Change order of aes decryption subkeys, update C and x86_64 implementations.

diff --git a/ChangeLog b/ChangeLog
index 1a891e48a4896cb7fca001031b4d147df13692bf..1e6657965936bd43e143778695b88e6a9378a286 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,14 @@
 
 2024-01-21  Niels Möller  <nisse@lysator.liu.se>
 
+       * aes-invert-internal.c (_nettle_aes_invert): Don't reorder the subkeys.
+       * aes-decrypt-internal.c (_nettle_aes_decrypt): Updated to process
+       subkeys starting from the end.
+       * x86_64/aes-decrypt-internal.asm: Likewise.
+       * x86_64/aesni/aes128-decrypt.asm: Likewise.
+       * x86_64/aesni/aes192-decrypt.asm: Likewise.
+       * x86_64/aesni/aes256-decrypt.asm: Likewise.
+
        * powerpc64/machine.m4 (OPN_XXY, OPN_XXXY): New macros.
        * powerpc64/p8/aes-encrypt-internal.asm: Use macros for repeated
        instruction patterns.

diff --git a/aes-decrypt-internal.c b/aes-decrypt-internal.c
index 9e8cf34a100f773e94c4c4e35062feb3c4f00a55..fcd7289a06c630dd45fc5c26944e0181bed7b84c 100644 (file)
--- a/aes-decrypt-internal.c
+++ b/aes-decrypt-internal.c
@@ -65,12 +65,12 @@ _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
       /* Get clear text, using little-endian byte order.
        * Also XOR with the first subkey. */
 
-      w0 = LE_READ_UINT32(src)      ^ keys[0];
-      w1 = LE_READ_UINT32(src + 4)  ^ keys[1];
-      w2 = LE_READ_UINT32(src + 8)  ^ keys[2];
-      w3 = LE_READ_UINT32(src + 12) ^ keys[3];
+      w0 = LE_READ_UINT32(src)      ^ keys[4*rounds];
+      w1 = LE_READ_UINT32(src + 4)  ^ keys[4*rounds + 1];
+      w2 = LE_READ_UINT32(src + 8)  ^ keys[4*rounds + 2];
+      w3 = LE_READ_UINT32(src + 12) ^ keys[4*rounds + 3];
 
-      for (i = 1; i < rounds; i++)
+      for (i = rounds - 1; i > 0; i--)
        {
          t0 = AES_ROUND(T, w0, w3, w2, w1, keys[4*i]);
          t1 = AES_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]);
@@ -88,10 +88,10 @@ _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
 
       /* Final round */
 
-      t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[4*i]);
-      t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]);
-      t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]);
-      t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]);
+      t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[0]);
+      t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[1]);
+      t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[2]);
+      t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[3]);
 
       LE_WRITE_UINT32(dst, t0);
       LE_WRITE_UINT32(dst + 4, t1);

diff --git a/aes-invert-internal.c b/aes-invert-internal.c
index a2faefa4d0262f7c2ed3581f7f2b8889f0d37796..7364616cb84edaea7eacf7ac1a1f09000307d44c 100644 (file)
--- a/aes-invert-internal.c
+++ b/aes-invert-internal.c
@@ -111,9 +111,9 @@ static const uint32_t mtable[0x100] =
   0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d,
 };
 
-#define MIX_COLUMN(T, key) do { \
+#define MIX_COLUMN(T, out, in) do {            \
     uint32_t _k, _nk, _t;      \
-    _k = (key);                        \
+    _k = (in);                 \
     _nk = T[_k & 0xff];                \
     _k >>= 8;                  \
     _t = T[_k & 0xff];         \
@@ -124,7 +124,7 @@ static const uint32_t mtable[0x100] =
     _k >>= 8;                  \
     _t = T[_k & 0xff];         \
     _nk ^= ROTL32(24, _t);     \
-    (key) = _nk;               \
+    (out) = _nk;               \
   } while(0)
   
 
@@ -136,29 +136,13 @@ _nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src)
 {
   unsigned i;
 
-  /* Reverse the order of subkeys, in groups of 4. */
-  /* FIXME: Instead of reordering the subkeys, change the access order
-     of aes_decrypt, since it's a separate function anyway? */
-  if (src == dst)
-    {
-      unsigned j, k;
+  /* Transform all subkeys but the first and last. */
+  for (i = 4; i < 4 * rounds; i++)
+    MIX_COLUMN (mtable, dst[i], src[i]);
 
