http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/c25f9e5c/version22/swift/TestMPIN.swift ---------------------------------------------------------------------- diff --git a/version22/swift/TestMPIN.swift b/version22/swift/TestMPIN.swift new file mode 100644 index 0000000..8df61ea --- /dev/null +++ b/version22/swift/TestMPIN.swift @@ -0,0 +1,259 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +// +// TestMPIN.swift +// +// Created by Michael Scott on 08/07/2015. +// Copyright (c) 2015 Michael Scott. All rights reserved. +// + +import Foundation +//import amcl // comment out for Xcode + +public func TestMPIN() +{ + let PERMITS=true + let PINERROR=true + let FULL=true + let SINGLE_PASS=false + + let rng=RAND() + + var RAW=[UInt8](repeating: 0,count: 100) + + for i in 0 ..< 100 {RAW[i]=UInt8((i+1)&0xff)} + rng.seed(100,RAW) + + let EGS=MPIN.EFS + let EFS=MPIN.EGS + let G1S=2*EFS+1 // Group 1 Size + let G2S=4*EFS; // Group 2 Size + let EAS=MPIN.PAS + + let sha=MPIN.HASH_TYPE + + var S=[UInt8](repeating: 0,count: EGS) + var SST=[UInt8](repeating: 0,count: G2S) + var TOKEN=[UInt8](repeating: 0,count: G1S) + var PERMIT=[UInt8](repeating: 0,count: G1S) + var SEC=[UInt8](repeating: 0,count: G1S) + var xID=[UInt8](repeating: 0,count: G1S) + var xCID=[UInt8](repeating: 0,count: G1S) + var X=[UInt8](repeating: 0,count: EGS) + var Y=[UInt8](repeating: 0,count: EGS) + var E=[UInt8](repeating: 0,count: 12*EFS) + var F=[UInt8](repeating: 0,count: 12*EFS) + var HID=[UInt8](repeating: 0,count: G1S) + var HTID=[UInt8](repeating: 0,count: G1S) + + var G1=[UInt8](repeating: 0,count: 12*EFS) + var G2=[UInt8](repeating: 0,count: 12*EFS) + var R=[UInt8](repeating: 0,count: EGS) + var Z=[UInt8](repeating: 0,count: G1S) + var W=[UInt8](repeating: 0,count: EGS) + var T=[UInt8](repeating: 0,count: G1S) + var CK=[UInt8](repeating: 0,count: EAS) + var SK=[UInt8](repeating: 0,count: EAS) + + var HSID=[UInt8]() + + // Trusted Authority set-up + + MPIN.RANDOM_GENERATE(rng,&S) + print("Master Secret s: 0x",terminator: ""); MPIN.printBinary(S) + + // Create Client Identity + let IDstr = "[email protected]" + let CLIENT_ID=[UInt8](IDstr.utf8) + + var HCID=MPIN.HASH_ID(sha,CLIENT_ID) // Either Client or TA calculates Hash(ID) - you decide! + + print("Client ID= "); MPIN.printBinary(CLIENT_ID) + + // Client and Server are issued secrets by DTA + MPIN.GET_SERVER_SECRET(S,&SST); + print("Server Secret SS: 0x",terminator: ""); MPIN.printBinary(SST); + + MPIN.GET_CLIENT_SECRET(&S,HCID,&TOKEN); + print("Client Secret CS: 0x",terminator: ""); MPIN.printBinary(TOKEN); + + // Client extracts PIN from secret to create Token + var pin:Int32=1234 + print("Client extracts PIN= \(pin)") + var rtn=MPIN.EXTRACT_PIN(sha,CLIENT_ID,pin,&TOKEN) + if rtn != 0 {print("FAILURE: EXTRACT_PIN rtn: \(rtn)")} + + print("Client Token TK: 0x",terminator: ""); MPIN.printBinary(TOKEN); + + if FULL + { + MPIN.PRECOMPUTE(TOKEN,HCID,&G1,&G2); + } + + var date:Int32=0 + if (PERMITS) + { + date=MPIN.today() + // Client gets "Time Token" permit from DTA + MPIN.GET_CLIENT_PERMIT(sha,date,S,HCID,&PERMIT) + print("Time Permit TP: 0x",terminator: ""); MPIN.printBinary(PERMIT) + + // This encoding makes Time permit look random - Elligator squared + MPIN.ENCODING(rng,&PERMIT); + print("Encoded Time Permit TP: 0x",terminator: ""); MPIN.printBinary(PERMIT) + MPIN.DECODING(&PERMIT) + print("Decoded Time Permit TP: 0x",terminator: ""); MPIN.printBinary(PERMIT) + } + + // ***** NOW ENTER PIN ******* + + pin=1234 + + // ************************** + + // Set date=0 and PERMIT=null if time permits not in use + + //Client First pass: Inputs CLIENT_ID, optional RNG, pin, TOKEN and PERMIT. Output xID =x .H(CLIENT_ID) and re-combined secret SEC + //If PERMITS are is use, then date!=0 and PERMIT is added to secret and xCID = x.(H(CLIENT_ID)+H(date|H(CLIENT_ID))) + //Random value x is supplied externally if RNG=null, otherwise generated and passed out by RNG + + //IMPORTANT: To save space and time.. + //If Time Permits OFF set xCID = null, HTID=null and use xID and HID only + //If Time permits are ON, AND pin error detection is required then all of xID, xCID, HID and HTID are required + //If Time permits are ON, AND pin error detection is NOT required, set xID=null, HID=null and use xCID and HTID only. + + + var pxID:[UInt8]?=xID + var pxCID:[UInt8]?=xCID + var pHID:[UInt8]=HID + var pHTID:[UInt8]?=HTID + var pE:[UInt8]?=E + var pF:[UInt8]?=F + var pPERMIT:[UInt8]?=PERMIT + + if date != 0 + { + if (!PINERROR) + { + pxID=nil; + // pHID=nil; + } + } + else + { + pPERMIT=nil; + pxCID=nil; + pHTID=nil; + } + if (!PINERROR) + { + pE=nil; + pF=nil; + } + + if (SINGLE_PASS) + { + print("MPIN Single Pass") + let timeValue = MPIN.GET_TIME() + + rtn=MPIN.CLIENT(sha,date,CLIENT_ID,rng,&X,pin,TOKEN,&SEC,&pxID,&pxCID,pPERMIT!,timeValue,&Y) + + if rtn != 0 {print("FAILURE: CLIENT rtn: \(rtn)")} + + if (FULL) + { + HCID=MPIN.HASH_ID(sha,CLIENT_ID); + MPIN.GET_G1_MULTIPLE(rng,1,&R,HCID,&Z); // Also Send Z=r.ID to Server, remember random r + } + rtn=MPIN.SERVER(sha,date,&pHID,&pHTID,&Y,SST,pxID,pxCID!,SEC,&pE,&pF,CLIENT_ID,timeValue) + if rtn != 0 {print("FAILURE: SERVER rtn: \(rtn)")} + + if (FULL) + { // Also send T=w.ID to client, remember random w + HSID=MPIN.HASH_ID(sha,CLIENT_ID); + if date != 0 {MPIN.GET_G1_MULTIPLE(rng,0,&W,pHTID!,&T)} + else {MPIN.GET_G1_MULTIPLE(rng,0,&W,pHID,&T)} + + } + } + else + { + print("MPIN Multi Pass"); + // Send U=x.ID to server, and recreate secret from token and pin + rtn=MPIN.CLIENT_1(sha,date,CLIENT_ID,rng,&X,pin,TOKEN,&SEC,&pxID,&pxCID,pPERMIT!) + if rtn != 0 {print("FAILURE: CLIENT_1 rtn: \(rtn)")} + + if (FULL) + { + HCID=MPIN.HASH_ID(sha,CLIENT_ID); + MPIN.GET_G1_MULTIPLE(rng,1,&R,HCID,&Z); // Also Send Z=r.ID to Server, remember random r + } + + // Server calculates H(ID) and H(T|H(ID)) (if time permits enabled), and maps them to points on the curve HID and HTID resp. + MPIN.SERVER_1(sha,date,CLIENT_ID,&pHID,&pHTID!); + + // Server generates Random number Y and sends it to Client + MPIN.RANDOM_GENERATE(rng,&Y); + + if (FULL) + { // Also send T=w.ID to client, remember random w + HSID=MPIN.HASH_ID(sha,CLIENT_ID); + if date != 0 {MPIN.GET_G1_MULTIPLE(rng,0,&W,pHTID!,&T)} + else {MPIN.GET_G1_MULTIPLE(rng,0,&W,pHID,&T)} + } + + // Client Second Pass: Inputs Client secret SEC, x and y. Outputs -(x+y)*SEC + rtn=MPIN.CLIENT_2(X,Y,&SEC); + if rtn != 0 {print("FAILURE: CLIENT_2 rtn: \(rtn)")} + + // Server Second pass. Inputs hashed client id, random Y, -(x+y)*SEC, xID and xCID and Server secret SST. E and F help kangaroos to find error. + // If PIN error not required, set E and F = null + + rtn=MPIN.SERVER_2(date,pHID,pHTID!,Y,SST,pxID!,pxCID!,SEC,&pE,&pF); + + if rtn != 0 {print("FAILURE: SERVER_1 rtn: \(rtn)")} + } + if (rtn == MPIN.BAD_PIN) + { + print("Server says - Bad Pin. I don't know you. Feck off.\n"); + if (PINERROR) + { + let err=MPIN.KANGAROO(pE!,pF!); + if err != 0 {print("(Client PIN is out by \(err))\n")} + } + return; + } + else {print("Server says - PIN is good! You really are "+IDstr)} + + if (FULL) + { + var H=MPIN.HASH_ALL(sha,HCID,pxID!,pxCID!,SEC,Y,Z,T); + MPIN.CLIENT_KEY(sha,G1,G2,pin,R,X,H,T,&CK); + print("Client Key = 0x",terminator: ""); MPIN.printBinary(CK) + + H=MPIN.HASH_ALL(sha,HSID,pxID!,pxCID!,SEC,Y,Z,T); + MPIN.SERVER_KEY(sha,Z,SST,W,H,pHID,pxID!,pxCID!,&SK); + print("Server Key = 0x",terminator: ""); MPIN.printBinary(SK) + } + +} + +//TestMPIN() // comment out for Xcode +
