parsed[a]) < 16: wa = 26 100 | else: wa = 24 101 | A_parsed[a] = pad(A_parsed[a],16) 102 | for i in range(1,math.floor(a/2)+1): 103 | S, _ = rho(S, A_parsed[2*i-1]) 104 | counter = increase_counter(counter) 105 | S = skinny_enc(S, tk_encoding(counter, 8, A_parsed[2*i], K)) 106 | counter = increase_counter(counter) 107 | 108 | if a%2==0: V = [0]*16 109 | else: 110 | V = A_parsed[a] 111 | counter = increase_counter(counter) 112 | S, _ = rho(S, V) 113 | S = skinny_enc(S, tk_encoding(counter, wa, N, K)) 114 | 115 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 116 | C = [] 117 | M_parsed = parse(M,16) 118 | m = len(M_parsed)-1 119 | if len(M_parsed[m]) < 16: wm = 21 120 | else: wm = 20 121 | for i in range(1,m): 122 | S, x = rho(S, M_parsed[i]) 123 | counter = increase_counter(counter) 124 | C.extend(x) 125 | S = skinny_enc(S, tk_encoding(counter, 4, N, K)) 126 | 127 | M_prime = pad(M_parsed[m],16) 128 | S, x = rho(S, M_prime) 129 | counter = increase_counter(counter) 130 | C.extend(x[:len(M_parsed[m])]) 131 | S = skinny_enc(S, tk_encoding(counter, wm, N, K)) 132 | S, T = rho(S, [0] * 16) 133 | C.extend(T) 134 | return C 135 | 136 | 137 | # function that implements the AE decryption 138 | # inputs: C the ciphertext (the last 16 bytes representing the authentication tag), A the associated data, N the nonce, K the key 139 | # outputs: (0,M) with M the message if the tag is verified, returns (-1,[]) otherwise 140 | def crypto_aead_decrypt(C, A, N, K): 141 | S = [0] * 16 142 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 143 | A_parsed = parse(A,16) 144 | a = len(A_parsed)-1 145 | if len(A_parsed[a]) < 16: wa = 26 146 | else: wa = 24 147 | A_parsed[a] = pad(A_parsed[a],16) 148 | for i in range(1,math.floor(a/2)+1): 149 | S, _ = rho(S, A_parsed[2*i-1]) 150 | counter = increase_counter(counter) 151 | S = skinny_enc(S, tk_encoding(counter, 8, A_parsed[2*i], K)) 152 | counter = increase_counter(counter) 153 | 154 | if a%2==0: V = [0]*16 155 | else: 156 | V = A_parsed[a] 157 | counter = increase_counter(counter) 158 | S, _ = rho(S, V) 159 | S = skinny_enc(S, tk_encoding(counter, wa, N, K)) 160 | 161 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 162 | M = [] 163 | T = C[-16:] 164 | C[-16:] = [] 165 | C_parsed = parse(C,16) 166 | c = len(C_parsed)-1 167 | if len(C_parsed[c]) < 16: wc = 21 168 | else: wc = 20 169 | for i in range(1,c): 170 | S, x = rho_inv(S, C_parsed[i]) 171 | counter = increase_counter(counter) 172 | M.extend(x) 173 | S = skinny_enc(S, tk_encoding(counter, 4, N, K)) 174 | 175 | S_tilde = G(S[:]) 176 | l = len(C_parsed[c]) 177 | S_tilde = [0]*l + S_tilde[l-16:] 178 | C_prime = pad(C_parsed[c],16) 179 | for i in range(16): 180 | C_prime[i] = C_prime[i] ^ S_tilde[i] 181 | S, x = rho_inv(S, C_prime) 182 | counter = increase_counter(counter) 183 | M.extend(x[:len(C_parsed[c])]) 184 | S = skinny_enc(S, tk_encoding(counter, wc, N, K)) 185 | S, T_computed = rho(S, [0] * 16) 186 | compare = 0 187 | for i in range(16): 188 | compare |= (T[i] ^ T_computed[i]) 189 | 190 | if compare != 0: 191 | return -1, [] 192 | else: 193 | return 0, M 194 | -------------------------------------------------------------------------------- /Implementations/software/python/ROMULUS_T.py: -------------------------------------------------------------------------------- 1 | 2 | # ROMULUS-T Python Implementation 3 | 4 | # Copyright 2021: 5 | # Thomas Peyrin 6 | 7 | # This program is free software; you can redistribute it and/or 8 | # modify it under the terms of the GNU General Public License as 9 | # published by the Free Software Foundation; either version 2 of the 10 | # License, or (at your option) any later version. 11 | 12 | # This program is distributed in the hope that it will be useful, but 13 | # WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | # General Public License for more details. 16 | 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 20 | # 02110-1301, USA. 21 | 22 | from SKINNY_128_384_plus import * 23 | from ROMULUS_H import crypto_hash 24 | import math 25 | 26 | # #################################################################### 27 | # # ROMULUS-T 28 | # #################################################################### 29 | 30 | # # ROMULUS-T 31 | COUNTER_LENGTH = 7 32 | MEMBER_MASK = 64 33 | 34 | 35 | def increase_counter(counter): 36 | if counter[COUNTER_LENGTH - 1] & 0x80 != 0: mask = 0x95 37 | else: mask = 0 38 | for i in reversed(range(1, COUNTER_LENGTH)): 39 | counter[i] = ((counter[i] << 1) & 0xfe) ^ (counter[i - 1] >> 7) 40 | counter[0] = ((counter[0] << 1) & 0xfe) ^ mask 41 | return counter 42 | 43 | 44 | def parse(L_in,x): 45 | L_out = [] 46 | cursor = 0 47 | while len(L_in) - cursor >= x: 48 | L_out.extend([L_in[cursor:cursor+x]]) 49 | cursor = cursor + x 50 | if len(L_in) - cursor > 0: 51 | L_out.extend([L_in[cursor:]]) 52 | if L_in == []: 53 | L_out = [[]] 54 | L_out.insert(0,[]) 55 | return L_out 56 | 57 | 58 | def ipad_star(x, pad_length): 59 | if len(x) == 0: return x 60 | return x + [0]*(pad_length - 1 - (len(x) % pad_length)) + [(len(x) % pad_length)] 61 | 62 | 63 | def tk_encoding(counter, b, t, k): 64 | return counter + [b ^ MEMBER_MASK] + [0] * 8 + t + k 65 | 66 | 67 | # function that implements the AE encryption 68 | # inputs: M the message, A the associated data, N the nonce, K the key 69 | # outputs: C the ciphertext (the last 16 bytes representing the authentication tag) 70 | def crypto_aead_encrypt(M, A, N, K): 71 | S = [0] * 16 72 | C = [] 73 | m = 0 74 | 75 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 76 | 77 | if M != []: 78 | M_parsed = parse(M,16) 79 | m = len(M_parsed)-1 80 | S = skinny_enc(N, tk_encoding([0] * COUNTER_LENGTH, 2, [0] * 16, K)) 81 | for i in range(1,m): 82 | X = skinny_enc(N, tk_encoding(counter, 0, [0] * 16, S)) 83 | C.extend([X[u] ^ M[16*(i-1)+u] for u in range(16)]) 84 | S = skinny_enc(N, tk_encoding(counter, 1, [0] * 16, S)) 85 | counter = increase_counter(counter) 86 | 87 | X = skinny_enc(N, tk_encoding(counter, 0, [0] * 16, S)) 88 | C.extend([X[u] ^ M_parsed[m][u] for u in range(len(M_parsed[m]))]) 89 | counter = increase_counter(counter) 90 | 91 | H = crypto_hash(ipad_star(A,16) + ipad_star(C,16) + N + counter) 92 | T = skinny_enc(H[0:16], tk_encoding([0] * COUNTER_LENGTH, 4, H[16:32], K)) 93 | C.extend(T) 94 | return C 95 | 96 | 97 | 98 | # function that implements the AE decryption 99 | # inputs: C the ciphertext (the last 16 bytes representing the authentication tag), A the associated data, N the nonce, K the key 100 | # outputs: (0,M) with M the message if the tag is verified, returns (-1,[]) otherwise 101 | def crypto_aead_decrypt(C, A, N, K): 102 | S = [0] * 16 103 | T = C[-16:] 104 | C[-16:] = [] 105 | M = [] 106 | 107 | c = int((len(C)+15 - ((len(C)+15)%16))/16) 108 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 109 | for i in range(0,c): counter = increase_counter(counter) 110 | H = crypto_hash(ipad_star(A,16) + ipad_star(C,16) + N + counter) 111 | T_computed = skinny_enc(H[0:16], tk_encoding([0] * COUNTER_LENGTH, 4, H[16:32], K)) 112 | compare = 0 113 | for i in range(16): 114 | compare |= (T[i] ^ T_computed[i]) 115 | 116 | if compare != 0: 117 | return -1, [] 118 | else: 119 | if C == []: return 0, M 120 | 121 | S = skinny_enc(N, tk_encoding([0] * COUNTER_LENGTH, 2, [0] * 16, K)) 122 | counter = [1] + [0] * (COUNTER_LENGTH - 1) 123 | for i in range(1,c): 124 | X = skinny_enc(N, tk_encoding(counter, 0, [0] * 16, S)) 125 | M.extend([X[u] ^ C[16*(i-1)+u] for u in range(16)]) 126 | S = skinny_enc(N, tk_encoding(counter, 1, [0] * 16, S)) 127 | counter = increase_counter(counter) 128 | 129 | X = skinny_enc(N, tk_encoding(counter, 0, [0] * 16, S)) 130 | M.extend([X[u] ^ C[16*(c-1)+u] for u in range(1+((len(C)+15)%16))]) 131 | 132 | return 0, M 133 | 134 | -------------------------------------------------------------------------------- /Implementations/software/python/SKINNY_128_384_plus_constant_time.py: -------------------------------------------------------------------------------- 1 | # Skinny-128-384+ constant time Python Implementation 2 | 3 | # Copyright 2020: 4 | # Thomas Peyrin 5 | 6 | # This program is free software; you can redistribute it and/or 7 | # modify it under the terms of the GNU General Public License as 8 | # published by the Free Software Foundation; either version 2 of the 9 | # License, or (at your option) any later version. 10 | 11 | # This program is distributed in the hope that it will be useful, but 12 | # WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | # General Public License for more details. 15 | 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program; if not, write to the Free Software 18 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19 | # 02110-1301, USA. 20 | 21 | # constants in Skinny-128-384+ 22 | c = [0x01,0x03,0x07,0x0F,0x1F,0x3E,0x3D,0x3B,0x37,0x2F,0x1E,0x3C,0x39,0x33,0x27,0x0E,0x1D,0x3A,0x35,0x2B,0x16,0x2C,0x18,0x30,0x21,0x02,0x05,0x0B,0x17,0x2E,0x1C,0x38,0x31,0x23,0x06,0x0D,0x1B,0x36,0x2D,0x1A] 23 | 24 | # PT permutation in Skinny-128-384+ 25 | PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] 26 | 27 | 28 | ROUNDS = 40 29 | TAB_TWEAK_LENGTH = 48 30 | 31 | # functions that implement the Skinny-128-384+ TBC encryption 32 | def skinny_enc(plaintext, tweakey): 33 | 34 | tk = [[0]*TWEAK_LENGTH]*(ROUNDS+1) 35 | 36 | s = [plaintext[i] for i in range(16)] 37 | tk[0] = [tweakey[i] for i in range(TWEAK_LENGTH)] 38 | 39 | for i in range(ROUNDS-1): 40 | tk[i+1] = tk[i][:] 41 | for j in range(TWEAK_LENGTH): tk[i+1][j] = tk[i][j-j%16+PT[j%16]] 42 | for j in range(8): 43 | tk[i+1][j+16] = ((tk[i+1][j+16]<<1)&0xfe) ^ (((tk[i+1][j+16]>>7) ^ (tk[i+1][j+16]>>5))&0x1) 44 | tk[i+1][j+32] = (tk[i+1][j+32]>>1) ^ (((tk[i+1][j+32]<<7) ^ (tk[i+1][j+32]<<1))&0x80) 45 | 46 | for i in range(ROUNDS): 47 | 48 | for j in range(16): 49 | for k in range(3): 50 | s[j] ^= (((s[j]>>3) | (s[j]>>2))&0x11) ^ 0x11 51 | s[j] = ((s[j]>>2)&0x32) ^ ((s[j]<<5)&0xc0) ^ ((s[j]<<2)&0x04) ^ ((s[j]>>1)&0x08) ^ ((s[j]>>5)&0x01) 52 | s[j] ^= (((s[j]>>3) | (s[j]>>2))&0x11) ^ 0x11 53 | s[j] ^= (s[j] & 0x06) ^ ((s[j]>>1)&0x02) ^ ((s[j]<<1)&0x04) 54 | 55 | s[0] ^= c[i] & 0xf 56 | s[4] ^= (c[i]>>4) & 0xf 57 | s[8] ^= 0x2 58 | 59 | for j in range(8): s[j] ^= tk[i][j] 60 | for j in