gf128mul.h 8.0 KB

  1. /* gf128mul.h - GF(2^128) multiplication functions
  2. *
  3. * Copyright (c) 2003, Dr Brian Gladman, Worcester, UK.
  4. * Copyright (c) 2006 Rik Snel <rsnel@cube.dyndns.org>
  5. *
  6. * Based on Dr Brian Gladman's (GPL'd) work published at
  7. * http://fp.gladman.plus.com/cryptography_technology/index.htm
  8. * See the original copyright notice below.
  9. *
  10. * This program is free software; you can redistribute it and/or modify it
  11. * under the terms of the GNU General Public License as published by the Free
  12. * Software Foundation; either version 2 of the License, or (at your option)
  13. * any later version.
  14. */
  15. /*
  16. ---------------------------------------------------------------------------
  17. Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved.
  18. LICENSE TERMS
  19. The free distribution and use of this software in both source and binary
  20. form is allowed (with or without changes) provided that:
  21. 1. distributions of this source code include the above copyright
  22. notice, this list of conditions and the following disclaimer;
  23. 2. distributions in binary form include the above copyright
  24. notice, this list of conditions and the following disclaimer
  25. in the documentation and/or other associated materials;
  26. 3. the copyright holder's name is not used to endorse products
  27. built using this software without specific written permission.
  28. ALTERNATIVELY, provided that this notice is retained in full, this product
  29. may be distributed under the terms of the GNU General Public License (GPL),
  30. in which case the provisions of the GPL apply INSTEAD OF those given above.
  31. DISCLAIMER
  32. This software is provided 'as is' with no explicit or implied warranties
  33. in respect of its properties, including, but not limited to, correctness
  34. and/or fitness for purpose.
  35. ---------------------------------------------------------------------------
  36. Issue Date: 31/01/2006
  37. An implementation of field multiplication in Galois Field GF(128)
  38. */
  39. #ifndef _CRYPTO_GF128MUL_H
  40. #define _CRYPTO_GF128MUL_H
  41. #include <crypto/b128ops.h>
  42. #include <linux/slab.h>
  43. /* Comment by Rik:
  44. *
  45. * For some background on GF(2^128) see for example:
  46. * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
  47. *
 * The elements of GF(2^128) := GF(2)[X]/(X^128-X^7-X^2-X^1-1), i.e.
 * GF(2)[X] modulo X^128+X^7+X^2+X+1 (in GF(2) subtraction is addition,
 * so the signs are immaterial), can be mapped to computer memory in a
 * variety of ways. Let's examine three common cases.
  51. *
  52. * Take a look at the 16 binary octets below in memory order. The msb's
  53. * are left and the lsb's are right. char b[16] is an array and b[0] is
  54. * the first octet.
  55. *
  56. * 80000000 00000000 00000000 00000000 .... 00000000 00000000 00000000
  57. * b[0] b[1] b[2] b[3] b[13] b[14] b[15]
  58. *
  59. * Every bit is a coefficient of some power of X. We can store the bits
  60. * in every byte in little-endian order and the bytes themselves also in
  61. * little endian order. I will call this lle (little-little-endian).
  62. * The above buffer represents the polynomial 1, and X^7+X^2+X^1+1 looks
  63. * like 11100001 00000000 .... 00000000 = { 0xE1, 0x00, }.
  64. * This format was originally implemented in gf128mul and is used
  65. * in GCM (Galois/Counter mode) and in ABL (Arbitrary Block Length).
  66. *
  67. * Another convention says: store the bits in bigendian order and the
  68. * bytes also. This is bbe (big-big-endian). Now the buffer above
  69. * represents X^127. X^7+X^2+X^1+1 looks like 00000000 .... 10000111,
  70. * b[15] = 0x87 and the rest is 0. LRW uses this convention and bbe
  71. * is partly implemented.
  72. *
  73. * Both of the above formats are easy to implement on big-endian
  74. * machines.
  75. *
  76. * EME (which is patent encumbered) uses the ble format (bits are stored
  77. * in big endian order and the bytes in little endian). The above buffer
  78. * represents X^7 in this case and the primitive polynomial is b[0] = 0x87.
  79. *
 * The common machine word-size is smaller than 128 bits, so to make
 * an efficient implementation we must split into machine word sizes.
 * This file uses 32-bit words for the moment. Machine endianness comes
 * into play. The lle format in relation to machine endianness is
 * discussed below by the original author of gf128mul, Dr Brian Gladman.
  85. *
  86. * Let's look at the bbe and ble format on a little endian machine.
  87. *
  88. * bbe on a little endian machine u32 x[4]:
  89. *
  90. * MS x[0] LS MS x[1] LS
  91. * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  92. * 103..96 111.104 119.112 127.120 71...64 79...72 87...80 95...88
  93. *
  94. * MS x[2] LS MS x[3] LS
  95. * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  96. * 39...32 47...40 55...48 63...56 07...00 15...08 23...16 31...24
  97. *
  98. * ble on a little endian machine
  99. *
  100. * MS x[0] LS MS x[1] LS
  101. * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  102. * 31...24 23...16 15...08 07...00 63...56 55...48 47...40 39...32
  103. *
  104. * MS x[2] LS MS x[3] LS
  105. * ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
 * 95...88 87...80 79...72 71...64 127.120 119.112 111.104 103..96
  107. *
 * Multiplications in GF(2^128) are mostly bit-shifts, so you see why
 * ble (and lbe, the fourth bit/byte-order combination, also) are easier
 * to implement on a little-endian machine than on a big-endian machine.
 * The converse holds for bbe and lle.
  112. *
 * Note: to have good alignment, it seems to me that it is sufficient
 * to keep elements of GF(2^128) in type u64[2]. On 32-bit wordsize
 * machines this will automatically be aligned to the wordsize, and on
 * a 64-bit machine also.
  117. */
/* Multiply a GF128 field element by x. Field elements are held in arrays
of bytes in which field bits 8n..8n + 7 are held in byte[n], with lower
indexed bits placed in the more numerically significant bit positions
within bytes (this is the lle layout described above).
  122. On little endian machines the bit indexes translate into the bit
  123. positions within four 32-bit words in the following way
  124. MS x[0] LS MS x[1] LS
  125. ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  126. 24...31 16...23 08...15 00...07 56...63 48...55 40...47 32...39
  127. MS x[2] LS MS x[3] LS
  128. ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  129. 88...95 80...87 72...79 64...71 120.127 112.119 104.111 96..103
  130. On big endian machines the bit indexes translate into the bit
  131. positions within four 32-bit words in the following way
  132. MS x[0] LS MS x[1] LS
  133. ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  134. 00...07 08...15 16...23 24...31 32...39 40...47 48...55 56...63
  135. MS x[2] LS MS x[3] LS
  136. ms ls ms ls ms ls ms ls ms ls ms ls ms ls ms ls
  137. 64...71 72...79 80...87 88...95 96..103 104.111 112.119 120.127
  138. */
/* A slow generic version of gf_mul, implemented for lle and bbe.
 * It multiplies a and b (both in the named layout) and puts the result
 * in a: a is both an input and the output, b is only read (const).
 * No precomputed table is needed, so these are the right choice when the
 * factor changes every call; for a fixed factor see the 4k/64k variants
 * below. */
void gf128mul_lle(be128 *a, const be128 *b);
void gf128mul_bbe(be128 *a, const be128 *b);
/* Multiply by x in ble format, needed by XTS (tweak update). Note the
 * asymmetric signature: b is only read, so presumably a = b * x rather
 * than an in-place update of a -- confirm against gf128mul.c. */
void gf128mul_x_ble(be128 *a, const be128 *b);
/* 4k table optimization: 256 precomputed field elements for a fixed
 * factor g (built by gf128mul_init_4k_*), presumably one entry per
 * possible byte value of the other multiplicand. At 16 bytes per be128
 * the table is 256 * 16 = 4096 bytes, hence the name.
 * NOTE(review): the table is a deterministic function of g, so when g
 * is key material the whole table is key material too and must be
 * stored and released with the same care (see gf128mul_free_4k). */
struct gf128mul_4k {
	be128 t[256];
};
/* Build a heap-allocated 4k table for the constant factor g in the lle
 * (or bbe) layout; release it with gf128mul_free_4k. g is only read and
 * need not outlive the call. Presumably returns NULL when the allocation
 * fails -- callers must check before use. */
struct gf128mul_4k *gf128mul_init_4k_lle(const be128 *g);
struct gf128mul_4k *gf128mul_init_4k_bbe(const be128 *g);
/* Multiply a (in place) by the constant factor baked into t. t is
 * presumably only read, but the parameter is not const-qualified, so
 * confirm in gf128mul.c before sharing one table between concurrent
 * callers.
 * NOTE(review): a lookup into t[256] indexed by bytes of a secret-
 * dependent operand is a data-dependent memory access and therefore a
 * potential cache-timing side channel; where that matters, prefer a
 * constant-time or hardware-assisted multiplication instead. */
void gf128mul_4k_lle(be128 *a, struct gf128mul_4k *t);
void gf128mul_4k_bbe(be128 *a, struct gf128mul_4k *t);
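/* Release a table allocated by gf128mul_init_4k_*.
 *
 * The table is a deterministic function of the factor g it was built
 * from; when g is key material (the usual reason to precompute a table
 * for one fixed multiplicand) the 4 KiB of precomputed products are key
 * material too. A plain kfree() would leave them intact in the freed
 * slab object, where a later memory-disclosure bug or a reallocation to
 * an untrusted consumer could expose them. kzfree() clears the object
 * before returning it to the allocator, and like kfree() accepts NULL.
 * (kzfree() has been in <linux/slab.h> since 2.6.29; newer trees know it
 * as kfree_sensitive(). On a tree without either, memset() the table to
 * zero before kfree().)
 *
 * t must not be used after this returns. */
static inline void gf128mul_free_4k(struct gf128mul_4k *t)
{
	kzfree(t);
}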
/* 64k table optimization, implemented for lle and bbe: sixteen
 * separately allocated 4k tables (16 * 4096 bytes, hence the name),
 * presumably one per byte position of the multiplicand so that a product
 * is assembled from 16 lookups without shifting -- confirm against
 * gf128mul.c. Each pointer is owned by this struct and released by
 * gf128mul_free_64k.
 * NOTE(review): sixteen tables all derived from the same factor g, so the
 * secrecy and cache-timing considerations noted for gf128mul_4k apply
 * here as well. */
struct gf128mul_64k {
	struct gf128mul_4k *t[16];
};
/* 64k-table multiplication by a constant factor.
 *
 * First build a table with the constant factor with which you want to
 * multiply (gf128mul_init_64k_lle/bbe; presumably returns NULL on
 * allocation failure -- check before use), then call gf128mul_64k_lle/bbe
 * with the other factor in the first argument and the table in the
 * second; the product presumably overwrites *a in place. (An older
 * version of this comment described a third "scratch register"
 * argument and an *a = *r step; the prototypes below take only two
 * parameters, so that text no longer applied.) Release the table with
 * gf128mul_free_64k when done; t must not be used afterwards.
 * NOTE(review): this header does not show whether gf128mul_free_64k
 * clears the sixteen key-derived sub-tables before freeing them. Verify
 * in gf128mul.c and zero them (e.g. kzfree) if the factor is key
 * material; otherwise the expanded key lingers in freed slab memory. */
struct gf128mul_64k *gf128mul_init_64k_lle(const be128 *g);
struct gf128mul_64k *gf128mul_init_64k_bbe(const be128 *g);
void gf128mul_free_64k(struct gf128mul_64k *t);
void gf128mul_64k_lle(be128 *a, struct gf128mul_64k *t);
void gf128mul_64k_bbe(be128 *a, struct gf128mul_64k *t);
  170. #endif /* _CRYPTO_GF128MUL_H */