http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/c25f9e5c/version22/swift/TestRSA.swift ---------------------------------------------------------------------- diff --git a/version22/swift/TestRSA.swift b/version22/swift/TestRSA.swift new file mode 100644 index 0000000..a2a8dcb --- /dev/null +++ b/version22/swift/TestRSA.swift @@ -0,0 +1,100 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +// +// TestRSA.swift +// +// Created by Michael Scott on 25/06/2015. +// Copyright (c) 2015 Michael Scott. All rights reserved. +// + +import Foundation +//import amcl // comment out for Xcode + +public func TestRSA() +{ + let RFS=RSA.RFS + + var message="Hello World\n" + + let pub=rsa_public_key(Int(ROM.FFLEN)) + let priv=rsa_private_key(Int(ROM.HFLEN)) + + var ML=[UInt8](repeating: 0,count: RFS) + var C=[UInt8](repeating: 0,count: RFS) + var S=[UInt8](repeating: 0,count: RFS) + var RAW=[UInt8](repeating: 0,count: 100) + + let rng=RAND() + + rng.clean() + for i in 0 ..< 100 {RAW[i]=UInt8(i)} + + rng.seed(100,RAW) + + print("Generating public/private key pair") + RSA.KEY_PAIR(rng,65537,priv,pub) + + let M=[UInt8](message.utf8) + print("Encrypting test string\n"); + let E=RSA.OAEP_ENCODE(RSA.HASH_TYPE,M,rng,nil); /* OAEP encode message m to e */ + + RSA.ENCRYPT(pub,E,&C); /* encrypt encoded message */ + print("Ciphertext= 0x", terminator: ""); RSA.printBinary(C) + + print("Decrypting test string\n"); + RSA.DECRYPT(priv,C,&ML) + var MS=RSA.OAEP_DECODE(RSA.HASH_TYPE,nil,&ML) /* OAEP encode message m to e */ + + message="" + for i in 0 ..< MS.count + { + message+=String(UnicodeScalar(MS[i])) + } + print(message); + + print("Signing message") + RSA.PKCS15(RSA.HASH_TYPE,M,&C) + + RSA.DECRYPT(priv,C,&S); // create signature in S + print("Signature= 0x",terminator: ""); RSA.printBinary(S) + + RSA.ENCRYPT(pub,S,&ML); + + var cmp=true + if C.count != ML.count {cmp=false} + else + { + for j in 0 ..< C.count + { + if C[j] != ML[j] {cmp=false} + } + } + + if cmp {print("\nSignature is valid\n")} + else {print("\nSignature is INVALID\n")} + + + RSA.PRIVATE_KEY_KILL(priv); +} + +//TestRSA() // comment out for Xcode + + + http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/c25f9e5c/version22/swift/aes.swift ---------------------------------------------------------------------- diff --git a/version22/swift/aes.swift b/version22/swift/aes.swift new file mode 100644 index 0000000..0de2980 --- /dev/null +++ b/version22/swift/aes.swift @@ -0,0 +1,639 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +// +// aes.swift +// +// Created by Michael Scott on 22/06/2015. +// Copyright (c) 2015 Michael Scott. All rights reserved. +// +// AES Encryption +// + +final public class AES { + var mode:Int=0; + private var fkey=[UInt32](repeating: 0,count: 44) + private var rkey=[UInt32](repeating: 0,count: 44) + var f=[UInt8](repeating: 0,count: 16) + + static let ECB:Int=0 + static let CBC:Int=1 + static let CFB1:Int=2 + static let CFB2:Int=3 + static let CFB4:Int=5 + static let OFB1:Int=14 + static let OFB2:Int=15 + static let OFB4:Int=17 + static let OFB8:Int=21 + static let OFB16:Int=29 + static let CTR1:Int=30 + static let CTR2:Int=31 + static let CTR4:Int=33 + static let CTR8:Int=37 + static let CTR16:Int=45 + + static public let KS:Int=16; /* Key Size in bytes */ + static public let BS:Int=16; /* Block Size */ + + private static let InCo:[UInt8] = [ 0xB,0xD,0x9,0xE] /* Inverse Coefficients */ + + private static let ptab:[UInt8] = + [ 1, 3, 5, 15, 17, 51, 85, 255, 26, 46, 114, 150, 161, 248, 19, 53, + 95, 225, 56, 72, 216, 115, 149, 164, 247, 2, 6, 10, 30, 34, 102, 170, + 229, 52, 92, 228, 55, 89, 235, 38, 106, 190, 217, 112, 144, 171, 230, 49, + 83, 245, 4, 12, 20, 60, 68, 204, 79, 209, 104, 184, 211, 110, 178, 205, + 76, 212, 103, 169, 224, 59, 77, 215, 98, 166, 241, 8, 24, 40, 120, 136, + 131, 158, 185, 208, 107, 189, 220, 127, 129, 152, 179, 206, 73, 219, 118, 154, + 181, 196, 87, 249, 16, 48, 80, 240, 11, 29, 39, 105, 187, 214, 97, 163, + 254, 25, 43, 125, 135, 146, 173, 236, 47, 113, 147, 174, 233, 32, 96, 160, + 251, 22, 58, 78, 210, 109, 183, 194, 93, 231, 50, 86, 250, 21, 63, 65, + 195, 94, 226, 61, 71, 201, 64, 192, 91, 237, 44, 116, 156, 191, 218, 117, + 159, 186, 213, 100, 172, 239, 42, 126, 130, 157, 188, 223, 122, 142, 137, 128, + 155, 182, 193, 88, 232, 35, 101, 175, 234, 37, 111, 177, 200, 67, 197, 84, + 252, 31, 33, 99, 165, 244, 7, 9, 27, 45, 119, 153, 176, 203, 70, 202, + 69, 207, 74, 222, 121, 139, 134, 145, 168, 227, 62, 66, 198, 81, 243, 14, + 18, 54, 90, 238, 41, 123, 141, 140, 143, 138, 133, 148, 167, 242, 13, 23, + 57, 75, 221, 124, 132, 151, 162, 253, 28, 36, 108, 180, 199, 82, 246, 1] + + private static let ltab:[UInt8] = + [ 0, 255, 25, 1, 50, 2, 26, 198, 75, 199, 27, 104, 51, 238, 223, 3, + 100, 4, 224, 14, 52, 141, 129, 239, 76, 113, 8, 200, 248, 105, 28, 193, + 125, 194, 29, 181, 249, 185, 39, 106, 77, 228, 166, 114, 154, 201, 9, 120, + 101, 47, 138, 5, 33, 15, 225, 36, 18, 240, 130, 69, 53, 147, 218, 142, + 150, 143, 219, 189, 54, 208, 206, 148, 19, 92, 210, 241, 64, 70, 131, 56, + 102, 221, 253, 48, 191, 6, 139, 98, 179, 37, 226, 152, 34, 136, 145, 16, + 126, 110, 72, 195, 163, 182, 30, 66, 58, 107, 40, 84, 250, 133, 61, 186, + 43, 121, 10, 21, 155, 159, 94, 202, 78, 212, 172, 229, 243, 115, 167, 87, + 175, 88, 168, 80, 244, 234, 214, 116, 79, 174, 233, 213, 231, 230, 173, 232, + 44, 215, 117, 122, 235, 22, 11, 245, 89, 203, 95, 176, 156, 169, 81, 160, + 127, 12, 246, 111, 23, 196, 73, 236, 216, 67, 31, 45, 164, 118, 123, 183, + 204, 187, 62, 90, 251, 96, 177, 134, 59, 82, 161, 108, 170, 85, 41, 157, + 151, 178, 135, 144, 97, 190, 220, 252, 188, 149, 207, 205, 