range(8): s[j] ^= tk[i][j+16] ^ tk[i][j+32] 61 | 62 | s[4], s[5], s[6], s[7] = s[7], s[4], s[5], s[6] 63 | s[8], s[9], s[10], s[11] = s[10], s[11], s[8], s[9] 64 | s[12], s[13], s[14], s[15] = s[13], s[14], s[15], s[12] 65 | 66 | for j in range(4): s[j], s[4+j], s[8+j], s[12+j] = s[j] ^ s[8+j] ^ s[12+j] , s[j], s[4+j] ^ s[8+j] , s[0+j] ^ s[8+j] 67 | 68 | ciphertext = [s[i] for i in range(16)] 69 | 70 | return ciphertext 71 | 72 | 73 | # function that implements the Skinny-128-384+ TBC decryption 74 | def skinny_dec(ciphertext, tweakey): 75 | 76 | tk = [[0]*TWEAK_LENGTH]*ROUNDS 77 | 78 | s = [ciphertext[i] for i in range(16)] 79 | tk[0] = [tweakey[i] for i in range(TWEAK_LENGTH)] 80 | 81 | for i in range(ROUNDS-1): 82 | tk[i+1] = tk[i][:] 83 | for j in range(TWEAK_LENGTH): tk[i+1][j] = tk[i][j-j%16+PT[j%16]] 84 | for j in range(8): 85 | tk[i+1][j+16] = ((tk[i+1][j+16]<<1)&0xfe) ^ (((tk[i+1][j+16]>>7) ^ (tk[i+1][j+16]>>5))&0x1) 86 | tk[i+1][j+32] = (tk[i+1][j+32]>>1) ^ (((tk[i+1][j+32]<<7) ^ (tk[i+1][j+32]<<1))&0x80) 87 | 88 | for i in reversed(range(ROUNDS)): 89 | 90 | for j in range(4): s[j], s[4+j], s[8+j], s[12+j] = s[4+j] , s[4+j] ^ s[8+j] ^ s[12+j] , s[4+j] ^ s[12+j], s[j] ^ s[12+j] 91 | 92 | s[4], s[5], s[6], s[7] = s[5], s[6], s[7], s[4] 93 | s[8], s[9], s[10], s[11] = s[10], s[11], s[8], s[9] 94 | s[12], s[13], s[14], s[15] = s[15], s[12], s[13], s[14] 95 | 96 | for j in range(8): s[j] ^= tk[i][j] 97 | for j in range(8): s[j] ^= tk[i][j+16] ^ tk[i][j+32] 98 | 99 | s[0] ^= c[i] & 0xf 100 | s[4] ^= (c[i]>>4) & 0xf 101 | s[8] ^= 0x2 102 | 103 | for j in range(16): 104 | s[j] ^= (s[j] & 0x06) ^ ((s[j]>>1)&0x02) ^ ((s[j]<<1)&0x04) 105 | s[j] ^= (((s[j]>>3) | (s[j]>>2))&0x11) ^ 0x11 106 | for k in range(3): 107 | s[j] = ((s[j]<<2)&0xc8) ^ ((s[j]>>5)&0x06) ^ ((s[j]>>2)&0x01) ^ ((s[j]<<5)&0x20) ^ ((s[j]<<1)&0x10) 108 | s[j] ^= (((s[j]>>3) | (s[j]>>2))&0x11) ^ 0x11 109 | 110 | plaintext = [s[i] for i in range(16)] 111 | 112 | return plaintext 113 | 114 | 115 | # to print some internal state 116 | def print_state(s,tk): 117 | print("\nstate : " + "".join('{:02x}'.format(_) for _ in s)) 118 | print("TK1 : " + "".join('{:02x}'.format(_) for _ in tk[0:16])) 119 | if len(tk)>16: print("TK2 : " + "".join('{:02x}'.format(_) for _ in tk[16:32])) 120 | if len(tk)>32: print("TK3 : " + "".join('{:02x}'.format(_) for _ in tk[32:48])) 121 | 122 | 123 | # to generate test vectors and decryption 124 | def test_vectors(plaintext,key): 125 | ct = skinny_enc(plaintext,key) 126 | print("\nEncryption of " + "".join('{:02x}'.format(_) for _ in plaintext)) 127 | print("with key " + "".join('{:02x}'.format(_) for _ in key)) 128 | print("gives " + "".join('{:02x}'.format(_) for _ in ct)) 129 | pt = skinny_dec(ct,key) 130 | print("Decryption: " + "".join('{:02x}'.format(_) for _ in pt)) 131 | 132 | 133 | plaintext = [0xa3,0x99,0x4b,0x66,0xad,0x85,0xa3,0x45,0x9f,0x44,0xe9,0x2b,0x08,0xf5,0x50,0xcb] 134 | key = [0xdf,0x88,0x95,0x48,0xcf,0xc7,0xea,0x52,0xd2,0x96,0x33,0x93,0x01,0x79,0x74,0x49,0xab,0x58,0x8a,0x34,0xa4,0x7f,0x1a,0xb2,0xdf,0xe9,0xc8,0x29,0x3f,0xbe,0xa9,0xa5,0xab,0x1a,0xfa,0xc2,0x61,0x10,0x12,0xcd,0x8c,0xef,0x95,0x26,0x18,0xc3,0xeb,0xe8] 135 | test_vectors(plaintext,key) 136 | -------------------------------------------------------------------------------- /Implementations/software/python/genkat_aead.py: -------------------------------------------------------------------------------- 1 | # for generation of Romulus-N test vectors 2 | #from ROMULUS_N import * 3 | #filename = "Python_AEAD_KAT_ROMULUS-N.txt" 4 | 5 | # for generation of Romulus-M test vectors 6 | #from ROMULUS_M import * 7 | #filename = "Python_AEAD_KAT_ROMULUS-M.txt" 8 | 9 | # for generation of Romulus-T test vectors 10 | from ROMULUS_T import * 11 | filename = "Python_AEAD_KAT_ROMULUS-T.txt" 12 | 13 | MAX_MESSAGE_LENGTH = 32 14 | MAX_ASSOCIATED_DATA_LENGTH = 32 15 | 16 | CRYPTO_KEYBYTES = 16 17 | CRYPTO_NPUBBYTES = 16 18 | CRYPTO_ABYTES = 16 19 | 20 | fic = open(filename, "w") 21 | 22 | count = 0 23 | for mlen in range(MAX_MESSAGE_LENGTH+1): 24 | for adlen in range(MAX_ASSOCIATED_DATA_LENGTH+1): 25 | count += 1 26 | 27 | key = [i%256 for i in range(CRYPTO_KEYBYTES)] 28 | nonce = [i%256 for i in range(CRYPTO_NPUBBYTES)] 29 | msg = [i%256 for i in range(mlen)] 30 | ad = [i%256 for i in range(adlen)] 31 | 32 | print("\n\n***************************************** \n Count = %i" %(count)) 33 | 34 | fic.write("Count = {}".format(count) + "\n") 35 | fic.write("Key = " + "".join("{:02X}".format(_) for _ in key) + "\n") 36 | fic.write("Nonce = " + "".join("{:02X}".format(_) for _ in nonce) + "\n") 37 | fic.write("PT = " + "".join("{:02X}".format(_) for _ in msg) + "\n") 38 | fic.write("AD = " + "".join("{:02X}".format(_) for _ in ad) + "\n") 39 | 40 | print("\n-------- ENCRYPT --------\n") 41 | ct = crypto_aead_encrypt(msg, ad, nonce, key) 42 | 43 | fic.write("CT = " + "".join("{:02X}".format(_) for _ in ct) + "\n") 44 | fic.write("" + "\n") 45 | 46 | print("\n-------- DECRYPT --------\n") 47 | ret, msg2 = crypto_aead_decrypt(ct, ad, nonce, key) 48 | 49 | print("ret = %i" %(ret)) 50 | print("msg =") 51 | print(msg) 52 | print("ct =") 53 | print(ct) 54 | print("msg2 =") 55 | print(msg2) 56 | 57 | if ret: 58 | fic.write("Error: crypto_aead_decrypt returned non-zero (ret={}).".format(ret) + "\n") 59 | exit(1) 60 | 61 | if msg != msg2: 62 | fic.write("Error: crypto_aead_decrypt did not recover the plaintext" + "\n") 63 | exit(1) 64 | 65 | mlen = 243 66 | adlen = 147 67 | count += 1 68 | key = [i%256 for i in range(CRYPTO_KEYBYTES)] 69 | nonce = [i%256 for i in range(CRYPTO_NPUBBYTES)] 70 | msg = [i%256 for i in range(mlen)] 71 | ad = [i%256 for i in range(adlen)] 72 | 73 | print("\n\n***************************************** \n Count = %i" %(count)) 74 | 75 | fic.write("Count = {}".format(count) + "\n") 76 | fic.write("Key = " + "".join("{:02X}".format(_) for _ in key) + "\n") 77 | fic.write("Nonce = " + "".join("{:02X}".format(_) for _ in nonce) + "\n") 78 | fic.write("PT = " + "".join("{:02X}".format(_) for _ in msg) + "\n") 79 | fic.write("AD = " + "".join("{:02X}".format(_) for _ in ad) + "\n") 80 | 81 | print("\n-------- ENCRYPT --------\n") 82 | ct = crypto_aead_encrypt(msg, ad, nonce, key) 83 | 84 | fic.write("CT = " + "".join("{:02X}".format(_) for _ in ct) + "\n") 85 | fic.write("" + "\n") 86 | 87 | print("\n-------- DECRYPT --------\n") 88 | ret, msg2 = crypto_aead_decrypt(ct, ad, nonce, key) 89 | 90 | print("ret = %i" %(ret)) 91 | print("msg =") 92 | print(msg) 93 | print("ct =") 94 | print(ct) 95 | print("msg2 =") 96 | print(msg2) 97 | 98 | if ret: 99 | fic.write("Error: crypto_aead_decrypt returned non-zero (ret={}).".format(ret) + "\n") 100 | exit(1) 101 | 102 | if msg != msg2: 103 | fic.write("Error: crypto_aead_decrypt did not recover the plaintext" + "\n") 104 | exit(1) 105 | 106 | fic.close() 107 | #t = input("press key") 108 | -------------------------------------------------------------------------------- /Implementations/software/python/genkat_hash.py: -------------------------------------------------------------------------------- 1 | # for generation of Romulus-H test vectors 2 | from ROMULUS_H import * 3 | filename = "Python_HASH_KAT_ROMULUS-H.txt" 4 | 5 | MAX_MESSAGE_LENGTH = 128 6 | 7 | fic = open(filename, "w") 8 | 9 | count = 0 10 | for mlen in range(MAX_MESSAGE_LENGTH+1): 11 | count += 1 12 | msg = [i%256 for i in range(mlen)] 13 | 14 | print("\n\n***************************************** \n Count = %i" %(count)) 15 | 16 | fic.write("Count = {}".format(count) + "\n") 17 | fic.write("Msg = " + "".join("{:02X}".format(_) for _ in msg) + "\n") 18 | 19 | hash_value = crypto_hash(msg) 20 | 21 | fic.write("MD = " + "".join("{:02X}".format(_) for _ in hash_value) + "\n") 22 | fic.write("" + "\n") 23 | 24 | count += 1 25 | mlen = 247 26 | msg = [i%256 for i in range(mlen)] 27 | 28 | print("\n\n***************************************** \n Count = %i" %(count)) 29 | 30 | fic.write("Count = {}".format(count) + "\n") 31 | fic.write("Msg = " + "".join("{:02X}".format(_) for _ in msg) + "\n") 32 | 33 | hash_value = crypto_hash(msg) 34 | 35 | fic.write("MD = " + "".join("{:02X}".format(_) for _ in hash_value) + "\n") 36 | fic.write("" + "\n") 37 | 38 | fic.close() 39 | #t = input("press key") 40 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M1/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 16 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M1/crypto_aead.h: -------------------------------------------------------------------------------- 1 | extern int crypto_aead_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | extern int crypto_aead_decrypt( 10 | unsigned char *m,unsigned long long *mlen, 11 | unsigned char *nsec, 12 | const unsigned char *c,unsigned long long clen, 13 | const unsigned char *ad,unsigned long long adlen, 14 | const unsigned char *npub, 15 | const unsigned char *k 16 | ); 17 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M1/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M1/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | //for (unsigned long long mlen = 0; (mlen <= 32) && (ret_val == KAT_SUCCESS); mlen++) { 97 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 98 | //for (unsigned long long adlen = 0; adlen <= 32; adlen++) { 99 | 100 | printf("%0d\n", (int)clen); 101 | 102 | fprintf(fp, "Count = %d\n", count++); 103 | printf("Count = %d\n", count - 1); 104 | 105 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 106 | 107 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 108 | 109 | fprint_bstr(fp, "PT = ", msg, mlen); 110 | 111 | fprint_bstr(fp, "AD = ", ad, adlen); 112 | 113 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 114 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 115 | ret_val = KAT_CRYPTO_FAILURE; 116 | break; 117 | } 118 | 119 | fprint_bstr(fp, "CT = ", ct, clen); 120 | 121 | fprintf(fp, "\n"); 122 | 123 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 124 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 125 | ret_val = KAT_CRYPTO_FAILURE; 126 | break; 127 | } 128 | 129 | if (mlen != mlen2) { 130 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 131 | ret_val = KAT_CRYPTO_FAILURE; 132 | break; 133 | } 134 | 135 | if (memcmp(msg, msg2, mlen)) { 136 