-      for (i = 0, j = rounds * 4;
-          i < j;
-          i += 4, j -= 4)
-       for (k = 0; k<4; k++)
-         SWAP(dst[i+k], dst[j+k]);
-    }
-  else
+  if (src != dst)
     {
-      unsigned k;
-
-      for (i = 0; i <= rounds * 4; i += 4)
-       for (k = 0; k < 4; k++)
-         dst[i+k] = src[rounds * 4 - i + k];
+      dst[0] = src[0]; dst[1] = src[1]; dst[2] = src[2]; dst[3] = src[3];
+      dst[i] = src[i]; dst[i+1] = src[i+1]; dst[i+2] = src[i+2]; dst[i+3] = src[i+3];
     }
-
-  /* Transform all subkeys but the first and last. */
-  for (i = 4; i < 4 * rounds; i++)
-    MIX_COLUMN (mtable, dst[i]);
 }

diff --git a/x86_64/aes-decrypt-internal.asm b/x86_64/aes-decrypt-internal.asm
index d3bedc25ac557d163e84b4bb5afa6607d5aea84c..ed753a2c00fc596c348f009f8878fba43944e87f 100644 (file)
--- a/x86_64/aes-decrypt-internal.asm
+++ b/x86_64/aes-decrypt-internal.asm
@@ -83,8 +83,10 @@ PROLOGUE(_nettle_aes_decrypt)
        push    %r15    
 
        subl    $1, XREG(ROUNDS)
-       push    ROUNDS          C Rounds at (%rsp) 
-       
+       push    ROUNDS                  C Rounds stored at (%rsp)
+       shl     $4, XREG(ROUNDS)        C Zero-extends
+       lea     16(KEYS, ROUNDS), KEYS
+
        mov     PARAM_TABLE, TABLE
        mov     PARAM_LENGTH, LENGTH
        shr     $4, LENGTH
@@ -92,11 +94,12 @@ PROLOGUE(_nettle_aes_decrypt)
        mov     KEYS, KEY
        
        AES_LOAD(SA, SB, SC, SD, SRC, KEY)
-       add     $16, SRC        C Increment src pointer
 
+       add     $16, SRC        C  increment src pointer
        movl    (%rsp), XREG(ROUNDS)
 
-       add     $16, KEY        C  point to next key
+       sub     $16, KEY        C  point to next key
+
        ALIGN(16)
 .Lround_loop:
        AES_ROUND(TABLE, SA,SD,SC,SB, TA, TMP)
@@ -113,7 +116,7 @@ PROLOGUE(_nettle_aes_decrypt)
        xorl    8(KEY),SC
        xorl    12(KEY),SD
 
-       add     $16, KEY        C  point to next key
+       sub     $16, KEY        C  point to next key
        decl    XREG(ROUNDS)
        jnz     .Lround_loop
 

diff --git a/x86_64/aesni/aes128-decrypt.asm b/x86_64/aesni/aes128-decrypt.asm
index 79111e470fcc092495cf344547b791486985d371..b200989403f80596bd68a5a588ace74f0722115b 100644 (file)
--- a/x86_64/aesni/aes128-decrypt.asm
+++ b/x86_64/aesni/aes128-decrypt.asm
@@ -64,17 +64,17 @@ PROLOGUE(nettle_aes128_decrypt)
        test    LENGTH, LENGTH
        jz      .Lend
 
-       movups  (CTX), KEY0
-       movups  16(CTX), KEY1
-       movups  32(CTX), KEY2
-       movups  48(CTX), KEY3
-       movups  64(CTX), KEY4
+       movups  160(CTX), KEY0
+       movups  144(CTX), KEY1
+       movups  128(CTX), KEY2
+       movups  112(CTX), KEY3
+       movups  96(CTX), KEY4
        movups  80(CTX), KEY5
-       movups  96(CTX), KEY6
-       movups  112(CTX), KEY7
-       movups  128(CTX), KEY8
-       movups  144(CTX), KEY9
-       movups  160(CTX), KEY10
+       movups  64(CTX), KEY6
+       movups  48(CTX), KEY7
+       movups  32(CTX), KEY8
+       movups  16(CTX), KEY9
+       movups  (CTX), KEY10
        shr     LENGTH
        jnc     .Lblock_loop
 