55, 63, 91, 209, + 83, 57, 132, 60, 65, 162, 109, 71, 20, 42, 158, 93, 86, 242, 211, 171, + 68, 17, 146, 217, 35, 32, 46, 137, 180, 124, 184, 38, 119, 153, 227, 165, + 103, 74, 237, 222, 197, 49, 254, 24, 13, 99, 140, 128, 192, 247, 112, 7] + + private static let fbsub:[UInt8] = + [ 99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, + 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, + 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, + 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, + 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, + 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, + 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, + 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, + 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, + 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, + 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, + 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, + 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, + 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, + 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, + 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22] + + private static let rbsub:[UInt8] = + [ 82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, 251, + 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222, 233, 203, + 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66, 250, 195, 78, + 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, 109, 139, 209, 37, + 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, 204, 93, 101, 182, 146, + 108, 112, 72, 80, 253, 237, 185, 218, 94, 21, 70, 87, 167, 141, 157, 132, + 144, 216, 171, 0, 140, 188, 211, 10, 247, 228, 88, 5, 184, 179, 69, 6, + 208, 44, 30, 143, 202, 63, 15, 2, 193, 175, 189, 3, 1, 19, 138, 107, + 58, 145, 17, 65, 79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115, + 150, 172, 116, 34, 231, 173, 53, 133, 226, 249, 55, 232, 28, 117, 223, 110, + 71, 241, 26, 113, 29, 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, + 252, 86, 62, 75, 198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, + 31, 221, 168, 51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, + 96, 81, 127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, + 160, 224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97, + 23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12, 125] + + private static let rco:[UInt8] = + [1,2,4,8,16,32,64,128,27,54,108,216,171,77,154,47] + + private static let ftable:[UInt32] = + [0xa56363c6,0x847c7cf8,0x997777ee,0x8d7b7bf6,0xdf2f2ff,0xbd6b6bd6, + 0xb16f6fde,0x54c5c591,0x50303060,0x3010102,0xa96767ce,0x7d2b2b56, + 0x19fefee7,0x62d7d7b5,0xe6abab4d,0x9a7676ec,0x45caca8f,0x9d82821f, + 0x40c9c989,0x877d7dfa,0x15fafaef,0xeb5959b2,0xc947478e,0xbf0f0fb, + 0xecadad41,0x67d4d4b3,0xfda2a25f,0xeaafaf45,0xbf9c9c23,0xf7a4a453, + 0x967272e4,0x5bc0c09b,0xc2b7b775,0x1cfdfde1,0xae93933d,0x6a26264c, + 0x5a36366c,0x413f3f7e,0x2f7f7f5,0x4fcccc83,0x5c343468,0xf4a5a551, + 0x34e5e5d1,0x8f1f1f9,0x937171e2,0x73d8d8ab,0x53313162,0x3f15152a, + 0xc040408,0x52c7c795,0x65232346,0x5ec3c39d,0x28181830,0xa1969637, + 0xf05050a,0xb59a9a2f,0x907070e,0x36121224,0x9b80801b,0x3de2e2df, + 0x26ebebcd,0x6927274e,0xcdb2b27f,0x9f7575ea,0x1b090912,0x9e83831d, + 0x742c2c58,0x2e1a1a34,0x2d1b1b36,0xb26e6edc,0xee5a5ab4,0xfba0a05b, + 0xf65252a4,0x4d3b3b76,0x61d6d6b7,0xceb3b37d,0x7b292952,0x3ee3e3dd, + 0x712f2f5e,0x97848413,0xf55353a6,0x68d1d1b9,0x0,0x2cededc1, + 0x60202040,0x1ffcfce3,0xc8b1b179,0xed5b5bb6,0xbe6a6ad4,0x46cbcb8d, + 0xd9bebe67,0x4b393972,0xde4a4a94,0xd44c4c98,0xe85858b0,0x4acfcf85, + 0x6bd0d0bb,0x2aefefc5,0xe5aaaa4f,0x16fbfbed,0xc5434386,0xd74d4d9a, + 0x55333366,0x94858511,0xcf45458a,0x10f9f9e9,0x6020204,0x817f7ffe, + 0xf05050a0,0x443c3c78,0xba9f9f25,0xe3a8a84b,0xf35151a2,0xfea3a35d, + 0xc0404080,0x8a8f8f05,0xad92923f,0xbc9d9d21,0x48383870,0x4f5f5f1, + 0xdfbcbc63,0xc1b6b677,0x75dadaaf,0x63212142,0x30101020,0x1affffe5, + 0xef3f3fd,0x6dd2d2bf,0x4ccdcd81,0x140c0c18,0x35131326,0x2fececc3, + 0xe15f5fbe,0xa2979735,0xcc444488,0x3917172e,0x57c4c493,0xf2a7a755, + 0x827e7efc,0x473d3d7a,0xac6464c8,0xe75d5dba,0x2b191932,0x957373e6, + 0xa06060c0,0x98818119,0xd14f4f9e,0x7fdcdca3,0x66222244,0x7e2a2a54, + 0xab90903b,0x8388880b,0xca46468c,0x29eeeec7,0xd3b8b86b,0x3c141428, + 0x79dedea7,0xe25e5ebc,0x1d0b0b16,0x76dbdbad,0x3be0e0db,0x56323264, + 0x4e3a3a74,0x1e0a0a14,0xdb494992,0xa06060c,0x6c242448,0xe45c5cb8, + 0x5dc2c29f,0x6ed3d3bd,0xefacac43,0xa66262c4,0xa8919139,0xa4959531, + 0x37e4e4d3,0x8b7979f2,0x32e7e7d5,0x43c8c88b,0x5937376e,0xb76d6dda, + 0x8c8d8d01,0x64d5d5b1,0xd24e4e9c,0xe0a9a949,0xb46c6cd8,0xfa5656ac, + 0x7f4f4f3,0x25eaeacf,0xaf6565ca,0x8e7a7af4,0xe9aeae47,0x18080810, + 0xd5baba6f,0x887878f0,0x6f25254a,0x722e2e5c,0x241c1c38,0xf1a6a657, + 0xc7b4b473,0x51c6c697,0x23e8e8cb,0x7cdddda1,0x9c7474e8,0x211f1f3e, + 0xdd4b4b96,0xdcbdbd61,0x868b8b0d,0x858a8a0f,0x907070e0,0x423e3e7c, + 0xc4b5b571,0xaa6666cc,0xd8484890,0x5030306,0x1f6f6f7,0x120e0e1c, + 0xa36161c2,0x5f35356a,0xf95757ae,0xd0b9b969,0x91868617,0x58c1c199, + 0x271d1d3a,0xb99e9e27,0x38e1e1d9,0x13f8f8eb,0xb398982b,0x33111122, + 0xbb6969d2,0x70d9d9a9,0x898e8e07,0xa7949433,0xb69b9b2d,0x221e1e3c, + 0x92878715,0x20e9e9c9,0x49cece87,0xff5555aa,0x78282850,0x7adfdfa5, + 0x8f8c8c03,0xf8a1a159,0x80898909,0x170d0d1a,0xdabfbf65,0x31e6e6d7, + 0xc6424284,0xb86868d0,0xc3414182,0xb0999929,0x772d2d5a,0x110f0f1e, + 0xcbb0b07b,0xfc5454a8,0xd6bbbb6d,0x3a16162c] + + private static let rtable:[UInt32] = + [0x50a7f451,0x5365417e,0xc3a4171a,0x965e273a,0xcb6bab3b,0xf1459d1f, + 0xab58faac,0x9303e34b,0x55fa3020,0xf66d76ad,0x9176cc88,0x254c02f5, + 0xfcd7e54f,0xd7cb2ac5,0x80443526,0x8fa362b5,0x495ab1de,0x671bba25, + 0x980eea45,0xe1c0fe5d,0x2752fc3,0x12f04c81,0xa397468d,0xc6f9d36b, + 0xe75f8f03,0x959c9215,0xeb7a6dbf,0xda595295,0x2d83bed4,0xd3217458, + 0x2969e049,0x44c8c98e,0x6a89c275,0x78798ef4,0x6b3e5899,0xdd71b927, + 0xb64fe1be,0x17ad88f0,0x66ac20c9,0xb43ace7d,0x184adf63,0x82311ae5, + 0x60335197,0x457f5362,0xe07764b1,0x84ae6bbb,0x1ca081fe,0x942b08f9, + 0x58684870,0x19fd458f,0x876cde94,0xb7f87b52,0x23d373ab,0xe2024b72, + 0x578f1fe3,0x2aab5566,0x728ebb2,0x3c2b52f,0x9a7bc586,0xa50837d3, + 0xf2872830,0xb2a5bf23,0xba6a0302,0x5c8216ed,0x2b1ccf8a,0x92b479a7, + 0xf0f207f3,0xa1e2694e,0xcdf4da65,0xd5be0506,0x1f6234d1,0x8afea6c4, + 0x9d532e34,0xa055f3a2,0x32e18a05,0x75ebf6a4,0x39ec830b,0xaaef6040, + 0x69f715e,0x51106ebd,0xf98a213e,0x3d06dd96,0xae053edd,0x46bde64d, + 0xb58d5491,0x55dc471,0x6fd40604,0xff155060,0x24fb9819,0x97e9bdd6, + 0xcc434089,0x779ed967,0xbd42e8b0,0x888b8907,0x385b19e7,0xdbeec879, + 