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 137 | ret_val = KAT_CRYPTO_FAILURE; 138 | break; 139 | } 140 | } 141 | } 142 | 143 | fclose(fp); 144 | 145 | return ret_val; 146 | } 147 | 148 | 149 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 150 | { 151 | fprintf(fp, "%s", label); 152 | 153 | for (unsigned long long i = 0; i < length; i++) 154 | fprintf(fp, "%02X", data[i]); 155 | 156 | fprintf(fp, "\n"); 157 | } 158 | 159 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 160 | { 161 | for (unsigned long long i = 0; i < numbytes; i++) 162 | buffer[i] = (unsigned char)i; 163 | } 164 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M1/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M1/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M2/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 12 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M2/crypto_aead.h: -------------------------------------------------------------------------------- 1 | extern int crypto_aead_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | extern int crypto_aead_decrypt( 10 | unsigned char *m,unsigned long long *mlen, 11 | unsigned char *nsec, 12 | const unsigned char *c,unsigned long long clen, 13 | const unsigned char *ad,unsigned long long adlen, 14 | const unsigned char *npub, 15 | const unsigned char *k 16 | ); 17 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M2/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M2/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | //for (unsigned long long mlen = 0; (mlen <= 32) && (ret_val == KAT_SUCCESS); mlen++) { 97 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 98 | //for (unsigned long long adlen = 0; adlen <= 32; adlen++) { 99 | 100 | printf("%0d\n", (int)clen); 101 | 102 | fprintf(fp, "Count = %d\n", count++); 103 | printf("Count = %d\n", count - 1); 104 | 105 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 106 | 107 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 108 | 109 | fprint_bstr(fp, "PT = ", msg, mlen); 110 | 111 | fprint_bstr(fp, "AD = ", ad, adlen); 112 | 113 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 114 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 115 | ret_val = KAT_CRYPTO_FAILURE; 116 | break; 117 | } 118 | 119 | fprint_bstr(fp, "CT = ", ct, clen); 120 | 121 | fprintf(fp, "\n"); 122 | 123 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 124 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 125 | ret_val = KAT_CRYPTO_FAILURE; 126 | break; 127 | } 128 | 129 | if (mlen != mlen2) { 130 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 131 | ret_val = KAT_CRYPTO_FAILURE; 132 | break; 133 | } 134 | 135 | if (memcmp(msg, msg2, mlen)) { 136 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 137 | ret_val = KAT_CRYPTO_FAILURE; 138 | break; 139 | } 140 | } 141 | } 142 | 143 | fclose(fp); 144 | 145 | return ret_val; 146 | } 147 | 148 | 149 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 150 | { 151 | fprintf(fp, "%s", label); 152 | 153 | for (unsigned long long i = 0; i < length; i++) 154 | fprintf(fp, "%02X", data[i]); 155 | 156 | fprintf(fp, "\n"); 157 | } 158 | 159 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 160 | { 161 | for (unsigned long long i = 0; i < numbytes; i++) 162 | buffer[i] = (unsigned char)i; 163 | } 164 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M2/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M2/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 12 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M3/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 12 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M3/crypto_aead.h: -------------------------------------------------------------------------------- 1 | extern int crypto_aead_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | extern int crypto_aead_decrypt( 10 | unsigned char *m,unsigned long long *mlen, 11 | unsigned char *nsec, 12 | const unsigned char *c,unsigned long long clen, 13 | const unsigned char *ad,unsigned long long adlen, 14 | const unsigned char *npub, 15 | const unsigned char *k 16 | ); 17 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M3/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M3/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | //for (unsigned long long mlen = 0; (mlen <= 32) && (ret_val == KAT_SUCCESS); mlen++) { 97 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 98 | //for (unsigned long long adlen = 0; adlen <= 32; adlen++) { 99 | 100 | printf("%0d\n", (int)clen); 101 | 102 | fprintf(fp, "Count = %d\n", count++); 103 | printf("Count = %d\n", count - 1); 104 | 105 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 106 | 107 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 108 | 109 | fprint_bstr(fp, "PT = ", msg, mlen); 110 | 111 | fprint_bstr(fp, "AD = ", ad, adlen); 112 | 113 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 114 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 115 | ret_val = KAT_CRYPTO_FAILURE; 116 | break; 117 | } 118 | 119 | fprint_bstr(fp, "CT = ", ct, clen); 120 | 121 | fprintf(fp, "\n"); 122 | 123 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 124 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 125 | ret_val = KAT_CRYPTO_FAILURE; 126 | break; 127 | } 128 | 129 | if (mlen != mlen2) { 130 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 131 | ret_val = KAT_CRYPTO_FAILURE; 132 | break; 133 | } 134 | 135 | if (memcmp(msg, msg2, mlen)) { 136 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 137 | ret_val = KAT_CRYPTO_FAILURE; 138 | break; 139 | } 140 | } 141 | } 142 | 143 | fclose(fp); 144 | 145 | return ret_val; 146 | } 147 | 148 | 149 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 150 | { 151 | fprintf(fp, "%s", label); 152 | 153 | for (unsigned long long i = 0; i < length; i++) 154 | fprintf(fp, "%02X", data[i]); 155 | 156 | fprintf(fp, "\n"); 157 | } 158 | 159 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 160 | { 161 | for (unsigned long long i = 0; i < numbytes; i++) 162 | buffer[i] = (unsigned char)i; 163 | } 164 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M3/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_256_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-M3/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 12 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N1/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 16 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N1/crypto_aead.h: -------------------------------------------------------------------------------- 1 | extern int crypto_aead_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | extern int crypto_aead_decrypt( 10 | unsigned char *m,unsigned long long *mlen, 11 | unsigned char *nsec, 12 | const unsigned char *c,unsigned long long clen, 13 | const unsigned char *ad,unsigned long long adlen, 14 | const unsigned char *npub, 15 | const unsigned char *k 16 | ); 17 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N1/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N1/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | //for (unsigned long long mlen = 0; (mlen <= 32) && (ret_val == KAT_SUCCESS); mlen++) { 97 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 98 | //for (unsigned long long adlen = 0; adlen <= 32; adlen++) { 99 | 100 | printf("%0d\n", (int)clen); 101 | 102 | fprintf(fp, "Count = %d\n", count++); 103 | printf("Count = %d\n", count - 1); 104 | 105 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 106 | 107 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 108 | 109 | fprint_bstr(fp, "PT = ", msg, mlen); 110 | 111 | fprint_bstr(fp, "AD = ", ad, adlen); 112 | 113 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 114 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 115 | ret_val = KAT_CRYPTO_FAILURE; 116 | break; 117 | } 118 | 119 | fprint_bstr(fp, "CT = ", ct, clen); 120 | 121 | fprintf(fp, "\n"); 122 | 123 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 124 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 125 | ret_val = KAT_CRYPTO_FAILURE; 126 | break; 127 | } 128 | 129 | if (mlen != mlen2) { 130 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 131 | ret_val = KAT_CRYPTO_FAILURE; 132 | break; 133 | } 134 | 135 | if (memcmp(msg, msg2, mlen)) { 136 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 137 | ret_val = KAT_CRYPTO_FAILURE; 138 | break; 139 | } 140 | } 141 | } 142 | 143 | fclose(fp); 144 | 145 | return ret_val; 146 | } 147 | 148 | 149 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 150 | { 151 | fprintf(fp, "%s", label); 152 | 153 | for (unsigned long long i = 0; i < length; i++) 154 | fprintf(fp, "%02X", data[i]); 155 | 156 | fprintf(fp, "\n"); 157 | } 158 | 159 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 160 | { 161 | for (unsigned long long i = 0; i < numbytes; i++) 162 | buffer[i] = (unsigned char)i; 163 | } 164 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N1/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N1/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N2/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 12 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N2/crypto_aead.h: -------------------------------------------------------------------------------- 1 | extern int crypto_aead_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | 10 | 11 | extern int crypto_aead_decrypt( 12 | unsigned char *m,unsigned long long *mlen, 13 | unsigned char *nsec, 14 | const unsigned char *c,unsigned long long clen, 15 | const unsigned char *ad,unsigned long long adlen, 16 | const unsigned char *npub, 17 | const unsigned char *k 18 | ); 19 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N2/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N2/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | //for (unsigned long long mlen = 0; (mlen <= 0) && (ret_val == KAT_SUCCESS); mlen++) { 97 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 98 | //for (unsigned long long adlen = 0; adlen <= 1; adlen++) { 99 | 100 | printf("%0d\n", (int)clen); 101 | 102 | fprintf(fp, "Count = %d\n", count++); 103 | 104 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 105 | 106 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 107 | 108 | fprint_bstr(fp, "PT = ", msg, mlen); 109 | 110 | fprint_bstr(fp, "AD = ", ad, adlen); 111 | 112 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 113 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 114 | ret_val = KAT_CRYPTO_FAILURE; 115 | break; 116 | } 117 | 118 | fprint_bstr(fp, "CT = ", ct, clen); 119 | 120 | fprintf(fp, "\n"); 121 | 122 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 123 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 124 | ret_val = KAT_CRYPTO_FAILURE; 125 | break; 126 | } 127 | 128 | if (mlen != mlen2) { 129 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 130 | ret_val = KAT_CRYPTO_FAILURE; 131 | break; 132 | } 133 | 134 | if (memcmp(msg, msg2, mlen)) { 135 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 136 | ret_val = KAT_CRYPTO_FAILURE; 137 | break; 138 | } 139 | } 140 | } 141 | 142 | fclose(fp); 143 | 144 | return ret_val; 145 | } 146 | 147 | 148 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 149 | { 150 | fprintf(fp, "%s", label); 151 | 152 | for (unsigned long long i = 0; i < length; i++) 153 | fprintf(fp, "%02X", data[i]); 154 | 155 | fprintf(fp, "\n"); 156 | } 157 | 158 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 159 | { 160 | for (unsigned long long i = 0; i < numbytes; i++) 161 | buffer[i] = (unsigned char)i; 162 | } 163 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N2/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N2/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 12 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N3/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_KEYBYTES 16 2 | #define CRYPTO_NSECBYTES 0 3 | #define CRYPTO_NPUBBYTES 12 4 | #define CRYPTO_ABYTES 16 5 | #define CRYPTO_NOOVERLAP 1 6 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N3/crypto_aead.h: -------------------------------------------------------------------------------- 1 | extern int crypto_aead_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | extern int crypto_aead_decrypt( 10 | unsigned char *m,unsigned long long *mlen, 11 | unsigned char *nsec, 12 | const unsigned char *c,unsigned long long clen, 13 | const unsigned char *ad,unsigned long long adlen, 14 | const unsigned char *npub, 15 | const unsigned char *k 16 | ); 17 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N3/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N3/genkat_aead.c: -------------------------------------------------------------------------------- 1 | // 2 | // NIST-developed software is provided by NIST as a public service. 3 | // You may use, copy and distribute copies of the software in any medium, 4 | // provided that you keep intact this entire notice. You may improve, 5 | // modify and create derivative works of the software or any portion of 6 | // the software, and you may copy and distribute such modifications or 7 | // works. Modified works should carry a notice stating that you changed 8 | // the software and should note the date and nature of any such change. 9 | // Please explicitly acknowledge the National Institute of Standards and 10 | // Technology as the source of the software. 11 | // 12 | // NIST-developed software is expressly provided "AS IS." NIST MAKES NO 13 | // WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION 14 | // OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, 15 | // FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST 16 | // NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE 17 | // UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST 18 | // DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE 19 | // OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, 20 | // RELIABILITY, OR USEFULNESS OF THE SOFTWARE. 21 | // 22 | // You are solely responsible for determining the appropriateness of using and 23 | // distributing the software and you assume all risks associated with its use, 24 | // including but not limited to the risks and costs of program errors, compliance 25 | // with applicable laws, damage to or loss of data, programs or equipment, and 26 | // the unavailability or interruption of operation. This software is not intended 27 | // to be used in any situation where a failure could cause risk of injury or 28 | // damage to property. The software developed by NIST employees is not subject to 29 | // copyright protection within the United States. 30 | // 31 | 32 | // disable deprecation for sprintf and fopen 33 | #ifdef _MSC_VER 34 | #define _CRT_SECURE_NO_WARNINGS 35 | #endif 36 | 37 | #include 38 | #include 39 | 40 | #include "crypto_aead.h" 41 | #include "api.h" 42 | 43 | #define KAT_SUCCESS 0 44 | #define KAT_FILE_OPEN_ERROR -1 45 | #define KAT_DATA_ERROR -3 46 | #define KAT_CRYPTO_FAILURE -4 47 | 48 | #define MAX_FILE_NAME 256 49 | #define MAX_MESSAGE_LENGTH 32 50 | #define MAX_ASSOCIATED_DATA_LENGTH 32 51 | 52 | void init_buffer(unsigned char *buffer, unsigned long long numbytes); 53 | 54 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length); 55 | 56 | int generate_test_vectors(); 57 | 58 | int main() 59 | { 60 | int ret = generate_test_vectors(); 61 | 62 | if (ret != KAT_SUCCESS) { 63 | fprintf(stderr, "test vector generation failed with code %d\n", ret); 64 | } 65 | 66 | return ret; 67 | } 68 | 69 | int generate_test_vectors() 70 | { 71 | FILE *fp; 72 | char fileName[MAX_FILE_NAME]; 73 | unsigned char key[CRYPTO_KEYBYTES]; 74 | unsigned char nonce[CRYPTO_NPUBBYTES]; 75 | unsigned char msg[MAX_MESSAGE_LENGTH]; 76 | unsigned char msg2[MAX_MESSAGE_LENGTH]; 77 | unsigned char ad[MAX_ASSOCIATED_DATA_LENGTH]; 78 | unsigned char ct[MAX_MESSAGE_LENGTH + CRYPTO_ABYTES]; 79 | unsigned long long clen, mlen2; 80 | int count = 1; 81 | int func_ret, ret_val = KAT_SUCCESS; 82 | 83 | init_buffer(key, sizeof(key)); 84 | init_buffer(nonce, sizeof(nonce)); 85 | init_buffer(msg, sizeof(msg)); 86 | init_buffer(ad, sizeof(ad)); 87 | 88 | sprintf(fileName, "LWC_AEAD_KAT_%d_%d.txt", (CRYPTO_KEYBYTES * 8), (CRYPTO_NPUBBYTES * 8)); 89 | 90 | if ((fp = fopen(fileName, "w")) == NULL) { 91 | fprintf(stderr, "Couldn't open <%s> for write\n", fileName); 92 | return KAT_FILE_OPEN_ERROR; 93 | } 94 | 95 | for (unsigned long long mlen = 0; (mlen <= MAX_MESSAGE_LENGTH) && (ret_val == KAT_SUCCESS); mlen++) { 96 | //for (unsigned long long mlen = 0; (mlen <= 0) && (ret_val == KAT_SUCCESS); mlen++) { 97 | for (unsigned long long adlen = 0; adlen <= MAX_ASSOCIATED_DATA_LENGTH; adlen++) { 98 | //for (unsigned long long adlen = 0; adlen <= 17; adlen++) { 99 | 100 | printf("%0d\n", (int)clen); 101 | 102 | fprintf(fp, "Count = %d\n", count++); 103 | 104 | fprint_bstr(fp, "Key = ", key, CRYPTO_KEYBYTES); 105 | 106 | fprint_bstr(fp, "Nonce = ", nonce, CRYPTO_NPUBBYTES); 107 | 108 | fprint_bstr(fp, "PT = ", msg, mlen); 109 | 110 | fprint_bstr(fp, "AD = ", ad, adlen); 111 | 112 | if ((func_ret = crypto_aead_encrypt(ct, &clen, msg, mlen, ad, adlen, NULL, nonce, key)) != 0) { 113 | fprintf(fp, "crypto_aead_encrypt returned <%d>\n", func_ret); 114 | ret_val = KAT_CRYPTO_FAILURE; 115 | break; 116 | } 117 | 118 | fprint_bstr(fp, "CT = ", ct, clen); 119 | 120 | fprintf(fp, "\n"); 121 | 122 | if ((func_ret = crypto_aead_decrypt(msg2, &mlen2, NULL, ct, clen, ad, adlen, nonce, key)) != 0) { 123 | fprintf(fp, "crypto_aead_decrypt returned <%d>\n", func_ret); 124 | ret_val = KAT_CRYPTO_FAILURE; 125 | break; 126 | } 127 | 128 | if (mlen != mlen2) { 129 | fprintf(fp, "crypto_aead_decrypt returned bad 'mlen': Got <%llu>, expected <%llu>\n", mlen2, mlen); 130 | ret_val = KAT_CRYPTO_FAILURE; 131 | break; 132 | } 133 | 134 | if (memcmp(msg, msg2, mlen)) { 135 | fprintf(fp, "crypto_aead_decrypt did not recover the plaintext\n"); 136 | ret_val = KAT_CRYPTO_FAILURE; 137 | break; 138 | } 139 | } 140 | } 141 | 142 | fclose(fp); 143 | 144 | return ret_val; 145 | } 146 | 147 | 148 | void fprint_bstr(FILE *fp, const char *label, const unsigned char *data, unsigned long long length) 149 | { 150 | fprintf(fp, "%s", label); 151 | 152 | for (unsigned long long i = 0; i < length; i++) 153 | fprintf(fp, "%02X", data[i]); 154 | 155 | fprintf(fp, "\n"); 156 | } 157 | 158 | void init_buffer(unsigned char *buffer, unsigned long long numbytes) 159 | { 160 | for (unsigned long long i = 0; i < numbytes; i++) 161 | buffer[i] = (unsigned char)i; 162 | } 163 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N3/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_256_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Previous Romulus versions/Romulus-N3/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 12 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-H/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 11 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-H/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); 7 | 8 | 9 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-H/hash.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-H as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "skinny.h" 11 | #include "api.h" 12 | #include "crypto_hash.h" 13 | 14 | 15 | // The hirose double-block length (DBL) compression function. 