feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Smaller table version of the AES encrypt/decrypt

Browse Source 
Use WOLFSSL_AES_SMALL_TABLES.
Much slower. Decrypt much slower then encrypt.
This commit is contained in:
Sean Parkinson
2020-03-27 15:53:01 +10:00
parent ddb4b5eb89
commit 9339808ea1
1 changed files with 278 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

294
wolfcrypt/src/aes.c
View File

@ -933,6 +933,7 @@ static const word32 rcon[] = {
/* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
};
#ifndef WOLFSSL_AES_SMALL_TABLES
static const word32 Te[4][256] = {
{
0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
@ -1468,8 +1469,10 @@ static const word32 Td[4][256] = {
0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
}
};
#endif /* HAVE_AES_DECRYPT */
#endif
#ifdef HAVE_AES_DECRYPT
#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \
|| defined(WOLFSSL_AES_DIRECT)
static const byte Td4[256] =
@ -1512,7 +1515,62 @@ static const byte Td4[256] =
#define GETBYTE(x, y) (word32)((byte)((x) >> (8 * (y))))
#ifdef WOLFSSL_AES_SMALL_TABLES
static const byte Tsbox[256] = {
0x63U, 0x7cU, 0x77U, 0x7bU, 0xf2U, 0x6bU, 0x6fU, 0xc5U,
0x30U, 0x01U, 0x67U, 0x2bU, 0xfeU, 0xd7U, 0xabU, 0x76U,
0xcaU, 0x82U, 0xc9U, 0x7dU, 0xfaU, 0x59U, 0x47U, 0xf0U,
0xadU, 0xd4U, 0xa2U, 0xafU, 0x9cU, 0xa4U, 0x72U, 0xc0U,
0xb7U, 0xfdU, 0x93U, 0x26U, 0x36U, 0x3fU, 0xf7U, 0xccU,
0x34U, 0xa5U, 0xe5U, 0xf1U, 0x71U, 0xd8U, 0x31U, 0x15U,
0x04U, 0xc7U, 0x23U, 0xc3U, 0x18U, 0x96U, 0x05U, 0x9aU,
0x07U, 0x12U, 0x80U, 0xe2U, 0xebU, 0x27U, 0xb2U, 0x75U,
0x09U, 0x83U, 0x2cU, 0x1aU, 0x1bU, 0x6eU, 0x5aU, 0xa0U,
0x52U, 0x3bU, 0xd6U, 0xb3U, 0x29U, 0xe3U, 0x2fU, 0x84U,
0x53U, 0xd1U, 0x00U, 0xedU, 0x20U, 0xfcU, 0xb1U, 0x5bU,
0x6aU, 0xcbU, 0xbeU, 0x39U, 0x4aU, 0x4cU, 0x58U, 0xcfU,
0xd0U, 0xefU, 0xaaU, 0xfbU, 0x43U, 0x4dU, 0x33U, 0x85U,
0x45U, 0xf9U, 0x02U, 0x7fU, 0x50U, 0x3cU, 0x9fU, 0xa8U,
0x51U, 0xa3U, 0x40U, 0x8fU, 0x92U, 0x9dU, 0x38U, 0xf5U,
0xbcU, 0xb6U, 0xdaU, 0x21U, 0x10U, 0xffU, 0xf3U, 0xd2U,
0xcdU, 0x0cU, 0x13U, 0xecU, 0x5fU, 0x97U, 0x44U, 0x17U,
0xc4U, 0xa7U, 0x7eU, 0x3dU, 0x64U, 0x5dU, 0x19U, 0x73U,
0x60U, 0x81U, 0x4fU, 0xdcU, 0x22U, 0x2aU, 0x90U, 0x88U,
0x46U, 0xeeU, 0xb8U, 0x14U, 0xdeU, 0x5eU, 0x0bU, 0xdbU,
0xe0U, 0x32U, 0x3aU, 0x0aU, 0x49U, 0x06U, 0x24U, 0x5cU,
0xc2U, 0xd3U, 0xacU, 0x62U, 0x91U, 0x95U, 0xe4U, 0x79U,
0xe7U, 0xc8U, 0x37U, 0x6dU, 0x8dU, 0xd5U, 0x4eU, 0xa9U,
0x6cU, 0x56U, 0xf4U, 0xeaU, 0x65U, 0x7aU, 0xaeU, 0x08U,
0xbaU, 0x78U, 0x25U, 0x2eU, 0x1cU, 0xa6U, 0xb4U, 0xc6U,
0xe8U, 0xddU, 0x74U, 0x1fU, 0x4bU, 0xbdU, 0x8bU, 0x8aU,
0x70U, 0x3eU, 0xb5U, 0x66U, 0x48U, 0x03U, 0xf6U, 0x0eU,
0x61U, 0x35U, 0x57U, 0xb9U, 0x86U, 0xc1U, 0x1dU, 0x9eU,