0x470a7ca1,0xe90f427c,0xc91e84f8,0x0,0x83868009,0x48ed2b32, + 0xac70111e,0x4e725a6c,0xfbff0efd,0x5638850f,0x1ed5ae3d,0x27392d36, + 0x64d90f0a,0x21a65c68,0xd1545b9b,0x3a2e3624,0xb1670a0c,0xfe75793, + 0xd296eeb4,0x9e919b1b,0x4fc5c080,0xa220dc61,0x694b775a,0x161a121c, + 0xaba93e2,0xe52aa0c0,0x43e0223c,0x1d171b12,0xb0d090e,0xadc78bf2, + 0xb9a8b62d,0xc8a91e14,0x8519f157,0x4c0775af,0xbbdd99ee,0xfd607fa3, + 0x9f2601f7,0xbcf5725c,0xc53b6644,0x347efb5b,0x7629438b,0xdcc623cb, + 0x68fcedb6,0x63f1e4b8,0xcadc31d7,0x10856342,0x40229713,0x2011c684, + 0x7d244a85,0xf83dbbd2,0x1132f9ae,0x6da129c7,0x4b2f9e1d,0xf330b2dc, + 0xec52860d,0xd0e3c177,0x6c16b32b,0x99b970a9,0xfa489411,0x2264e947, + 0xc48cfca8,0x1a3ff0a0,0xd82c7d56,0xef903322,0xc74e4987,0xc1d138d9, + 0xfea2ca8c,0x360bd498,0xcf81f5a6,0x28de7aa5,0x268eb7da,0xa4bfad3f, + 0xe49d3a2c,0xd927850,0x9bcc5f6a,0x62467e54,0xc2138df6,0xe8b8d890, + 0x5ef7392e,0xf5afc382,0xbe805d9f,0x7c93d069,0xa92dd56f,0xb31225cf, + 0x3b99acc8,0xa77d1810,0x6e639ce8,0x7bbb3bdb,0x97826cd,0xf418596e, + 0x1b79aec,0xa89a4f83,0x656e95e6,0x7ee6ffaa,0x8cfbc21,0xe6e815ef, + 0xd99be7ba,0xce366f4a,0xd4099fea,0xd67cb029,0xafb2a431,0x31233f2a, + 0x3094a5c6,0xc066a235,0x37bc4e74,0xa6ca82fc,0xb0d090e0,0x15d8a733, + 0x4a9804f1,0xf7daec41,0xe50cd7f,0x2ff69117,0x8dd64d76,0x4db0ef43, + 0x544daacc,0xdf0496e4,0xe3b5d19e,0x1b886a4c,0xb81f2cc1,0x7f516546, + 0x4ea5e9d,0x5d358c01,0x737487fa,0x2e410bfb,0x5a1d67b3,0x52d2db92, + 0x335610e9,0x1347d66d,0x8c61d79a,0x7a0ca137,0x8e14f859,0x893c13eb, + 0xee27a9ce,0x35c961b7,0xede51ce1,0x3cb1477a,0x59dfd29c,0x3f73f255, + 0x79ce1418,0xbf37c773,0xeacdf753,0x5baafd5f,0x146f3ddf,0x86db4478, + 0x81f3afca,0x3ec468b9,0x2c342438,0x5f40a3c2,0x72c31d16,0xc25e2bc, + 0x8b493c28,0x41950dff,0x7101a839,0xdeb30c08,0x9ce4b4d8,0x90c15664, + 0x6184cb7b,0x70b632d5,0x745c6c48,0x4257b8d0] + + /* Rotates 32-bit word left by 1, 2 or 3 byte */ + + private static func ROTL8(_ x: UInt32) -> UInt32 + { + return (((x)<<8)|((x)>>24)) + } + + private static func ROTL16(_ x: UInt32) -> UInt32 + { + return (((x)<<16)|((x)>>16)) + } + + private static func ROTL24(_ x: UInt32) -> UInt32 + { + return (((x)<<24)|((x)>>8)) + } + + private static func pack(_ b: [UInt8]) -> UInt32 + { /* pack bytes into a 32-bit Word */ + var r=((UInt32(b[3])&0xff)<<24)|((UInt32(b[2])&0xff)<<16) + r = r|((UInt32(b[1])&0xff)<<8)|(UInt32(b[0])&0xff) + return r + } + + private static func unpack(_ a: UInt32) -> [UInt8] + { /* unpack bytes from a word */ + let b:[UInt8]=[UInt8(a&0xff),UInt8((a>>8)&0xff),UInt8((a>>16)&0xff),UInt8((a>>24)&0xff)]; + return b; + } + + private static func bmul(_ x: UInt8,_ y:UInt8) -> UInt8 + { /* x.y= AntiLog(Log(x) + Log(y)) */ + + let ix=Int(x)&0xff + let iy=Int(y)&0xff + let lx=Int(ltab[ix])&0xff + let ly=Int(ltab[iy])&0xff + + if x != 0 && y != 0 {return ptab[(lx+ly)%255]} + else {return UInt8(0)} + } + + private static func SubByte(_ a: UInt32) -> UInt32 + { + var b=unpack(a) + b[0]=fbsub[Int(b[0])] + b[1]=fbsub[Int(b[1])] + b[2]=fbsub[Int(b[2])] + b[3]=fbsub[Int(b[3])] + return pack(b); + } + + private static func product(_ x: UInt32,_ y: UInt32) -> UInt8 + { /* dot product of two 4-byte arrays */ + var xb=unpack(x); + var yb=unpack(y); + + return (bmul(xb[0],yb[0])^bmul(xb[1],yb[1])^bmul(xb[2],yb[2])^bmul(xb[3],yb[3])) + } + + private static func InvMixCol(_ x: UInt32) -> UInt32 + { /* matrix Multiplication */ + var b=[UInt8](repeating: 0,count: 4) + var m=pack(InCo); + b[3]=product(m,x); + m=ROTL24(m); + b[2]=product(m,x); + m=ROTL24(m); + b[1]=product(m,x); + m=ROTL24(m); + b[0]=product(m,x); + let y=pack(b) + return y + } + + private static func increment(_ f:inout [UInt8]) + { + for i in 0 ..< 16 + { + f[i]+=1 + if f[i] != 0 {break} + } + } + + /* reset cipher */ + func reset(_ m: Int,_ iv:[UInt8]?) + { /* reset mode, or reset iv */ + mode=m; + for i in 0 ..< 16 {f[i]=0} + if (mode != AES.ECB) && (iv != nil) + {for i in 0 ..< 16 {f[i]=iv![i]}} /*??*/ + } + + func init_it(_ m:Int,_ key:[UInt8],_ iv:[UInt8]?) + { /* Key=16 bytes */ + /* Key Scheduler. Create expanded encryption key */ + var CipherKey=[UInt32](repeating: 0,count: 4) + var b=[UInt8](repeating: 0,count: 4) + let nk=4; + reset(m,iv); + let N=44; + + var j=0 + for i in 0 ..< nk + { + for k in 0 ..< 4 {b[k]=key[j+k]} + CipherKey[i]=AES.pack(b); + j+=4; + } + for i in 0 ..< nk {fkey[i]=CipherKey[i]} + j=nk + var k=0 + while j<N + { + fkey[j]=fkey[j-nk]^AES.SubByte(AES.ROTL24(fkey[j-1]))^UInt32(AES.rco[k]) + var i=1 + while i<nk && (i+j)<N + { + fkey[i+j]=fkey[i+j-nk]^fkey[i+j-1] + i+=1 + } + j+=nk + k+=1 + } + + /* now for the expanded decrypt key in reverse order */ + + for j in 0 ..< 4 {rkey[j+N-4]=fkey[j]} + var i=4 + while i<N-4 + { + let k=N-4-i; + for j in 0 ..< 4 {rkey[k+j]=AES.InvMixCol(fkey[i+j])} + i+=4 + } + for j in N-4 ..< N {rkey[j-N+4]=fkey[j]} + } + + func getreg() -> [UInt8] + { + var ir=[UInt8](repeating: 0,count: 16) + for i in 0 ..< 16 {ir[i]=f[i]} + return ir; + } + + /* Encrypt a single block */ + func ecb_encrypt(_ buff:inout [UInt8]) + { + var b=[UInt8](repeating: 0,count: 4) + var p=[UInt32](repeating: 0,count: 4) + var q=[UInt32](repeating: 0,count: 4) + + var j=0 + for i in 0 ..< 4 + { + for k in 0 ..< 4 {b[k]=buff[j+k]} + p[i]=AES.pack(b); + p[i]^=fkey[i]; + j+=4 + } + + var k=4; + + /* State alternates between p and q */ + for _ in 1 ..< 10 + { + q[0]=fkey[k]^AES.ftable[Int(p[0]&0xff)]^AES.ROTL8(AES.ftable[Int((p[1]>>8)&0xff)])^AES.ROTL16(AES.ftable[Int((p[2]>>16)&0xff)])^AES.ROTL24(AES.ftable[Int((p[3]>>24)&0xff)]) + + q[1]=fkey[k+1]^AES.ftable[Int(p[1]&0xff)]^AES.ROTL8(AES.ftable[Int((p[2]>>8)&0xff)])^AES.ROTL16(AES.ftable[Int((p[3]>>16)&0xff)])^AES.ROTL24(AES.ftable[Int((p[0]>>24)&0xff)]) + + q[2]=fkey[k+2]^AES.ftable[Int(p[2]&0xff)]^AES.ROTL8(AES.ftable[Int((p[3]>>8)&0xff)])^AES.ROTL16(AES.ftable[Int((p[0]>>16)&0xff)])^AES.ROTL24(AES.ftable[Int((p[1]>>24)&0xff)]) + + q[3]=fkey[k+3]^AES.ftable[Int(p[3]&0xff)]^AES.ROTL8(AES.ftable[Int((p[0]>>8)&0xff)])^AES.ROTL16(AES.ftable[Int((p[1]>>16)&0xff)])^AES.ROTL24(AES.ftable[Int((p[2]>>24)&0xff)]) + + k+=4; + for j in 0 ..