16 | void hirose_128_128_256 (unsigned char* h, 17 | unsigned char* g, 18 | const unsigned char* m) { 19 | unsigned char key [48]; 20 | unsigned char hh [16]; 21 | int i; 22 | 23 | for (i = 0; i < 16; i++) { // assign the key for the 24 | // hirose compresison function 25 | key[i] = g[i]; 26 | g[i] = h[i]; 27 | hh[i] = h[i]; 28 | } 29 | g[0] ^= 0x01; 30 | for (i = 0; i < 32; i++) { 31 | key[i+16] = m[i]; 32 | } 33 | 34 | skinny_128_384_plus_enc(h,key); 35 | skinny_128_384_plus_enc(g,key); 36 | 37 | for (i = 0; i < 16; i++) { 38 | h[i] ^= hh[i]; 39 | g[i] ^= hh[i]; 40 | } 41 | g[0] ^= 0x01; 42 | 43 | } 44 | 45 | // Sets the initial value to 0^2n 46 | void initialize (unsigned char* h, 47 | unsigned char* g) { 48 | unsigned char i; 49 | 50 | for (i = 0; i < 16; i++) { 51 | h[i] = 0; 52 | g[i] = 0; 53 | } 54 | } 55 | 56 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 57 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 58 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 59 | // the only differences compared to the use in Romulus-N 60 | void ipad_256 (const unsigned char* m, unsigned char* mp, int l, int len8) { 61 | int i; 62 | 63 | for (i = 0; i < l; i++) { 64 | if (i < len8) { 65 | mp[i] = m[i]; 66 | } 67 | else if (i == l - 1) { 68 | mp[i] = (len8 & 0x1f); 69 | } 70 | else { 71 | mp[i] = 0x00; 72 | } 73 | } 74 | 75 | } 76 | 77 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 78 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 79 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 80 | // the only differences compared to the use in Romulus-N 81 | void ipad_128 (const unsigned char* m, unsigned char* mp, int l, int len8) { 82 | int i; 83 | 84 | for (i = 0; i < l; i++) { 85 | if (i < len8) { 86 | mp[i] = m[i]; 87 | } 88 | else if (i == l - 1) { 89 | mp[i] = (len8 & 0xf); 90 | } 91 | else { 92 | mp[i] = 0x00; 93 | } 94 | } 95 | 96 | } 97 | 98 | 99 | int crypto_hash( 100 | unsigned char *out, 101 | const unsigned char *in, 102 | unsigned long long inlen 103 | ) 104 | { 105 | unsigned char h[16]; 106 | unsigned char g[16]; 107 | unsigned long long mlen; 108 | unsigned char p[32]; 109 | unsigned char i; 110 | 111 | mlen = inlen; 112 | 113 | initialize(h,g); 114 | while (mlen >= 32) { // Normal loop 115 | hirose_128_128_256(h,g,in); 116 | in += 32; 117 | mlen -= 32; 118 | } 119 | // Partial block (or in case there is no partial block we add a 0^2n block 120 | ipad_256(in,p,32,mlen); 121 | h[0] ^= 2; 122 | hirose_128_128_256(h,g,p); 123 | 124 | for (i = 0; i < 16; i++) { // Assign the output tag 125 | out[i] = h[i]; 126 | out[i+16] = g[i]; 127 | } 128 | 129 | return 0; 130 | } 131 | 132 | 133 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-H/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_plus_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-H/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 11 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/crypto_aead.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_aead_encrypt( 3 | unsigned char *c, unsigned long long *clen, 4 | const unsigned char *m, unsigned long long mlen, 5 | const unsigned char *ad, unsigned long long adlen, 6 | const unsigned char *nsec, 7 | const unsigned char *npub, 8 | const unsigned char *k 9 | ); 10 | 11 | int crypto_aead_decrypt( 12 | unsigned char *m, unsigned long long *mlen, 13 | unsigned char *nsec, 14 | const unsigned char *c, unsigned long long clen, 15 | const unsigned char *ad, unsigned long long adlen, 16 | const unsigned char *npub, 17 | const unsigned char *k 18 | ); 19 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); 7 | 8 | 9 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/decrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "romulus_m.h" 12 | 13 | 14 | 15 | int crypto_aead_decrypt( 16 | unsigned char *m,unsigned long long *mlen, 17 | unsigned char *nsec, 18 | const unsigned char *c,unsigned long long clen, 19 | const unsigned char *ad,unsigned long long adlen, 20 | const unsigned char *npub, 21 | const unsigned char *k 22 | ) 23 | { 24 | return romulus_m_decrypt(m,mlen,nsec,c,clen,ad,adlen,npub,k); 25 | } 26 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/encrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-M as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_encrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "romulus_m.h" 12 | 13 | 14 | 15 | int crypto_aead_encrypt ( 16 | unsigned char* c, unsigned long long* clen, 17 | const unsigned char* m, unsigned long long mlen, 18 | const unsigned char* ad, unsigned long long adlen, 19 | const unsigned char* nsec, 20 | const unsigned char* npub, 21 | const unsigned char* k 22 | ) 23 | { 24 | return romulus_m_encrypt(c,clen,m,mlen,ad,adlen,nsec,npub,k); 25 | } 26 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/hash.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-H as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "skinny.h" 11 | #include "api.h" 12 | #include "crypto_hash.h" 13 | 14 | 15 | // The hirose double-block length (DBL) compression function. 16 | void hirose_128_128_256 (unsigned char* h, 17 | unsigned char* g, 18 | const unsigned char* m) { 19 | unsigned char key [48]; 20 | unsigned char hh [16]; 21 | int i; 22 | 23 | for (i = 0; i < 16; i++) { // assign the key for the 24 | // hirose compresison function 25 | key[i] = g[i]; 26 | g[i] = h[i]; 27 | hh[i] = h[i]; 28 | } 29 | g[0] ^= 0x01; 30 | for (i = 0; i < 32; i++) { 31 | key[i+16] = m[i]; 32 | } 33 | 34 | skinny_128_384_plus_enc(h,key); 35 | skinny_128_384_plus_enc(g,key); 36 | 37 | for (i = 0; i < 16; i++) { 38 | h[i] ^= hh[i]; 39 | g[i] ^= hh[i]; 40 | } 41 | g[0] ^= 0x01; 42 | 43 | } 44 | 45 | // Sets the initial value to 0^2n 46 | void initialize (unsigned char* h, 47 | unsigned char* g) { 48 | unsigned char i; 49 | 50 | for (i = 0; i < 16; i++) { 51 | h[i] = 0; 52 | g[i] = 0; 53 | } 54 | } 55 | 56 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 57 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 58 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 59 | // the only differences compared to the use in Romulus-N 60 | void ipad_256 (const unsigned char* m, unsigned char* mp, int l, int len8) { 61 | int i; 62 | 63 | for (i = 0; i < l; i++) { 64 | if (i < len8) { 65 | mp[i] = m[i]; 66 | } 67 | else if (i == l - 1) { 68 | mp[i] = (len8 & 0x1f); 69 | } 70 | else { 71 | mp[i] = 0x00; 72 | } 73 | } 74 | 75 | } 76 | 77 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 78 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 79 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 80 | // the only differences compared to the use in Romulus-N 81 | void ipad_128 (const unsigned char* m, unsigned char* mp, int l, int len8) { 82 | int i; 83 | 84 | for (i = 0; i < l; i++) { 85 | if (i < len8) { 86 | mp[i] = m[i]; 87 | } 88 | else if (i == l - 1) { 89 | mp[i] = (len8 & 0xf); 90 | } 91 | else { 92 | mp[i] = 0x00; 93 | } 94 | } 95 | 96 | } 97 | 98 | 99 | int crypto_hash( 100 | unsigned char *out, 101 | const unsigned char *in, 102 | unsigned long long inlen 103 | ) 104 | { 105 | unsigned char h[16]; 106 | unsigned char g[16]; 107 | unsigned long long mlen; 108 | unsigned char p[32]; 109 | unsigned char i; 110 | 111 | mlen = inlen; 112 | 113 | initialize(h,g); 114 | while (mlen >= 32) { // Normal loop 115 | hirose_128_128_256(h,g,in); 116 | in += 32; 117 | mlen -= 32; 118 | } 119 | // Partial block (or in case there is no partial block we add a 0^2n block 120 | ipad_256(in,p,32,mlen); 121 | h[0] ^= 2; 122 | hirose_128_128_256(h,g,p); 123 | 124 | for (i = 0; i < 16; i++) { // Assign the output tag 125 | out[i] = h[i]; 126 | out[i+16] = g[i]; 127 | } 128 | 129 | return 0; 130 | } 131 | 132 | 133 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/romulus_m.h: -------------------------------------------------------------------------------- 1 | int romulus_m_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | 10 | int romulus_m_decrypt( 11 | unsigned char *m,unsigned long long *mlen, 12 | unsigned char *nsec, 13 | const unsigned char *c,unsigned long long clen, 14 | const unsigned char *ad,unsigned long long adlen, 15 | const unsigned char *npub, 16 | const unsigned char *k 17 | ); 18 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_plus_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M-H/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 11 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/crypto_aead.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_aead_encrypt( 3 | unsigned char *c, unsigned long long *clen, 4 | const unsigned char *m, unsigned long long mlen, 5 | const unsigned char *ad, unsigned long long adlen, 6 | const unsigned char *nsec, 7 | const unsigned char *npub, 8 | const unsigned char *k 9 | ); 10 | 11 | int crypto_aead_decrypt( 12 | unsigned char *m, unsigned long long *mlen, 13 | unsigned char *nsec, 14 | const unsigned char *c, unsigned long long clen, 15 | const unsigned char *ad, unsigned long long adlen, 16 | const unsigned char *npub, 17 | const unsigned char *k 18 | ); 19 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/decrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "romulus_m.h" 12 | 13 | 14 | 15 | int crypto_aead_decrypt( 16 | unsigned char *m,unsigned long long *mlen, 17 | unsigned char *nsec, 18 | const unsigned char *c,unsigned long long clen, 19 | const unsigned char *ad,unsigned long long adlen, 20 | const unsigned char *npub, 21 | const unsigned char *k 22 | ) 23 | { 24 | return romulus_m_decrypt(m,mlen,nsec,c,clen,ad,adlen,npub,k); 25 | } 26 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/encrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-M as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_encrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "romulus_m.h" 12 | 13 | 14 | 15 | int crypto_aead_encrypt ( 16 | unsigned char* c, unsigned long long* clen, 17 | const unsigned char* m, unsigned long long mlen, 18 | const unsigned char* ad, unsigned long long adlen, 19 | const unsigned char* nsec, 20 | const unsigned char* npub, 21 | const unsigned char* k 22 | ) 23 | { 24 | return romulus_m_encrypt(c,clen,m,mlen,ad,adlen,nsec,npub,k); 25 | } 26 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/romulus_m.h: -------------------------------------------------------------------------------- 1 | int romulus_m_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | 10 | int romulus_m_decrypt( 11 | unsigned char *m,unsigned long long *mlen, 12 | unsigned char *nsec, 13 | const unsigned char *c,unsigned long long clen, 14 | const unsigned char *ad,unsigned long long adlen, 15 | const unsigned char *npub, 16 | const unsigned char *k 17 | ); 18 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_plus_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-M/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 11 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/crypto_aead.