0xe1U, 0xf8U, 0x98U, 0x11U, 0x69U, 0xd9U, 0x8eU, 0x94U,
0x9bU, 0x1eU, 0x87U, 0xe9U, 0xceU, 0x55U, 0x28U, 0xdfU,
0x8cU, 0xa1U, 0x89U, 0x0dU, 0xbfU, 0xe6U, 0x42U, 0x68U,
0x41U, 0x99U, 0x2dU, 0x0fU, 0xb0U, 0x54U, 0xbbU, 0x16U
};
#define AES_XTIME(x) ((byte)((byte)((x) << 1) ^ ((0 - ((x) >> 7)) & 0x1b)))
static word32 col_mul(word32 t, int i2, int i3, int ia, int ib)
{
byte t3 = GETBYTE(t, i3);
byte tm = AES_XTIME(GETBYTE(t, i2) ^ t3);
return GETBYTE(t, ia) ^ GETBYTE(t, ib) ^ t3 ^ tm;
}
static word32 inv_col_mul(word32 t, int i9, int ib, int id, int ie)
{
byte t9 = GETBYTE(t, i9);
byte tb = GETBYTE(t, ib);
byte td = GETBYTE(t, id);
byte te = GETBYTE(t, ie);
byte t0 = t9 ^ tb ^ td;
return t0 ^ AES_XTIME(AES_XTIME(AES_XTIME(t0 ^ te) ^ td ^ te) ^ tb ^ te);
}
#endif
#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM)
@ -1527,6 +1585,7 @@ static const byte Td4[256] =
#endif
#ifndef WOLFSSL_AES_SMALL_TABLES
/* load 4 Te Tables into cache by cache line stride */
static WC_INLINE word32 PreFetchTe(void)
{
@ -1541,6 +1600,19 @@ static WC_INLINE word32 PreFetchTe(void)
}
return x;
}
#else
/* load sbox into cache by cache line stride */
static WC_INLINE word32 PreFetchSBox(void)
{
word32 x = 0;
int i;
for (i = 0; i < 256; i += WC_CACHE_LINE_SZ/4) {
x &= Tsbox[i];
}
return x;
}
#endif
/* Software AES - ECB Encrypt */
static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
@ -1620,11 +1692,13 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
s3 = ByteReverseWord32(s3);
#endif
/* AddRoundKey */
s0 ^= rk[0];
s1 ^= rk[1];
s2 ^= rk[2];
s3 ^= rk[3];
#ifndef WOLFSSL_AES_SMALL_TABLES
s0 |= PreFetchTe();
/*
@ -1633,28 +1707,28 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
for (;;) {
t0 =
Te[0][GETBYTE(s0, 3)] ^
Te[1][GETBYTE(s1, 2)] ^
Te[2][GETBYTE(s2, 1)] ^
Te[3][GETBYTE(s3, 0)] ^
Te[0][GETBYTE(s0, 3)] ^
Te[1][GETBYTE(s1, 2)] ^
Te[2][GETBYTE(s2, 1)] ^
Te[3][GETBYTE(s3, 0)] ^
rk[4];
t1 =
Te[0][GETBYTE(s1, 3)] ^
Te[1][GETBYTE(s2, 2)] ^
Te[2][GETBYTE(s3, 1)] ^
Te[3][GETBYTE(s0, 0)] ^
Te[0][GETBYTE(s1, 3)] ^
Te[1][GETBYTE(s2, 2)] ^
Te[2][GETBYTE(s3, 1)] ^
Te[3][GETBYTE(s0, 0)] ^
rk[5];
t2 =
Te[0][GETBYTE(s2, 3)] ^
Te[1][GETBYTE(s3, 2)] ^
Te[2][GETBYTE(s0, 1)] ^
Te[3][GETBYTE(s1, 0)] ^
Te[1][GETBYTE(s3, 2)] ^
Te[2][GETBYTE(s0, 1)] ^
Te[3][GETBYTE(s1, 0)] ^
rk[6];
t3 =
Te[0][GETBYTE(s3, 3)] ^
Te[1][GETBYTE(s0, 2)] ^
Te[2][GETBYTE(s1, 1)] ^
Te[3][GETBYTE(s2, 0)] ^
Te[1][GETBYTE(s0, 2)] ^
Te[2][GETBYTE(s1, 1)] ^
Te[3][GETBYTE(s2, 0)] ^
rk[7];
rk += 8;
@ -1717,6 +1791,84 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
(Te[0][GETBYTE(t1, 1)] & 0x0000ff00) ^
(Te[1][GETBYTE(t2, 0)] & 0x000000ff) ^
rk[3];
#else