< 4 + { + let t=p[j]; p[j]=q[j]; q[j]=t; + } + } + + /* Last Round */ + + q[0]=fkey[k]^UInt32(AES.fbsub[Int(p[0]&0xff)])^AES.ROTL8(UInt32(AES.fbsub[Int((p[1]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.fbsub[Int((p[2]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.fbsub[Int((p[3]>>24)&0xff)])) + + q[1]=fkey[k+1]^UInt32(AES.fbsub[Int(p[1]&0xff)])^AES.ROTL8(UInt32(AES.fbsub[Int((p[2]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.fbsub[Int((p[3]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.fbsub[Int((p[0]>>24)&0xff)])) + + q[2]=fkey[k+2]^UInt32(AES.fbsub[Int(p[2]&0xff)])^AES.ROTL8(UInt32(AES.fbsub[Int((p[3]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.fbsub[Int((p[0]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.fbsub[Int((p[1]>>24)&0xff)])) + + q[3]=fkey[k+3]^UInt32(AES.fbsub[Int((p[3])&0xff)])^AES.ROTL8(UInt32(AES.fbsub[Int((p[0]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.fbsub[Int((p[1]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.fbsub[Int((p[2]>>24)&0xff)])) + + j=0 + for i in 0 ..< 4 + { + b=AES.unpack(q[i]) + for k in 0 ..< 4 {buff[j+k]=b[k]} + j+=4 + } + } + + /* Decrypt a single block */ + func ecb_decrypt(_ buff:inout [UInt8]) + { + var b=[UInt8](repeating: 0,count: 4) + var p=[UInt32](repeating: 0,count: 4) + var q=[UInt32](repeating: 0,count: 4) + + var j=0 + for i in 0 ..< 4 + { + for k in 0 ..< 4 {b[k]=buff[j+k]} + p[i]=AES.pack(b); + p[i]^=rkey[i]; + j+=4 + } + + var k=4 + + /* State alternates between p and q */ + for _ in 1 ..< 10 + { + + q[0]=rkey[k]^AES.rtable[Int(p[0]&0xff)]^AES.ROTL8(AES.rtable[Int((p[3]>>8)&0xff)])^AES.ROTL16(AES.rtable[Int((p[2]>>16)&0xff)])^AES.ROTL24(AES.rtable[Int((p[1]>>24)&0xff)]) + + q[1]=rkey[k+1]^AES.rtable[Int(p[1]&0xff)]^AES.ROTL8(AES.rtable[Int((p[0]>>8)&0xff)])^AES.ROTL16(AES.rtable[Int((p[3]>>16)&0xff)])^AES.ROTL24(AES.rtable[Int((p[2]>>24)&0xff)]) + + + q[2]=rkey[k+2]^AES.rtable[Int(p[2]&0xff)]^AES.ROTL8(AES.rtable[Int((p[1]>>8)&0xff)])^AES.ROTL16(AES.rtable[Int((p[0]>>16)&0xff)])^AES.ROTL24(AES.rtable[Int((p[3]>>24)&0xff)]) + + q[3]=rkey[k+3]^AES.rtable[Int(p[3]&0xff)]^AES.ROTL8(AES.rtable[Int((p[2]>>8)&0xff)])^AES.ROTL16(AES.rtable[Int((p[1]>>16)&0xff)])^AES.ROTL24(AES.rtable[Int((p[0]>>24)&0xff)]) + + + k+=4; + for j in 0 ..< 4 + { + let t=p[j]; p[j]=q[j]; q[j]=t; + } + } + + /* Last Round */ + + q[0]=rkey[k]^UInt32(AES.rbsub[Int(p[0]&0xff)])^AES.ROTL8(UInt32(AES.rbsub[Int((p[3]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.rbsub[Int((p[2]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.rbsub[Int((p[1]>>24)&0xff)])) + + q[1]=rkey[k+1]^UInt32(AES.rbsub[Int(p[1]&0xff)])^AES.ROTL8(UInt32(AES.rbsub[Int((p[0]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.rbsub[Int((p[3]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.rbsub[Int((p[2]>>24)&0xff)])) + + + q[2]=rkey[k+2]^UInt32(AES.rbsub[Int(p[2]&0xff)])^AES.ROTL8(UInt32(AES.rbsub[Int((p[1]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.rbsub[Int((p[0]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.rbsub[Int((p[3]>>24)&0xff)])) + + q[3]=rkey[k+3]^UInt32(AES.rbsub[Int((p[3])&0xff)])^AES.ROTL8(UInt32(AES.rbsub[Int((p[2]>>8)&0xff)]))^AES.ROTL16(UInt32(AES.rbsub[Int((p[1]>>16)&0xff)]))^AES.ROTL24(UInt32(AES.rbsub[Int((p[0]>>24)&0xff)])) + + j=0 + for i in 0 ..< 4 + { + b=AES.unpack(q[i]); + for k in 0 ..< 4 {buff[j+k]=b[k]} + j+=4 + } + } + + /* Encrypt using selected mode of operation */ + func encrypt(_ buff:inout [UInt8]) -> UInt32 + { + var st=[UInt8](repeating: 0,count: 16) + + // Supported Modes of Operation + + var fell_off:UInt32=0; + switch (mode) + { + case AES.ECB: + ecb_encrypt(&buff) + return 0 + case AES.CBC: + for j in 0 ..< 16 {buff[j]^=f[j]} + ecb_encrypt(&buff); + for j in 0 ..< 16 {f[j]=buff[j]} + return 0; + + case AES.CFB1: + fallthrough + case AES.CFB2: + fallthrough + case AES.CFB4: + let bytes=mode-AES.CFB1+1 + for j in 0 ..< bytes {fell_off=(fell_off<<8)|UInt32(f[j])} + for j in 0 ..< 16 {st[j]=f[j]} + for j in bytes ..< 16 {f[j-bytes]=f[j]} + ecb_encrypt(&st); + for j in 0 ..< bytes + { + buff[j]^=st[j]; + f[16-bytes+j]=buff[j]; + } + return fell_off; + + case AES.OFB1: + fallthrough + case AES.OFB2: + fallthrough + case AES.OFB4: + fallthrough + case AES.OFB8: + fallthrough + case AES.OFB16: + + let bytes=mode-AES.OFB1+1 + ecb_encrypt(&f) + for j in 0 ..< bytes {buff[j]^=f[j]} + return 0; + + case AES.CTR1: + fallthrough + case AES.CTR2: + fallthrough + case AES.CTR4: + fallthrough + case AES.CTR8: + fallthrough + case AES.CTR16: + let bytes=mode-AES.CTR1+1 + for j in 0 ..< 16 {st[j]=f[j]} + ecb_encrypt(&st) + for j in 0 ..< bytes {buff[j]^=st[j]} + AES.increment(&f) + return 0 + + default: + return 0; + } + } + + /* Decrypt using selected mode of operation */ + func decrypt(_ buff:inout [UInt8]) -> UInt32 + { + + var st=[UInt8](repeating: 0,count: 16) + + // Supported Modes of Operation + + var fell_off:UInt32=0; + switch (mode) + { + case AES.ECB: + ecb_decrypt(&buff); + return 0; + case AES.CBC: + for j in 0 ..< 16 + { + st[j]=f[j]; + f[j]=buff[j]; + } + ecb_decrypt(&buff); + for j in 0 ..< 16 + { + buff[j]^=st[j]; + st[j]=0; + } + return 0; + case AES.CFB1: + fallthrough + case AES.CFB2: + fallthrough + case AES.CFB4: + let bytes=mode-AES.CFB1+1; + for j in 0 ..< bytes {fell_off=(fell_off<<8)|UInt32(f[j])} + for j in 0 ..< 16 {st[j]=f[j]} + for j in bytes ..< 16 {f[j-bytes]=f[j]} + ecb_encrypt(&st); + for j in 0 ..< bytes + { + f[16-bytes+j]=buff[j] + buff[j]^=st[j] + } + return fell_off + case AES.OFB1: + fallthrough + case AES.OFB2: + fallthrough + case AES.OFB4: + fallthrough + case AES.OFB8: + fallthrough + case AES.OFB16: + let bytes=mode-AES.OFB1+1 + ecb_encrypt(&f); + for j in 0 ..< bytes {buff[j]^=f[j]} + return 0; + + case AES.CTR1: + fallthrough + case AES.CTR2: + fallthrough + case AES.CTR4: + fallthrough + case AES.CTR8: + fallthrough + case AES.CTR16: + let bytes=mode-AES.CTR1+1 + for j in 0 ..< 16 {st[j]=f[j]} + ecb_encrypt(&st) + for j in 0 ..< bytes {buff[j]^=st[j]} + AES.increment(&f) + return 0 + + default: + return 0; + } + } + + /* Clean up and delete left-overs */ + func end() + { // clean up + for i in 0 ..< 44 + {fkey[i]=0; rkey[i]=0} + for i in 0 ..< 16 + {f[i]=0} + } + +} http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/c25f9e5c/version22/swift/big.swift ---------------------------------------------------------------------- diff --git a/version22/swift/big.swift b/version22/swift/big.swift new file mode 100644 index 0000000..11fe17a --- /dev/null +++ b/version22/swift/big.swift @@ -0,0 +1,1169 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +// +// big.swift +// +// Created by Michael Scott on 12/06/2015. +// Copyright (c) 2015 Michael Scott. All rights reserved. +// BIG number class +// + +final class BIG{ + var w=[Chunk](repeating: 0,count: ROM.NLEN) +/* Constructors */ + init() { + for i in 0 ..< ROM.NLEN {w[i]=0} + } + init(_ x: Int) + { + w[0]=Chunk(x); + for i in 1 ..< ROM.NLEN {w[i]=0} + } + init(_ x: BIG) + { + for i in 0 ..< ROM.NLEN {w[i]=x.w[i]} + } + init(_ x: DBIG) + { + for i in 0 ..