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_aead_encrypt( 3 | unsigned char *c, unsigned long long *clen, 4 | const unsigned char *m, unsigned long long mlen, 5 | const unsigned char *ad, unsigned long long adlen, 6 | const unsigned char *nsec, 7 | const unsigned char *npub, 8 | const unsigned char *k 9 | ); 10 | 11 | int crypto_aead_decrypt( 12 | unsigned char *m, unsigned long long *mlen, 13 | unsigned char *nsec, 14 | const unsigned char *c, unsigned long long clen, 15 | const unsigned char *ad, unsigned long long adlen, 16 | const unsigned char *npub, 17 | const unsigned char *k 18 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); 7 | 8 | 9 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/decrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "api.h" 12 | #include "variant.h" 13 | #include "skinny.h" 14 | #include "romulus_n.h" 15 | 16 | int crypto_aead_decrypt( 17 | unsigned char *m,unsigned long long *mlen, 18 | unsigned char *nsec, 19 | const unsigned char *c,unsigned long long clen, 20 | const unsigned char *ad,unsigned long long adlen, 21 | const unsigned char *npub, 22 | const unsigned char *k 23 | ) 24 | { 25 | 26 | return romulus_n_decrypt(m,mlen,nsec,c,clen,ad,adlen,npub,k); 27 | 28 | } 29 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/encrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_encrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "api.h" 12 | #include "variant.h" 13 | #include "skinny.h" 14 | #include "romulus_n.h" 15 | 16 | 17 | int crypto_aead_encrypt ( 18 | unsigned char* c, unsigned long long* clen, 19 | const unsigned char* m, unsigned long long mlen, 20 | const unsigned char* ad, unsigned long long adlen, 21 | const unsigned char* nsec, 22 | const unsigned char* npub, 23 | const unsigned char* k 24 | ) 25 | { 26 | return romulus_n_encrypt(c,clen,m,mlen,ad,adlen,nsec,npub,k); 27 | } 28 | 29 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/hash.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-H as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "skinny.h" 11 | #include "api.h" 12 | #include "crypto_hash.h" 13 | 14 | 15 | // The hirose double-block length (DBL) compression function. 16 | void hirose_128_128_256 (unsigned char* h, 17 | unsigned char* g, 18 | const unsigned char* m) { 19 | unsigned char key [48]; 20 | unsigned char hh [16]; 21 | int i; 22 | 23 | for (i = 0; i < 16; i++) { // assign the key for the 24 | // hirose compresison function 25 | key[i] = g[i]; 26 | g[i] = h[i]; 27 | hh[i] = h[i]; 28 | } 29 | g[0] ^= 0x01; 30 | for (i = 0; i < 32; i++) { 31 | key[i+16] = m[i]; 32 | } 33 | 34 | skinny_128_384_plus_enc(h,key); 35 | skinny_128_384_plus_enc(g,key); 36 | 37 | for (i = 0; i < 16; i++) { 38 | h[i] ^= hh[i]; 39 | g[i] ^= hh[i]; 40 | } 41 | g[0] ^= 0x01; 42 | 43 | } 44 | 45 | // Sets the initial value to 0^2n 46 | void initialize (unsigned char* h, 47 | unsigned char* g) { 48 | unsigned char i; 49 | 50 | for (i = 0; i < 16; i++) { 51 | h[i] = 0; 52 | g[i] = 0; 53 | } 54 | } 55 | 56 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 57 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 58 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 59 | // the only differences compared to the use in Romulus-N 60 | void ipad_256 (const unsigned char* m, unsigned char* mp, int l, int len8) { 61 | int i; 62 | 63 | for (i = 0; i < l; i++) { 64 | if (i < len8) { 65 | mp[i] = m[i]; 66 | } 67 | else if (i == l - 1) { 68 | mp[i] = (len8 & 0x1f); 69 | } 70 | else { 71 | mp[i] = 0x00; 72 | } 73 | } 74 | 75 | } 76 | 77 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 78 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 79 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 80 | // the only differences compared to the use in Romulus-N 81 | void ipad_128 (const unsigned char* m, unsigned char* mp, int l, int len8) { 82 | int i; 83 | 84 | for (i = 0; i < l; i++) { 85 | if (i < len8) { 86 | mp[i] = m[i]; 87 | } 88 | else if (i == l - 1) { 89 | mp[i] = (len8 & 0xf); 90 | } 91 | else { 92 | mp[i] = 0x00; 93 | } 94 | } 95 | 96 | } 97 | 98 | 99 | int crypto_hash( 100 | unsigned char *out, 101 | const unsigned char *in, 102 | unsigned long long inlen 103 | ) 104 | { 105 | unsigned char h[16]; 106 | unsigned char g[16]; 107 | unsigned long long mlen; 108 | unsigned char p[32]; 109 | unsigned char i; 110 | 111 | mlen = inlen; 112 | 113 | initialize(h,g); 114 | while (mlen >= 32) { // Normal loop 115 | hirose_128_128_256(h,g,in); 116 | in += 32; 117 | mlen -= 32; 118 | } 119 | // Partial block (or in case there is no partial block we add a 0^2n block 120 | ipad_256(in,p,32,mlen); 121 | h[0] ^= 2; 122 | hirose_128_128_256(h,g,p); 123 | 124 | for (i = 0; i < 16; i++) { // Assign the output tag 125 | out[i] = h[i]; 126 | out[i+16] = g[i]; 127 | } 128 | 129 | return 0; 130 | } 131 | 132 | 133 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/romulus_n.h: -------------------------------------------------------------------------------- 1 | int romulus_n_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | 10 | int romulus_n_decrypt( 11 | unsigned char *m,unsigned long long *mlen, 12 | unsigned char *nsec, 13 | const unsigned char *c,unsigned long long clen, 14 | const unsigned char *ad,unsigned long long adlen, 15 | const unsigned char *npub, 16 | const unsigned char *k 17 | ); 18 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_plus_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N-H/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 11 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/crypto_aead.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_aead_encrypt( 3 | unsigned char *c, unsigned long long *clen, 4 | const unsigned char *m, unsigned long long mlen, 5 | const unsigned char *ad, unsigned long long adlen, 6 | const unsigned char *nsec, 7 | const unsigned char *npub, 8 | const unsigned char *k 9 | ); 10 | 11 | int crypto_aead_decrypt( 12 | unsigned char *m, unsigned long long *mlen, 13 | unsigned char *nsec, 14 | const unsigned char *c, unsigned long long clen, 15 | const unsigned char *ad, unsigned long long adlen, 16 | const unsigned char *npub, 17 | const unsigned char *k 18 | ); -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/decrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "api.h" 12 | #include "variant.h" 13 | #include "skinny.h" 14 | #include "romulus_n.h" 15 | 16 | int crypto_aead_decrypt( 17 | unsigned char *m,unsigned long long *mlen, 18 | unsigned char *nsec, 19 | const unsigned char *c,unsigned long long clen, 20 | const unsigned char *ad,unsigned long long adlen, 21 | const unsigned char *npub, 22 | const unsigned char *k 23 | ) 24 | { 25 | 26 | return romulus_n_decrypt(m,mlen,nsec,c,clen,ad,adlen,npub,k); 27 | 28 | } 29 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/encrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_encrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "api.h" 12 | #include "variant.h" 13 | #include "skinny.h" 14 | #include "romulus_n.h" 15 | 16 | 17 | int crypto_aead_encrypt ( 18 | unsigned char* c, unsigned long long* clen, 19 | const unsigned char* m, unsigned long long mlen, 20 | const unsigned char* ad, unsigned long long adlen, 21 | const unsigned char* nsec, 22 | const unsigned char* npub, 23 | const unsigned char* k 24 | ) 25 | { 26 | return romulus_n_encrypt(c,clen,m,mlen,ad,adlen,nsec,npub,k); 27 | } 28 | 29 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/romulus_n.h: -------------------------------------------------------------------------------- 1 | int romulus_n_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | 10 | int romulus_n_decrypt( 11 | unsigned char *m,unsigned long long *mlen, 12 | unsigned char *nsec, 13 | const unsigned char *c,unsigned long long clen, 14 | const unsigned char *ad,unsigned long long adlen, 15 | const unsigned char *npub, 16 | const unsigned char *k 17 | ); 18 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_plus_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-N/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/api.h: -------------------------------------------------------------------------------- 1 | 2 | // AEAD defines 3 | #define CRYPTO_KEYBYTES 16 4 | #define CRYPTO_NSECBYTES 0 5 | #define CRYPTO_NPUBBYTES 16 6 | #define CRYPTO_ABYTES 16 7 | #define CRYPTO_NOOVERLAP 1 8 | 9 | // Hash defines 10 | #define CRYPTO_BYTES 32 11 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/crypto_aead.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_aead_encrypt( 3 | unsigned char *c, unsigned long long *clen, 4 | const unsigned char *m, unsigned long long mlen, 5 | const unsigned char *ad, unsigned long long adlen, 6 | const unsigned char *nsec, 7 | const unsigned char *npub, 8 | const unsigned char *k 9 | ); 10 | 11 | int crypto_aead_decrypt( 12 | unsigned char *m, unsigned long long *mlen, 13 | unsigned char *nsec, 14 | const unsigned char *c, unsigned long long clen, 15 | const unsigned char *ad, unsigned long long adlen, 16 | const unsigned char *npub, 17 | const unsigned char *k 18 | ); 19 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/crypto_hash.h: -------------------------------------------------------------------------------- 1 | 2 | int crypto_hash( 3 | unsigned char *out, 4 | const unsigned char *in, 5 | unsigned long long inlen 6 | ); 7 | 8 | 9 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/decrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "api.h" 12 | #include "variant.h" 13 | #include "skinny.h" 14 | #include "romulus_t.h" 15 | 16 | int crypto_aead_decrypt( 17 | unsigned char *m,unsigned long long *mlen, 18 | unsigned char *nsec, 19 | const unsigned char *c,unsigned long long clen, 20 | const unsigned char *ad,unsigned long long adlen, 21 | const unsigned char *npub, 22 | const unsigned char *k 23 | ) 24 | { 25 | 26 | return romulus_t_decrypt(m,mlen,nsec,c,clen,ad,adlen,npub,k); 27 | 28 | } 29 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/encrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-N as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_encrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "crypto_aead.h" 11 | #include "api.h" 12 | #include "variant.h" 13 | #include "skinny.h" 14 | #include "romulus_t.h" 15 | 16 | 17 | int crypto_aead_encrypt ( 18 | unsigned char* c, unsigned long long* clen, 19 | const unsigned char* m, unsigned long long mlen, 20 | const unsigned char* ad, unsigned long long adlen, 21 | const unsigned char* nsec, 22 | const unsigned char* npub, 23 | const unsigned char* k 24 | ) 25 | { 26 | return romulus_t_encrypt(c,clen,m,mlen,ad,adlen,nsec,npub,k); 27 | } 28 | 29 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/hash.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Date: 21 April 2021 3 | * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg) 4 | * Romulus-H as compliant with the Romulus v1.3 specifications. 