s0 |= PreFetchSBox();
r *= 2;
/* Two rounds at a time */
for (rk += 4; r > 1; r--, rk += 4) {
t0 =
((word32)Tsbox[GETBYTE(s0, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s1, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s2, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s3, 0)]);
t1 =
((word32)Tsbox[GETBYTE(s1, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s2, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s3, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s0, 0)]);
t2 =
((word32)Tsbox[GETBYTE(s2, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s3, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s0, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s1, 0)]);
t3 =
((word32)Tsbox[GETBYTE(s3, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s0, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s1, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s2, 0)]);
s0 =
(col_mul(t0, 3, 2, 0, 1) << 24) ^
(col_mul(t0, 2, 1, 0, 3) << 16) ^
(col_mul(t0, 1, 0, 2, 3) << 8) ^
(col_mul(t0, 0, 3, 2, 1) ) ^
rk[0];
s1 =
(col_mul(t1, 3, 2, 0, 1) << 24) ^
(col_mul(t1, 2, 1, 0, 3) << 16) ^
(col_mul(t1, 1, 0, 2, 3) << 8) ^
(col_mul(t1, 0, 3, 2, 1) ) ^
rk[1];
s2 =
(col_mul(t2, 3, 2, 0, 1) << 24) ^
(col_mul(t2, 2, 1, 0, 3) << 16) ^
(col_mul(t2, 1, 0, 2, 3) << 8) ^
(col_mul(t2, 0, 3, 2, 1) ) ^
rk[2];
s3 =
(col_mul(t3, 3, 2, 0, 1) << 24) ^
(col_mul(t3, 2, 1, 0, 3) << 16) ^
(col_mul(t3, 1, 0, 2, 3) << 8) ^
(col_mul(t3, 0, 3, 2, 1) ) ^
rk[3];
}
t0 =
((word32)Tsbox[GETBYTE(s0, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s1, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s2, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s3, 0)]);
t1 =
((word32)Tsbox[GETBYTE(s1, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s2, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s3, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s0, 0)]);
t2 =
((word32)Tsbox[GETBYTE(s2, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s3, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s0, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s1, 0)]);
t3 =
((word32)Tsbox[GETBYTE(s3, 3)] << 24) ^
((word32)Tsbox[GETBYTE(s0, 2)] << 16) ^
((word32)Tsbox[GETBYTE(s1, 1)] << 8) ^
((word32)Tsbox[GETBYTE(s2, 0)]);
s0 = t0 ^ rk[0];
s1 = t1 ^ rk[1];
s2 = t2 ^ rk[2];
s3 = t3 ^ rk[3];
#endif
/* write out */
#ifdef LITTLE_ENDIAN_ORDER
@ -1738,6 +1890,7 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) || \
defined(WOLFSSL_AES_DIRECT)
#ifndef WOLFSSL_AES_SMALL_TABLES
/* load 4 Td Tables into cache by cache line stride */
static WC_INLINE word32 PreFetchTd(void)
{
@ -1752,6 +1905,7 @@ static WC_INLINE word32 PreFetchTd(void)