diff --git a/x86_64/aesni/aes192-decrypt.asm b/x86_64/aesni/aes192-decrypt.asm
index 399f89b6ebe11d5473161eaecb22fa3d7951836b..24c178278876ccae8ab0a684651824cfd5340a53 100644 (file)
--- a/x86_64/aesni/aes192-decrypt.asm
+++ b/x86_64/aesni/aes192-decrypt.asm
@@ -66,19 +66,19 @@ PROLOGUE(nettle_aes192_decrypt)
        test    LENGTH, LENGTH
        jz      .Lend
 
-       movups  (CTX), KEY0
-       movups  16(CTX), KEY1
-       movups  32(CTX), KEY2
-       movups  48(CTX), KEY3
-       movups  64(CTX), KEY4
-       movups  80(CTX), KEY5
+       movups  192(CTX), KEY0
+       movups  176(CTX), KEY1
+       movups  160(CTX), KEY2
+       movups  144(CTX), KEY3
+       movups  128(CTX), KEY4
+       movups  112(CTX), KEY5
        movups  96(CTX), KEY6
-       movups  112(CTX), KEY7
-       movups  128(CTX), KEY8
-       movups  144(CTX), KEY9
-       movups  160(CTX), KEY10
-       movups  176(CTX), KEY11
-       movups  192(CTX), KEY12
+       movups  80(CTX), KEY7
+       movups  64(CTX), KEY8
+       movups  48(CTX), KEY9
+       movups  32(CTX), KEY10
+       movups  16(CTX), KEY11
+       movups  (CTX), KEY12
        shr     LENGTH
        jnc     .Lblock_loop
 

diff --git a/x86_64/aesni/aes256-decrypt.asm b/x86_64/aesni/aes256-decrypt.asm
index 0fc5ad2a705f191a35982c5d9d3dda3328fee4f2..247655a33eec578954adb2772f3fe5659449d2c1 100644 (file)
--- a/x86_64/aesni/aes256-decrypt.asm
+++ b/x86_64/aesni/aes256-decrypt.asm
@@ -67,20 +67,20 @@ PROLOGUE(nettle_aes256_decrypt)
        test    LENGTH, LENGTH
        jz      .Lend
 
-       movups  (CTX), KEY0_7
-       movups  16(CTX), KEY1
-       movups  32(CTX), KEY2
-       movups  48(CTX), KEY3
-       movups  64(CTX), KEY4
-       movups  80(CTX), KEY5
-       movups  96(CTX), KEY6
-       movups  128(CTX), KEY8
-       movups  144(CTX), KEY9
-       movups  160(CTX), KEY10
-       movups  176(CTX), KEY11
-       movups  192(CTX), KEY12
-       movups  208(CTX), KEY13
-       movups  224(CTX), KEY14
+       movups  224(CTX), KEY0_7
+       movups  208(CTX), KEY1
+       movups  192(CTX), KEY2
+       movups  176(CTX), KEY3
+       movups  160(CTX), KEY4
+       movups  144(CTX), KEY5
+       movups  128(CTX), KEY6
+       movups  96(CTX), KEY8
+       movups  80(CTX), KEY9
+       movups  64(CTX), KEY10
+       movups  48(CTX), KEY11
+       movups  32(CTX), KEY12
+       movups  16(CTX), KEY13
+       movups  (CTX), KEY14
 
        shr     LENGTH
        jnc     .Lblock_loop
@@ -95,7 +95,7 @@ PROLOGUE(nettle_aes256_decrypt)
        aesdec  KEY5, X
        aesdec  KEY6, X
        aesdec  KEY0_7, X
-       movups  (CTX), KEY0_7
+       movups  224(CTX), KEY0_7
        aesdec  KEY8, X
        aesdec  KEY9, X
        aesdec  KEY10, X
@@ -130,7 +130,7 @@ PROLOGUE(nettle_aes256_decrypt)
        aesdec  KEY6, Y
        aesdec  KEY0_7, X
        aesdec  KEY0_7, Y
-       movups  (CTX), KEY0_7
+       movups  224(CTX), KEY0_7
        aesdec  KEY8, X
        aesdec  KEY8, Y
        aesdec  KEY9, X