< ROM.NLEN {w[i]=x.w[i]} + } + init(_ x: [Chunk]) + { + for i in 0 ..< ROM.NLEN {w[i]=x[i]} + } + func get(_ i: Int) -> Chunk + { + return w[i] + } + func set(_ i: Int,_ x: Chunk) + { + w[i]=x + } + func xortop(_ x: Chunk) + { + w[ROM.NLEN-1]^=x + } + func ortop(_ x: Chunk) + { + w[ROM.NLEN-1]|=x + } +/* calculate Field Excess */ + static func EXCESS(_ a: BIG) -> Chunk + { + return ((a.w[ROM.NLEN-1] & ROM.OMASK)>>Chunk(ROM.MODBITS%ROM.BASEBITS)) + } + static func FF_EXCESS(_ a: BIG) -> Chunk + { + return ((a.w[ROM.NLEN-1] & ROM.P_OMASK)>>Chunk(ROM.P_MBITS%ROM.BASEBITS)) + } +#if D32 + static func pexceed(_ a: BIG,_ b : BIG) -> Bool + { + let ea=BIG.EXCESS(a) + let eb=BIG.EXCESS(b) + if (DChunk(ea)+1)*(DChunk(eb)+1) > DChunk(ROM.FEXCESS) {return true} + return false; + } + static func sexceed(_ a: BIG) -> Bool + { + let ea=BIG.EXCESS(a) + if (DChunk(ea)+1)*(DChunk(ea)+1) > DChunk(ROM.FEXCESS) {return true} + return false; + } + + static func ff_pexceed(_ a: BIG,_ b : BIG) -> Bool + { + let ea=BIG.FF_EXCESS(a) + let eb=BIG.FF_EXCESS(b) + if (DChunk(ea)+1)*(DChunk(eb)+1) > DChunk(ROM.P_FEXCESS) {return true} + return false; + } + static func ff_sexceed(_ a: BIG) -> Bool + { + let ea=BIG.FF_EXCESS(a) + if (DChunk(ea)+1)*(DChunk(ea)+1) > DChunk(ROM.P_FEXCESS) {return true} + return false; + } + static func muladd(_ a: Chunk,_ b: Chunk,_ c: Chunk,_ r: Chunk) -> (Chunk,Chunk) + { + let prod:DChunk = DChunk(a)*DChunk(b)+DChunk(c)+DChunk(r) + let bot=Chunk(prod&DChunk(ROM.BMASK)) + let top=Chunk(prod>>DChunk(ROM.BASEBITS)) + return (top,bot) + } +#endif +#if D64 + + static func pexceed(_ a: BIG,_ b : BIG) -> Bool + { + let ea=BIG.EXCESS(a) + let eb=BIG.EXCESS(b) + if (ea+1) > ROM.FEXCESS/(eb+1) {return true} + return false; + } + static func sexceed(_ a: BIG) -> Bool + { + let ea=BIG.EXCESS(a) + if (ea+1) > ROM.FEXCESS/(ea+1) {return true} + return false; + } + + static func ff_pexceed(_ a: BIG,_ b : BIG) -> Bool + { + let ea=BIG.FF_EXCESS(a) + let eb=BIG.FF_EXCESS(b) + if (ea+1) > ROM.P_FEXCESS/(eb+1) {return true} + return false; + } + static func ff_sexceed(_ a: BIG) -> Bool + { + let ea=BIG.FF_EXCESS(a) + if (ea+1) > ROM.P_FEXCESS/(ea+1) {return true} + return false; + } + + static func muladd(_ a: Chunk,_ b: Chunk,_ c: Chunk,_ r: Chunk) -> (Chunk,Chunk) + { + let x0=a&ROM.HMASK; + let x1=(a>>Chunk(ROM.HBITS)) + let y0=b&ROM.HMASK; + let y1=(b>>Chunk(ROM.HBITS)) + var bot=x0*y0 + var top=x1*y1 + let mid=x0*y1+x1*y0 + let u0=mid&ROM.HMASK + let u1=(mid>>Chunk(ROM.HBITS)) + bot=bot+(u0<<Chunk(ROM.HBITS)) + bot+=c; bot+=r + top+=u1 + let carry=bot>>Chunk(ROM.BASEBITS) + bot &= ROM.BMASK + top+=carry + return (top,bot) + } + +#endif + /* test for zero */ + func iszilch() -> Bool + { + for i in 0 ..< ROM.NLEN {if w[i] != 0 {return false}} + return true + } +/* set to zero */ + func zero() + { + for i in 0 ..< ROM.NLEN {w[i] = 0} + } +/* set to one */ + func one() + { + w[0]=1 + for i in 1 ..< ROM.NLEN {w[i]=0} + } +/* Test for equal to one */ + func isunity() -> Bool + { + for i in 1 ..< ROM.NLEN {if w[i] != 0 {return false}} + if w[0] != 1 {return false} + return true + } +/* Copy from another BIG */ + func copy(_ x: BIG) + { + for i in 0 ..< ROM.NLEN {w[i] = x.w[i]} + } + func copy(_ x: DBIG) + { + for i in 0 ..< ROM.NLEN {w[i] = x.w[i]} + } +/* Conditional swap of two bigs depending on d using XOR - no branches */ + func cswap(_ b: BIG,_ d: Int) + { + var c = Chunk(d) + c = ~(c-1) + for i in 0 ..< ROM.NLEN + { + let t=c&(w[i]^b.w[i]) + w[i]^=t + b.w[i]^=t + } + } + func cmove(_ g: BIG,_ d: Int) + { + let b=Chunk(-d) + for i in 0 ..< ROM.NLEN + { + w[i]^=(w[i]^g.w[i])&b; + } + } +/* normalise BIG - force all digits < 2^BASEBITS */ + func norm() -> Chunk + { + var carry=Chunk(0); + for i in 0 ..< ROM.NLEN-1 + { + let d=w[i]+carry + w[i]=d&ROM.BMASK + carry=d>>Chunk(ROM.BASEBITS) + } + w[ROM.NLEN-1]+=carry + return (w[ROM.NLEN-1]>>Chunk((8*ROM.MODBYTES)%ROM.BASEBITS)) + } +/* Shift right by less than a word */ + func fshr(_ k: UInt) -> Int + { + let kw=Chunk(k); + let r=w[0]&((Chunk(1)<<kw)-1) + for i in 0 ..< ROM.NLEN-1 + { + w[i]=(w[i]>>kw)|((w[i+1]<<(Chunk(ROM.BASEBITS)-kw))&ROM.BMASK) + } + w[ROM.NLEN-1]>>=kw; + return Int(r) + } +/* general shift right */ + func shr(_ k: UInt) + { + let n=k%ROM.BASEBITS + let m=Int(k/ROM.BASEBITS) + for i in 0 ..< ROM.NLEN-m-1 + { + w[i]=(w[m+i]>>Chunk(n))|((w[m+i+1]<<Chunk(ROM.BASEBITS-n))&ROM.BMASK) + } + w[ROM.NLEN - m - 1]=w[ROM.NLEN-1]>>Chunk(n) + for i in ROM.NLEN - m ..< ROM.NLEN {w[i]=0} + } +/* Shift right by less than a word */ + func fshl(_ k: Int) -> Int + { + let kw=Chunk(k) + w[ROM.NLEN-1]=((w[ROM.NLEN-1]<<kw))|(w[ROM.NLEN-2]>>(Chunk(ROM.BASEBITS)-kw)) + for i in (1...ROM.NLEN-2).reversed() + { + w[i]=((w[i]<<kw)&ROM.BMASK)|(w[i-1]>>(Chunk(ROM.BASEBITS)-kw)) + } + w[0]=(w[0]<<kw)&ROM.BMASK + return Int(w[ROM.NLEN-1]>>Chunk((8*ROM.MODBYTES)%ROM.BASEBITS)) + } +/* general shift left */ + func shl(_ k: UInt) + { + let n=k%ROM.BASEBITS + let m=Int(k/ROM.BASEBITS) + + w[ROM.NLEN-1]=(w[ROM.NLEN-1-m]<<Chunk(n)) + if ROM.NLEN>=m+2 {w[ROM.NLEN-1]|=(w[ROM.NLEN-m-2]>>Chunk(ROM.BASEBITS-n))} + for i in (m+1...ROM.NLEN-2).reversed() + { + w[i]=((w[i-m]<<Chunk(n))&ROM.BMASK)|(w[i-m-1]>>Chunk(ROM.BASEBITS-n)) + } + w[m]=(w[0]<<Chunk(n))&ROM.BMASK + for i in 0 ..< m {w[i]=0} + } +/* return number of bits */ + func nbits() -> Int + { + var k=(ROM.NLEN-1) + norm() + while k>=0 && w[k]==0 {k -= 1} + if k<0 {return 0} + var bts=Int(ROM.BASEBITS)*k + var c=w[k]; + while c != 0 {c/=2; bts += 1} + return bts + } + func toRawString() -> String + { + var s:String="(" + for i in 0 ..< ROM.NLEN-1 + { + let n=String(w[i],radix:16,uppercase:false) + s+=n + s+="," + + } + let n=String(w[ROM.NLEN-1],radix:16,uppercase:false) + s+=n + s+=")" + return s + } +/* Convert to Hex String */ + func toString() -> String + { + _ = BIG() + var s:String="" + var len=nbits() + if len%4 == 0 {len/=4} + else {len/=4; len += 1} + if len<2*Int(ROM.MODBYTES) {len=2*Int(ROM.MODBYTES)} + + for i in (0...len-1).reversed() + { + let b = BIG(self) + b.shr(UInt(i*4)) + let n=String(b.w[0]&15,radix:16,uppercase:false) + s+=n + } + + return s + } +/* return this+x */ + func plus(_ x: BIG) -> BIG + { + let s=BIG() + for i in 0 ..< ROM.NLEN + { + s.w[i]=w[i]+x.w[i] + } + return s + } +/* this+=x */ + func add(_ x: BIG) + { + for i in 0 ..< ROM.NLEN + { + w[i]+=x.w[i] + } + } +/* this+=x, where x is int */ + func inc(_ x: Int) { + norm(); + w[0]+=Chunk(x); + } +/* return this.x */ + func minus(_ x: BIG) -> BIG + { + let d=BIG(); + for i in 0 ..