5 | * This file icludes crypto_aead_decrypt() 6 | * It superseeds earlier versions developed by Mustafa Khairallah and maintained 7 | * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu 8 | */ 9 | 10 | #include "skinny.h" 11 | #include "api.h" 12 | #include "crypto_hash.h" 13 | 14 | 15 | // The hirose double-block length (DBL) compression function. 16 | void hirose_128_128_256 (unsigned char* h, 17 | unsigned char* g, 18 | const unsigned char* m) { 19 | unsigned char key [48]; 20 | unsigned char hh [16]; 21 | int i; 22 | 23 | for (i = 0; i < 16; i++) { // assign the key for the 24 | // hirose compresison function 25 | key[i] = g[i]; 26 | g[i] = h[i]; 27 | hh[i] = h[i]; 28 | } 29 | g[0] ^= 0x01; 30 | for (i = 0; i < 32; i++) { 31 | key[i+16] = m[i]; 32 | } 33 | 34 | skinny_128_384_plus_enc(h,key); 35 | skinny_128_384_plus_enc(g,key); 36 | 37 | for (i = 0; i < 16; i++) { 38 | h[i] ^= hh[i]; 39 | g[i] ^= hh[i]; 40 | } 41 | g[0] ^= 0x01; 42 | 43 | } 44 | 45 | // Sets the initial value to 0^2n 46 | void initialize (unsigned char* h, 47 | unsigned char* g) { 48 | unsigned char i; 49 | 50 | for (i = 0; i < 16; i++) { 51 | h[i] = 0; 52 | g[i] = 0; 53 | } 54 | } 55 | 56 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 57 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 58 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 59 | // the only differences compared to the use in Romulus-N 60 | void ipad_256 (const unsigned char* m, unsigned char* mp, int l, int len8) { 61 | int i; 62 | 63 | for (i = 0; i < l; i++) { 64 | if (i < len8) { 65 | mp[i] = m[i]; 66 | } 67 | else if (i == l - 1) { 68 | mp[i] = (len8 & 0x1f); 69 | } 70 | else { 71 | mp[i] = 0x00; 72 | } 73 | } 74 | 75 | } 76 | 77 | // Padding function: pads the byte length of the message mod 32 to the last incomplete block. 78 | // For complete blocks it returns the same block. For an empty block it returns a 0^2n string. 79 | // The function is called for full block messages to add a 0^2n block. This and the modulus are 80 | // the only differences compared to the use in Romulus-N 81 | void ipad_128 (const unsigned char* m, unsigned char* mp, int l, int len8) { 82 | int i; 83 | 84 | for (i = 0; i < l; i++) { 85 | if (i < len8) { 86 | mp[i] = m[i]; 87 | } 88 | else if (i == l - 1) { 89 | mp[i] = (len8 & 0xf); 90 | } 91 | else { 92 | mp[i] = 0x00; 93 | } 94 | } 95 | 96 | } 97 | 98 | 99 | int crypto_hash( 100 | unsigned char *out, 101 | const unsigned char *in, 102 | unsigned long long inlen 103 | ) 104 | { 105 | unsigned char h[16]; 106 | unsigned char g[16]; 107 | unsigned long long mlen; 108 | unsigned char p[32]; 109 | unsigned char i; 110 | 111 | mlen = inlen; 112 | 113 | initialize(h,g); 114 | while (mlen >= 32) { // Normal loop 115 | hirose_128_128_256(h,g,in); 116 | in += 32; 117 | mlen -= 32; 118 | } 119 | // Partial block (or in case there is no partial block we add a 0^2n block 120 | ipad_256(in,p,32,mlen); 121 | h[0] ^= 2; 122 | hirose_128_128_256(h,g,p); 123 | 124 | for (i = 0; i < 16; i++) { // Assign the output tag 125 | out[i] = h[i]; 126 | out[i+16] = g[i]; 127 | } 128 | 129 | return 0; 130 | } 131 | 132 | 133 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/romulus_t.h: -------------------------------------------------------------------------------- 1 | int romulus_t_encrypt ( 2 | unsigned char* c, unsigned long long* clen, 3 | const unsigned char* m, unsigned long long mlen, 4 | const unsigned char* ad, unsigned long long adlen, 5 | const unsigned char* nsec, 6 | const unsigned char* npub, 7 | const unsigned char* k 8 | ); 9 | 10 | int romulus_t_decrypt( 11 | unsigned char *m,unsigned long long *mlen, 12 | unsigned char *nsec, 13 | const unsigned char *c,unsigned long long clen, 14 | const unsigned char *ad,unsigned long long adlen, 15 | const unsigned char *npub, 16 | const unsigned char *k 17 | ); 18 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/romulus_t_hash.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | void hirose_128_128_256 (unsigned char* h, 4 | unsigned char* g, 5 | const unsigned char* m); 6 | 7 | void initialize (unsigned char* h, 8 | unsigned char* g); 9 | 10 | void ipad_256 (const unsigned char* m, unsigned char* mp, int l, int len8); 11 | 12 | void ipad_128 (const unsigned char* m, unsigned char* mp, int l, int len8); 13 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/skinny.h: -------------------------------------------------------------------------------- 1 | extern void skinny_128_384_plus_enc (unsigned char* input, const unsigned char* userkey); 2 | -------------------------------------------------------------------------------- /Implementations/software/ref/Romulus-T-H/variant.h: -------------------------------------------------------------------------------- 1 | #define MSG_BLK_LEN 16 2 | #define AD_BLK_LEN_ODD 16 3 | #define AD_BLK_LEN_EVN 16 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 romulusae 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-slate 2 | title: Romulus Authenticated Encryption / Hash 3 | footer: false 4 | description: "Romulus Authenticated Encryption / Hash" 5 | 6 | encoding: UTF-8 7 | 8 | # Conversion 9 | markdown: kramdown 10 | highlighter: rouge 11 | lsi: false 12 | excerpt_separator: "\n\n" 13 | incremental: false 14 | 15 | 16 | # Markdown Processing 17 | kramdown: 18 | input: GFM 19 | hard_wrap: false 20 | auto_ids: true 21 | footnote_nr: 1 22 | entity_output: as_char 23 | toc_levels: 1..6 24 | smart_quotes: lsquo,rsquo,ldquo,rdquo 25 | enable_coderay: false 26 | 27 | # Plugins (previously gems:) 28 | plugins: 29 | - jekyll-paginate 30 | - jekyll-sitemap 31 | - jekyll-gist 32 | #- jekyll-feed 33 | - jemoji 34 | - jekyll-include-cache 35 | - jekyll-titles-from-headings 36 | 37 | # mimic GitHub Pages with --safe 38 | whitelist: 39 | - jekyll-paginate 40 | - jekyll-sitemap 41 | - jekyll-gist 42 | #- jekyll-feed 43 | - jemoji 44 | - jekyll-include-cache 45 | 46 | # HTML Compression 47 | # - http://jch.penibelst.de/ 48 | compress_html: 49 | clippings: all 50 | ignore: 51 | envs: development 52 | 53 | -------------------------------------------------------------------------------- /_layouts/default.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% seo %} 11 | 12 | 13 | 14 | 15 | 16 |
17 |
18 |

{{ site.title | default: site.github.repository_name }}

19 |
20 |
21 | 22 | 23 |
24 |
25 | {{ content }} 26 |
27 |
28 | 29 | 30 | 38 | 39 | {% if site.google_analytics %} 40 | 48 | {% endif %} 49 | 50 | 51 | -------------------------------------------------------------------------------- /assets/css/style.scss: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | @import "{{ site.theme }}"; 5 | 6 | .inner { 7 | max-width: 42%; 8 | } 9 | 10 | footer { 11 | display: none; 12 | } 13 | 14 | -------------------------------------------------------------------------------- /contact.md: -------------------------------------------------------------------------------- 1 | [Home](https://romulusae.github.io/romulus/)   - -   [Specs/Features](https://romulusae.github.io/romulus/specs)   - -   [Security](https://romulusae.github.io/romulus/security)   - -   [Implementations](https://romulusae.github.io/romulus/impl)   - -   [Contact](https://romulusae.github.io/romulus/contact) 2 | 3 |     4 | 5 | --- 6 | 7 |   8 | 9 | # Our Team 10 | 11 | - **[Chun Guo](https://faculty.sdu.edu.cn/chun_guo_sk/en/index.htm)**, Shandong University, China 12 | - **[Tetsu Iwata](http://www.nuee.nagoya-u.ac.jp/labs/tiwata/)**, Nagoya University, Japan 13 | - **[Mustafa Khairallah](https://www.mustafa-khairallah.com/)**, Nanyang Technological University, Singapore 14 | - **[Kazuhiko Minematsu](https://www.nec.com/en/global/rd/people/kazuhiko_minematsu.html)**, NEC, Japan 15 | - **[Thomas Peyrin](https://sites.google.com/site/thomaspeyrin/)**, Nanyang Technological University, Singapore 16 | 17 | You can contact us on [remus-and-romulus@googlegroups.com](mailto:remus-and-romulus@googlegroups.com) 18 | -------------------------------------------------------------------------------- /docs/NIST_LWC_2022.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/NIST_LWC_2022.pdf -------------------------------------------------------------------------------- /docs/Romulus_T_proof.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/Romulus_T_proof.pdf -------------------------------------------------------------------------------- /docs/Romulusv1.2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/Romulusv1.2.pdf -------------------------------------------------------------------------------- /docs/Romulusv1.3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/Romulusv1.3.pdf -------------------------------------------------------------------------------- /docs/Security_evaluation_Romulus_Jooyoung_Lee.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/Security_evaluation_Romulus_Jooyoung_Lee.pdf -------------------------------------------------------------------------------- /docs/modeH.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/modeH.png -------------------------------------------------------------------------------- /docs/modeM_simplified.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/modeM_simplified.png -------------------------------------------------------------------------------- /docs/modeN_simplified.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/modeN_simplified.png -------------------------------------------------------------------------------- /docs/modeT.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/romulusae/romulus/d0957f82666c32033e435c358e922681c951acdc/docs/modeT.png -------------------------------------------------------------------------------- /impl.md: -------------------------------------------------------------------------------- 1 | [Home](https://romulusae.github.io/romulus/)   - -   [Specs/Features](https://romulusae.github.io/romulus/specs)   - -   [Security](https://romulusae.github.io/romulus/security)   - -   [Implementations](https://romulusae.github.io/romulus/impl)   - -   [Contact](https://romulusae.github.io/romulus/contact) 2 | 3 |                                           [Hardware](https://romulusae.github.io/romulus/impl#hardware)   - -   [Software](https://romulusae.github.io/romulus/impl#software) 4 | 5 | --- 6 | 7 |   8 | 9 | # Hardware 10 | 11 | You can find RTL implementation of Romulus in the hardware implementations section of [our Github repo](https://github.com/romulusae/romulus). 