}
return x;
}
#endif
/* load Td Table4 into cache by cache line stride */
static WC_INLINE word32 PreFetchTd4(void)
@ -1826,6 +1980,7 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
s2 ^= rk[2];
s3 ^= rk[3];
#ifndef WOLFSSL_AES_SMALL_TABLES
s0 |= PreFetchTd();
/*
@ -1919,6 +2074,83 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
((word32)Td4[GETBYTE(t1, 1)] << 8) ^
((word32)Td4[GETBYTE(t0, 0)]) ^
rk[3];
#else
s0 |= PreFetchTd4();
r *= 2;
for (rk += 4; r > 1; r--, rk += 4) {
t0 =
((word32)Td4[GETBYTE(s0, 3)] << 24) ^
((word32)Td4[GETBYTE(s3, 2)] << 16) ^
((word32)Td4[GETBYTE(s2, 1)] << 8) ^
((word32)Td4[GETBYTE(s1, 0)]) ^
rk[0];
t1 =
((word32)Td4[GETBYTE(s1, 3)] << 24) ^
((word32)Td4[GETBYTE(s0, 2)] << 16) ^
((word32)Td4[GETBYTE(s3, 1)] << 8) ^
((word32)Td4[GETBYTE(s2, 0)]) ^
rk[1];
t2 =
((word32)Td4[GETBYTE(s2, 3)] << 24) ^
((word32)Td4[GETBYTE(s1, 2)] << 16) ^
((word32)Td4[GETBYTE(s0, 1)] << 8) ^
((word32)Td4[GETBYTE(s3, 0)]) ^
rk[2];
t3 =
((word32)Td4[GETBYTE(s3, 3)] << 24) ^
((word32)Td4[GETBYTE(s2, 2)] << 16) ^
((word32)Td4[GETBYTE(s1, 1)] << 8) ^
((word32)Td4[GETBYTE(s0, 0)]) ^
rk[3];
s0 =
(inv_col_mul(t0, 0, 2, 1, 3) << 24) ^
(inv_col_mul(t0, 3, 1, 0, 2) << 16) ^
(inv_col_mul(t0, 2, 0, 3, 1) << 8) ^
(inv_col_mul(t0, 1, 3, 2, 0) );
s1 =
(inv_col_mul(t1, 0, 2, 1, 3) << 24) ^
(inv_col_mul(t1, 3, 1, 0, 2) << 16) ^
(inv_col_mul(t1, 2, 0, 3, 1) << 8) ^
(inv_col_mul(t1, 1, 3, 2, 0) );
s2 =
(inv_col_mul(t2, 0, 2, 1, 3) << 24) ^
(inv_col_mul(t2, 3, 1, 0, 2) << 16) ^
(inv_col_mul(t2, 2, 0, 3, 1) << 8) ^
(inv_col_mul(t2, 1, 3, 2, 0) );
s3 =
(inv_col_mul(t3, 0, 2, 1, 3) << 24) ^
(inv_col_mul(t3, 3, 1, 0, 2) << 16) ^
(inv_col_mul(t3, 2, 0, 3, 1) << 8) ^
(inv_col_mul(t3, 1, 3, 2, 0) );
}
t0 =
((word32)Td4[GETBYTE(s0, 3)] << 24) ^
((word32)Td4[GETBYTE(s3, 2)] << 16) ^
((word32)Td4[GETBYTE(s2, 1)] << 8) ^
((word32)Td4[GETBYTE(s1, 0)]);
t1 =
((word32)Td4[GETBYTE(s1, 3)] << 24) ^
((word32)Td4[GETBYTE(s0, 2)] << 16) ^
((word32)Td4[GETBYTE(s3, 1)] << 8) ^
((word32)Td4[GETBYTE(s2, 0)]);
t2 =
((word32)Td4[GETBYTE(s2, 3)] << 24) ^
((word32)Td4[GETBYTE(s1, 2)] << 16) ^
((word32)Td4[GETBYTE(s0, 1)] << 8) ^
((word32)Td4[GETBYTE(s3, 0)]);
t3 =
((word32)Td4[GETBYTE(s3, 3)] << 24) ^
((word32)Td4[GETBYTE(s2, 2)] << 16) ^
((word32)Td4[GETBYTE(s1, 1)] << 8) ^
((word32)Td4[GETBYTE(s0, 0)]);
s0 = t0 ^ rk[0];
s1 = t1 ^ rk[1];
s2 = t2 ^ rk[2];
s3 = t3 ^ rk[3];
#endif
/* write out */
#ifdef LITTLE_ENDIAN_ORDER
@ -2319,10 +2551,17 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
temp = rk[3];
rk[4] = rk[0] ^
#ifndef WOLFSSL_AES_SMALL_TABLES
(Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
(Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
(Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
(Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
#else
((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
((word32)Tsbox[GETBYTE(temp, 0)] << 8) ^
((word32)Tsbox[GETBYTE(temp, 3)]) ^
#endif
rcon[i];
rk[5] = rk[1] ^ rk[4];
rk[6] = rk[2] ^ rk[5];
@ -2342,10 +2581,17 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
temp = rk[ 5];
rk[ 6] = rk[ 0] ^
#ifndef WOLFSSL_AES_SMALL_TABLES
(Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
(Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
(Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
(Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
#else
((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
((word32)Tsbox[GETBYTE(temp, 0)] << 8) ^
((word32)Tsbox[GETBYTE(temp, 3)]) ^
#endif
rcon[i];
rk[ 7] = rk[ 1] ^ rk[ 6];
rk[ 8] = rk[ 2] ^ rk[ 7];
@ -2366,10 +2612,17 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
temp = rk[ 7];
rk[ 8] = rk[ 0] ^
#ifndef WOLFSSL_AES_SMALL_TABLES
(Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
(Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
(Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
(Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
#else
((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
((word32)Tsbox[GETBYTE(temp, 0)] << 8) ^
((word32)Tsbox[GETBYTE(temp, 3)]) ^
#endif
rcon[i];
rk[ 9] = rk[ 1] ^ rk[ 8];
rk[10] = rk[ 2] ^ rk[ 9];
@ -2378,10 +2631,17 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
break;
temp = rk[11];
rk[12] = rk[ 4] ^
#ifndef WOLFSSL_AES_SMALL_TABLES
(Te[2][GETBYTE(temp, 3)] & 0xff000000) ^
(Te[3][GETBYTE(temp, 2)] & 0x00ff0000) ^
(Te[0][GETBYTE(temp, 1)] & 0x0000ff00) ^
(Te[1][GETBYTE(temp, 0)] & 0x000000ff);
#else
((word32)Tsbox[GETBYTE(temp, 3)] << 24) ^
((word32)Tsbox[GETBYTE(temp, 2)] << 16) ^
((word32)Tsbox[GETBYTE(temp, 1)] << 8) ^
((word32)Tsbox[GETBYTE(temp, 0)]);
#endif
rk[13] = rk[ 5] ^ rk[12];
rk[14] = rk[ 6] ^ rk[13];
rk[15] = rk[ 7] ^ rk[14];
@ -2395,7 +2655,7 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
return BAD_FUNC_ARG;
} /* switch */
#ifdef HAVE_AES_DECRYPT
#if defined(HAVE_AES_DECRYPT)
if (dir == AES_DECRYPTION) {
unsigned int j;
rk = aes->key;
@ -2407,6 +2667,7 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
}
#if !defined(WOLFSSL_AES_SMALL_TABLES)
/* apply the inverse MixColumn transform to all round keys but the
first and the last: */
for (i = 1; i < aes->rounds; i++) {
@ -2432,6 +2693,7 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
Td[2][Te[1][GETBYTE(rk[3], 1)] & 0xff] ^
Td[3][Te[1][GETBYTE(rk[3], 0)] & 0xff];
}
#endif
}
#else
(void)dir;