< ROM.NLEN + { + d.w[i]=w[i]-x.w[i]; + } + return d; + } +/* this-=x */ + func sub(_ x: BIG) + { + for i in 0 ..< ROM.NLEN + { + w[i]-=x.w[i] + } + } +/* reverse subtract this=x-this */ + func rsub(_ x: BIG) + { + for i in 0 ..< ROM.NLEN + { + w[i]=x.w[i]-w[i] + } + } +/* this-=x where x is int */ + func dec(_ x: Int) { + norm(); + w[0]-=Chunk(x); + } +/* this*=x, where x is small int<NEXCESS */ + func imul(_ c: Int) + { + for i in 0 ..< ROM.NLEN {w[i]*=Chunk(c)} + } +/* convert this BIG to byte array */ + func tobytearray(_ b: inout [UInt8],_ n: Int) + { + norm(); + let c=BIG(self); + for i in (0...Int(ROM.MODBYTES)-1).reversed() + { + b[i+n]=UInt8(c.w[0]&0xff); + c.fshr(8); + } + } +/* convert from byte array to BIG */ + static func frombytearray(_ b: [UInt8],_ n: Int) -> BIG + { + let m=BIG(); + + for i in 0 ..< Int(ROM.MODBYTES) + { + m.fshl(8) + m.w[0]+=Chunk(b[i+n])&0xff //(int)b[i+n]&0xff; + } + return m; + } + func toBytes(_ b: inout [UInt8]) + { + tobytearray(&b,0) + } + static func fromBytes(_ b: [UInt8]) -> BIG + { + return frombytearray(b,0) + } +/* set this[i]+=x*y+c, and return high part + func muladd(_ x: Int32,_ y: Int32,_ c: Int32,_ i: Int) -> Int32 + { + let prod:DChunk = DChunk(x)*DChunk(y)+DChunk(c)+DChunk(w[i]) + w[i]=Int32(prod&DChunk(ROM.BMASK)) + return Int32(prod>>DChunk(ROM.BASEBITS)) + } */ + +/* this*=x, where x is >NEXCESS */ + func pmul(_ c: Int) -> Chunk + { + var carry=Chunk(0); + norm(); + for i in 0 ..< ROM.NLEN + { + let ak=w[i] + let (top,bot)=BIG.muladd(ak,Chunk(c),carry,Chunk(0)) + carry=top; w[i]=bot; + //carry=muladd(ak,Chunk(c),carry,i); + + } + return carry; + } +/* this*=c and catch overflow in DBIG */ + func pxmul(_ c: Int) -> DBIG + { + let m=DBIG() + var carry=Chunk(0) + for j in 0 ..< ROM.NLEN + { + let (top,bot)=BIG.muladd(w[j],Chunk(c),carry,m.w[j]) + carry=top; m.w[j]=bot + // carry=m.muladd(w[j],c,carry,j) + } + m.w[ROM.NLEN]=carry + return m; + } +/* divide by 3 */ + func div3() -> Chunk + { + var carry=Chunk(0) + norm(); + let base=Chunk(1<<ROM.BASEBITS); + for i in (0...ROM.NLEN-1).reversed() + { + let ak=(carry*base+w[i]); + w[i]=ak/3; + carry=ak%3; + } + return carry; + } +/* return a*b where result fits in a BIG */ + static func smul(_ a: BIG,_ b: BIG) -> BIG + { + let c=BIG() + for i in 0 ..< ROM.NLEN + { + var carry=Chunk(0) + for j in 0 ..< ROM.NLEN + { + if (i+j<ROM.NLEN) { + let (top,bot)=BIG.muladd(a.w[i],b.w[j],carry,c.w[i+j]) + carry=top; c.w[i+j]=bot + //carry=c.muladd(a.w[i],b.w[j],carry,i+j) + } + } + } + return c; + } +/* Compare a and b, return 0 if a==b, -1 if a<b, +1 if a>b. Inputs must be normalised */ + static func comp(_ a: BIG,_ b: BIG) -> Int + { + for i in (0...ROM.NLEN-1).reversed() + { + if (a.w[i]==b.w[i]) {continue} + if (a.w[i]>b.w[i]) {return 1} + else {return -1} + } + return 0; + } +/* set x = x mod 2^m */ + func mod2m(_ m: UInt) + { + let wd=Int(m/ROM.BASEBITS) + let bt=m%ROM.BASEBITS + let msk=Chunk(1<<bt)-1; + w[wd]&=msk; + for i in wd+1 ..< ROM.NLEN {w[i]=0} + } +/* Arazi and Qi inversion mod 256 */ + static func invmod256(_ a: Int) -> Int + { + var t1:Int=0 + var c=(a>>1)&1 + t1+=c + t1&=1 + t1=2-t1 + t1<<=1 + var U=t1+1 + + // i=2 + var b=a&3 + t1=U*b; t1>>=2 + c=(a>>2)&3 + var t2=(U*c)&3 + t1+=t2 + t1*=U; t1&=3 + t1=4-t1 + t1<<=2 + U+=t1 + + // i=4 + b=a&15 + t1=U*b; t1>>=4 + c=(a>>4)&15 + t2=(U*c)&15 + t1+=t2 + t1*=U; t1&=15 + t1=16-t1 + t1<<=4 + U+=t1 + + return U + } +/* return parity */ + func parity() -> Int + { + return Int(w[0]%2) + } + +/* return n-th bit */ + func bit(_ n: UInt) -> Int + { + if ((w[Int(n/ROM.BASEBITS)]&(1<<Chunk(n%ROM.BASEBITS)))>0) {return 1;} + else {return 0;} + } + + /* return n last bits */ + func lastbits(_ n: UInt) -> Int + { + let msk=(1<<Chunk(n))-1; + norm(); + return Int((w[0])&msk) + } +/* a=1/a mod 2^256. This is very fast! */ + func invmod2m() + { + let U=BIG() + var b=BIG() + let c=BIG() + + U.inc(BIG.invmod256(lastbits(8))) + + var i=UInt(8) + while (i<ROM.BIGBITS) + { + b.copy(self) + b.mod2m(i) + let t1=BIG.smul(U,b) + t1.shr(i) + c.copy(self) + c.shr(i) + c.mod2m(i) + + let t2=BIG.smul(U,c) + t2.mod2m(i) + t1.add(t2) + b=BIG.smul(t1,U) + t1.copy(b) + t1.mod2m(i) + + t2.one(); t2.shl(i); t1.rsub(t2); t1.norm() + t1.shl(i) + U.add(t1) + i<<=1 + } + U.mod2m(ROM.BIGBITS) + self.copy(U) + self.norm() + } + /* reduce this mod m */ + func mod(_ m: BIG) + { + var k=0 + let r=BIG(0) + norm() + if (BIG.comp(self,m)<0) {return} + repeat + { + m.fshl(1) + k += 1 + } while (BIG.comp(self,m)>=0) + + while (k>0) + { + m.fshr(1) + + r.copy(self) + r.sub(m) + r.norm() + cmove(r,Int(1-((r.w[ROM.NLEN-1]>>Chunk(ROM.CHUNK-1))&1))) +/* + if (BIG.comp(self,m)>=0) + { + sub(m) + norm() + } */ + k -= 1 + } + } + /* divide this by m */ + func div(_ m: BIG) + { + var k=0 + norm() + let e=BIG(1) + let b=BIG(self) + let r=BIG(0) + zero() + + while (BIG.comp(b,m)>=0) + { + e.fshl(1) + m.fshl(1) + k += 1 + } + + while (k>0) + { + m.fshr(1) + e.fshr(1) + + r.copy(b) + r.sub(m) + r.norm() + let d=Int(1-((r.w[ROM.NLEN-1]>>Chunk(ROM.CHUNK-1))&1)) + b.cmove(r,d) + r.copy(self) + r.add(e) + r.norm() + cmove(r,d) +/* + if (BIG.comp(b,m)>=0) + { + add(e) + norm() + b.sub(m) + b.norm() + } */ + k -= 1; + } + } + /* get 8*MODBYTES size random number */ + static func random(_ rng: RAND) -> BIG + { + let m=BIG(); + var j:Int=0 + var r:UInt8=0 + /* generate random BIG */ + for _ in 0 ..< Int(8*ROM.MODBYTES) + { + if (j==0) {r=rng.getByte()} + else {r>>=1} + + let b=Chunk(r&1); + m.shl(1); m.w[0]+=b;// m.inc(b); + j += 1; j&=7; + } + return m; + } + + /* Create random BIG in portable way, one bit at a time, less than q */ + static func randomnum(_ q: BIG,_ rng: RAND) -> BIG + { + let d=DBIG(0); + var j:Int=0 + var r:UInt8=0 + + for _ in 0 ..