12 | 13 | # Software 14 | 15 | You can find reference implementations of Romulus in C and Python, together with test vectors, in [our Github repo](https://github.com/romulusae/romulus). 16 | 17 | You can find optimized implementations of Romulus in the following Github repos: 18 | - [Alexandre Adomnicai](https://github.com/aadomn/skinny) - Cortex-M and 32-bit optimised implementations 19 | - [Rhys Weatherley](https://github.com/rweather/lightweight-crypto) - Cortex-M and AVR optimised implementations 20 | -------------------------------------------------------------------------------- /index.md: -------------------------------------------------------------------------------- 1 | [Home](https://romulusae.github.io/romulus/)   - -   [Specs/Features](https://romulusae.github.io/romulus/specs)   - -   [Security](https://romulusae.github.io/romulus/security)   - -   [Implementations](https://romulusae.github.io/romulus/impl)   - -   [Contact](https://romulusae.github.io/romulus/contact) 2 | 3 |     4 | 5 | --- 6 | 7 |   8 | 9 | Romulus is a submission to the [NIST lightweight competition](https://csrc.nist.gov/projects/lightweight-cryptography), currently in the final round. You can find the latest v1.3 specifications [here](https://romulusae.github.io/romulus/docs/Romulusv1.3.pdf) (and the previous v1.2 specifications [here](https://romulusae.github.io/romulus/docs/Romulusv1.2.pdf)). You can also check: 10 | * our NIST LWC Worksop 2022 [slides](https://github.com/romulusae/romulus/raw/master/docs/NIST_LWC_2022.pdf) 11 | * our Transactions on Symmetric-key Cryptology 2020 [paper](https://tosc.iacr.org/index.php/ToSC/article/view/8560/8131) and corresponding [talk](https://www.youtube.com/watch?v=3ML5g8tnP6A&ab_channel=TheIACR) at FSE 2020 12 | * our NIST LWC Worksop 2020 [paper](https://csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2020/documents/papers/new-results-romulus-lwc2020.pdf) and [slides](https://csrc.nist.gov/CSRC/media/Presentations/new-results-on-romulus/images-media/session-2-peyrin-new-results-rolmulus.pdf) 13 | * our NIST LWC Worksop 2019 [paper](https://csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/documents/papers/updates-on-romulus-remus-tgif-lwc2019.pdf) and [slides](https://csrc.nist.gov/CSRC/media/Presentations/updates-on-romulus-remus-and-tgif/images-media/session9-minematsu-updates-romulus-remus-tgif.pdf) 14 | * **(NEW)** The third-party security analysis of the Romulus-N and Romulus-M operating modes by [Jooyoung Lee](https://cs.kaist.ac.kr/people/view?idx=536&kind=faculty&menu=167) (see document [here](https://romulusae.github.io/romulus/docs/Security_evaluation_Romulus_Jooyoung_Lee.pdf)) 15 | * **(NEW)** A new security proof for the MDPH mode used in Romulus-H ([ePrint](https://eprint.iacr.org/2021/1469) and [IET Info Sec](https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/ise2.12058)) 16 | * **(NEW)** A security proof for the Romulus-T mode (see document [here](https://romulusae.github.io/romulus/docs/Romulus_T_proof.pdf)) 17 | 18 | Romulus is composed of 4 variants, each using the tweakable block cipher Skinny-128/384+ internally: 19 | - Romulus-N, a nonce-based AEAD (NAE) 20 | - Romulus-M, a nonce misuse-resistant AEAD (MRAE) 21 | - Romulus-T, a leakage-resilient AEAD 22 | - Romulus-H, a hash function 23 | 24 | -------------------------------------------------------------------------------- /specs.md: -------------------------------------------------------------------------------- 1 | [Home](https://romulusae.github.io/romulus/)   - -   [Specs/Features](https://romulusae.github.io/romulus/specs)   - -   [Security](https://romulusae.github.io/romulus/security)   - -   [Implementations](https://romulusae.github.io/romulus/impl)   - -   [Contact](https://romulusae.github.io/romulus/contact) 2 | 3 |     [Specifications](https://romulusae.github.io/romulus/specs#specifications)   - -   [Features](https://romulusae.github.io/romulus/specs#features)   - -   [Rationale](https://romulusae.github.io/romulus/specs#rationale) 4 | 5 | 6 | --- 7 | 8 |   9 | 10 | # Specifications 11 | 12 | Romulus is composed of 4 variants, each using the tweakable block cipher Skinny-128/384+ internally: 13 | - Romulus-N, a nonce-based AEAD (NAE) 14 | - Romulus-M, a nonce misuse-resistant AEAD (MRAE) 15 | - Romulus-T, a leakage-resilient AEAD 16 | - Romulus-H, a hash function 17 | 18 | 19 | ![alt text](https://romulusae.github.io/romulus/docs/modeN_simplified.png "Romulus-N") 20 | Romulus-N AEAD 21 | 22 | ![alt text](https://romulusae.github.io/romulus/docs/modeM_simplified.png "Romulus-M") 23 | Romulus-M AEAD 24 | 25 | ![alt text](https://romulusae.github.io/romulus/docs/modeT.png "Romulus-T") 26 | Romulus-T AEAD 27 | 28 | ![alt text](https://romulusae.github.io/romulus/docs/modeH.png "Romulus-H") 29 | Romulus-H hash function 30 | 31 | # Features 32 | 33 | Romulus is built on a **tweakable block cipher** (TBC), which is an extension of classical block cipher introduced by Liskov, Rivest and Wagner at Crypto 2003. Romulus adopts a mode of operation which was designed particularly with lightweight applications in mind. The underlying TBC is [Skinny](https://eprint.iacr.org/2016/660.pdf) proposed at CRYPTO 2016, a high security primitive specifically designed to be very efficient in constrained environments, and which received an important amount of third-party analysis since its publication. 34 | 35 | Romulus presents several interesting features: 36 | 37 | - **Small operating state size.** The state size refers to the amount of working memory needed to implement the scheme. Romulus's state size is the same as what is needed to implement the TBC alone. It is essentially the minimum as a TBC-based mode. 38 | 39 | - **Rate-1 operation.** The speed of an operating mode can be measured by the rate, which is the number of input blocks processed per internal primitive call. Romulus-N has rate 1, thus it needs an n-bit block TBC call to process an n-bit message block, which is optimal. We also remark that, for associated data (AD) blocks it is even more efficient (i.e. it can process (n+t) bits by one TBC call of n-bit block and t-bit tweak). For Romulus-M it has rate below 1 (note: rate of 1 is impossible for MRAE secrutiy notion) but is superior to other known TBC modes. 40 | 41 | - **Small overhead for short messages.** There is no pre-processing TBC call that adds computation overhead. For example, when Romulus-N receives 1-block AD and 1-block message, the encryption takes only three TBC calls. 42 | 43 | - **Highly Reliable Security.** The security of Romulus (for N and M variants) is provably reduced to the computational security (TPRP security) of the TBC in the single-key model. This is called Standard Model Security. Unlike those based on (e.g.) random permutation model or ideal-cipher model, there is no gap between the security model and the instantiation. The security for Romulus-N/H is n bits for n=128, and for Romulus-M it has n-bit nonce-respecting security and n/2-bit nonce-misuse security. 44 | 45 | - **Misuse-resistant security.** Romulus-M is an MRAE and has a strong resistance against potential nonce repeat by adopting a variant of SIV/SCT structure. Moreover its security only gracefully degrades depending on the maximum repetition of nonce, from n bits to n/2-bit as mentioned above, which is a desirable feature for MRAE. 46 | 47 | - **leakage resiliance.** Romulus-T is an AEAD which offers full leakage-resistance: it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. It is based on the provably secure TBC-based [TEDT construction](https://eprint.iacr.org/2019/137), which offers what is currently considered as the highest possible security notions in the presence of leakage, namely beyond birthday bound CIML2 and security against Chosen Ciphertext Attacks with nonce-misuse-resilience and Leakage using levelled implementations (CCAmL2). In addition, it provides beyond birthday bound black-box and leakage-resilient security guarantees. TEDT leads to an energy-efficient leakage-resilient solution as two TBCs are implemented: the first one needs strong and energy demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy-efficient protections and performs the bulk of the computation. 48 | 49 | # Rationale 50 | 51 | - **Operating modes.** The Romulus-N mode is designed to simultaneously achieve rate 1 and a small state size. It is based on (a TBC variant of) [COFB](https://eprint.iacr.org/2017/649.pdf) by Chakraborty et al., although the team conducted a thorough revising/simplification to optimize its performance. In particular the algorithm is streamlined so that any redundant logic (e.g. multiplexers) is removed in hardware. The Romulus-M mode is a variant of [SIV](https://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf) by Shrimpton and Rogaway, with certain performance boosts due to the use of TBC. It reuses Romulus-N mode, which enables a combined N/M implementation with a small overhead. Romulus-T is an update of the [TEDT construction](https://eprint.iacr.org/2019/137) from Berti et al., adapted to use Romulus-H as internal hash function. The Romulus-H is the [MDPH construction](https://link.springer.com/chapter/10.1007/978-3-030-30530-7_4) from Naito, which consists of Hirose’s well known [Double-Block-Length (DBL) compression function](https://www.iacr.org/archive/fse2006/40470213/40470213.pdf) plugged into the Merkle-Damgard with Permutation ([MDP](https://www.iacr.org/archive/asiacrypt2007/48330111/48330111.pdf)) domain extender. 52 | 53 | - **Internal primitive.** We adopted Skinny for TBC, which has been published at CRYPTO 2016 and received extensive third-party security analysis (see below). More precicely, we use Skinny-128/384+ as only internal primitive, which consist of Skinny-128/384 with the number of rounds reduced from 56 to 40 (Skinny-128/384 having an extremly large security margin). 54 | 55 | --------------------------------------------------------------------------------