< Int(2*ROM.MODBITS) + { + if (j==0) {r=rng.getByte()} + else {r>>=1} + + let b=Chunk(r&1); + d.shl(1); d.w[0]+=b; // m.inc(b); + j += 1; j&=7; + } + let m=d.mod(q); + return m; + } + + /* return NAF value as +/- 1, 3 or 5. x and x3 should be normed. + nbs is number of bits processed, and nzs is number of trailing 0s detected + static func nafbits(_ x: BIG,_ x3:BIG ,i:Int) -> [Chunk] + { + var j:Int + var n=[Chunk](repeating: 0,count: 3) + var nb=x3.bit(UInt(i))-x.bit(UInt(i)) + n[1]=1; + n[0]=0; + if (nb==0) {n[0]=0; return n} + if (i==0) {n[0]=Chunk(nb); return n} + if (nb>0) {n[0]=1} + else {n[0]=(-1)} + + j=i-1 + while (true) + { + n[1] += 1 + n[0]*=2 + nb=x3.bit(UInt(j))-x.bit(UInt(j)) + if (nb>0) {n[0]+=1} + if (nb<0) {n[0]-=1} + if (n[0]>5 || n[0] < -5) {break} + j-=1 + if j==0 {break} + } + + if ((n[0]%2 != 0) && (j != 0)) + { /* backtrack */ + if (nb>0) {n[0]=(n[0]-1)/2} + if (nb<0) {n[0]=(n[0]+1)/2} + n[1] -= 1; + } + while (n[0]%2==0) + { /* remove trailing zeros */ + n[0]/=2 + n[2] += 1 + n[1] -= 1 + } + return n; + } */ + + /* Jacobi Symbol (this/p). Returns 0, 1 or -1 */ + func jacobi(_ p: BIG) -> Int + { + var n8:Int + var k:Int + var m:Int=0; + let t=BIG() + let x=BIG() + let n=BIG() + let zilch=BIG() + let one=BIG(1) + if (p.parity()==0 || BIG.comp(self,zilch)==0 || BIG.comp(p,one)<=0) {return 0} + norm() + x.copy(self) + n.copy(p) + x.mod(p) + + while (BIG.comp(n,one)>0) + { + if (BIG.comp(x,zilch)==0) {return 0} + n8=n.lastbits(3) + k=0 + while (x.parity()==0) + { + k += 1 + x.shr(1) + } + if (k%2==1) {m+=((n8*n8-1)/8)} + let w=Int(x.lastbits(2)-1) + m+=(n8-1)*w/4 + t.copy(n) + t.mod(x) + n.copy(x) + x.copy(t) + m%=2 + + } + if (m==0) {return 1} + else {return -1} + } + /* this=1/this mod p. Binary method */ + func invmodp(_ p: BIG) + { + mod(p) + let u=BIG(self) + let v=BIG(p) + let x1=BIG(1) + let x2=BIG() + let t=BIG() + let one=BIG(1) + + while ((BIG.comp(u,one) != 0 ) && (BIG.comp(v,one) != 0 )) + { + while (u.parity()==0) + { + u.shr(1); + if (x1.parity() != 0 ) + { + x1.add(p); + x1.norm(); + } + x1.shr(1); + } + while (v.parity()==0) + { + v.shr(1); + if (x2.parity() != 0 ) + { + x2.add(p); + x2.norm(); + } + x2.shr(1); + } + if (BIG.comp(u,v)>=0) + { + u.sub(v); + u.norm(); + if (BIG.comp(x1,x2)>=0) {x1.sub(x2)} + else + { + t.copy(p); + t.sub(x2); + x1.add(t); + } + x1.norm(); + } + else + { + v.sub(u); + v.norm(); + if (BIG.comp(x2,x1)>=0) {x2.sub(x1)} + else + { + t.copy(p); + t.sub(x1); + x2.add(t); + } + x2.norm(); + } + } + if (BIG.comp(u,one)==0) {copy(x1)} + else {copy(x2)} + } + /* return a*b as DBIG */ +#if D32 + static func mul(_ a: BIG,_ b:BIG) -> DBIG + { + var t:DChunk + var co:DChunk + let c=DBIG() + let RM:DChunk=DChunk(ROM.BMASK); + let RB:DChunk=DChunk(ROM.BASEBITS) + // a.norm(); + // b.norm(); + + var d=[DChunk](repeating: 0,count: ROM.NLEN) + var s:DChunk + for i in 0 ..< ROM.NLEN + { + d[i]=DChunk(a.w[i])*DChunk(b.w[i]); + } + s=d[0] + t=s; c.w[0]=Chunk(t&RM); co=t>>RB + for k in 1 ..< ROM.NLEN + { + s+=d[k]; t=co+s; + for i in 1+k/2...k + {t+=DChunk(a.w[i]-a.w[k-i])*DChunk(b.w[k-i]-b.w[i])} + c.w[k]=Chunk(t&RM); co=t>>RB + } + for k in ROM.NLEN ..< 2*ROM.NLEN-1 + { + s-=d[k-ROM.NLEN]; t=co+s; + + //for var i=ROM.NLEN-1;i>=1+k/2;i-- + var i=1+k/2 + while i<ROM.NLEN + //for i in 1+k/2...ROM.NLEN-1 + { + t+=DChunk(a.w[i]-a.w[k-i])*DChunk(b.w[k-i]-b.w[i]) + i+=1 + } + + c.w[k]=Chunk(t&RM); co=t>>RB + } + c.w[2*ROM.NLEN-1]=Chunk(co); + + return c + } + + /* return a^2 as DBIG */ + static func sqr(_ a: BIG) -> DBIG + { + var t:DChunk + var co:DChunk + let c=DBIG() + let RM:DChunk=DChunk(ROM.BMASK); + let RB:DChunk=DChunk(ROM.BASEBITS) + // a.norm(); + + t=DChunk(a.w[0])*DChunk(a.w[0]) + c.w[0]=Chunk(t&RM); co=t>>RB + t=DChunk(a.w[1])*DChunk(a.w[0]); t+=t; t+=co + c.w[1]=Chunk(t&RM); co=t>>RB + + var j:Int + let last=ROM.NLEN-(ROM.NLEN%2) + j=2 + //for j=2;j<last;j+=2 + while (j<last) + { + t=DChunk(a.w[j])*DChunk(a.w[0]); for i in 1 ..< (j+1)/2 {t+=DChunk(a.w[j-i])*DChunk(a.w[i])} ; t+=t; t+=co; t+=DChunk(a.w[j/2])*DChunk(a.w[j/2]) + c.w[j]=Chunk(t&RM); co=t>>RB + t=DChunk(a.w[j+1])*DChunk(a.w[0]); for i in 1 ..< (j+2)/2 {t+=DChunk(a.w[j+1-i])*DChunk(a.w[i])} ; t+=t; t+=co + c.w[j+1]=Chunk(t&RM); co=t>>RB + j+=2 + } + j=last + if (ROM.NLEN%2)==1 + { + t=DChunk(a.w[j])*DChunk(a.w[0]); for i in 1 ..< (j+1)/2 {t+=DChunk(a.w[j-i])*DChunk(a.w[i])} ; t+=t; t+=co; t+=DChunk(a.w[j/2])*DChunk(a.w[j/2]) + c.w[j]=Chunk(t&RM); co=t>>RB; j += 1 + t=DChunk(a.w[ROM.NLEN-1])*DChunk(a.w[j-ROM.NLEN+1]); for i in j-ROM.NLEN+2 ..< (j+1)/2 {t+=DChunk(a.w[j-i])*DChunk(a.w[i])}; t+=t; t+=co + c.w[j]=Chunk(t&RM); co=t>>RB; j += 1 + } + while (j<ROM.DNLEN-2) + { + t=DChunk(a.w[ROM.NLEN-1])*DChunk(a.w[j-ROM.NLEN+1]); for i in j-ROM.NLEN+2 ..< (j+1)/2 {t+=DChunk(a.w[j-i])*DChunk(a.w[i])} ; t+=t; t+=co; t+=DChunk(a.w[j/2])*DChunk(a.w[j/2]) + c.w[j]=Chunk(t&RM); co=t>>RB + t=DChunk(a.w[ROM.NLEN-1])*DChunk(a.w[j-ROM.NLEN+2]); for i in j-ROM.NLEN+3 ..< (j+2)/2 {t+=DChunk(a.w[j+1-i])*DChunk(a.w[i])} ; t+=t; t+=co + c.w[j+1]=Chunk(t&RM); co=t>>RB + j+=2 + } + t=DChunk(a.w[ROM.NLEN-1])*DChunk(a.w[ROM.NLEN-1])+co + c.w[ROM.DNLEN-2]=Chunk(t&RM); co=t>>RB + c.w[ROM.DNLEN-1]=Chunk(co) + + return c; + } + static func monty(_ d:DBIG) -> BIG + { + let md=BIG(ROM.Modulus); + let RM:DChunk=DChunk(ROM.BMASK) + let RB:DChunk=DChunk(ROM.BASEBITS) + + + var t:DChunk + var s:DChunk + var c:DChunk + var dd=[DChunk](repeating: 0,count: ROM.NLEN) + var v=[Chunk](repeating: 0,count: ROM.NLEN) + let b=BIG(0) + + t=DChunk(d.w[0]); v[0]=(Chunk(t&RM)&*ROM.MConst)&ROM.BMASK; t+=DChunk(v[0])*DChunk(md.w[0]); c=DChunk(d.w[1])+(t>>RB); s=0 + for k in 1 ..< ROM.NLEN + { + t=c+s+DChunk(v[0])*DChunk(md.w[k]) + //for i in 1+k/2...k-1 + //for var i=k-1;i>k/2;i-- + var i=1+k/2 + while i<k + { + t+=DChunk(v[k-i]-v[i])*DChunk(md.w[i]-md.w[k-i]) + i+=1 + } + v[k]=(Chunk(t&RM)&*ROM.MConst)&ROM.BMASK; t+=DChunk(v[k])*DChunk(md.w[0]); c=DChunk(d.w[k+1])+(t>>RB) + dd[k]=DChunk(v[k])*DChunk(md.w[k]); s+=dd[k] + } + for k in ROM.NLEN ..< 2*ROM.NLEN-1 + { + t=c+s; + //for i in 1+k/2...ROM.NLEN-1 + //for var i=ROM.NLEN-1;i>=1+k/2;i-- + var i=1+k/2 + while i<ROM.NLEN + { + t+=DChunk(v[k-i]-v[i])*DChunk(md.w[i]-md.w[k-i]) + i+=1 + } + b.w[k-ROM.NLEN]=Chunk(t&RM); c=DChunk(d.w[k+1])+(t>>RB); s-=dd[k-ROM.NLEN+1] + } + b.w[ROM.NLEN-1]=Chunk(c&RM) + b.norm() + return b; + } +#endif +#if D64 + static func mul(_ a: BIG,_ b:BIG) -> DBIG + { + let c=DBIG() + var carry:Chunk + for i in 0 ..< ROM.NLEN { + carry=0 + for j in 0..<ROM.NLEN { + let (top,bot)=BIG.muladd(a.w[i],b.w[j],carry,c.w[i+j]) + carry=top; c.w[i+j]=bot + } + c.w[ROM.NLEN+i]=carry + } + return c + } + static func sqr(_ a: BIG) -> DBIG + { + let c=DBIG() + var carry:Chunk + for i in 0 ..< ROM.NLEN { + carry=0 + for j in i+1 ..< ROM.NLEN { + let (top,bot)=BIG.muladd(2*a.w[i],a.w[j],carry,c.w[i+j]) + carry=top; c.w[i+j]=bot + } + c.w[ROM.NLEN+i]=carry + } + for i in 0 ..< ROM.NLEN { + let (top,bot)=BIG.muladd(a.w[i],a.w[i],Chunk(0),c.w[2*i]) + c.w[2*i]=bot + c.w[2*i+1]+=top + } + c.norm() + return c + } + static func monty(_ d:DBIG) -> BIG + { + let b=BIG() + let md=BIG(ROM.Modulus); + var carry:Chunk + var m:Chunk + for i in 0 ..< ROM.NLEN { + if ROM.MConst == -1 { + m=(-d.w[i])&ROM.BMASK + } else { + if ROM.MConst == 1 { + m=d.w[i] + } else { + m=(ROM.MConst&*d.w[i])&ROM.BMASK; + } + } + carry=0 + for j in 0 ..< ROM.NLEN { + let (top,bot)=BIG.muladd(m,md.w[j],carry,d.w[i+j]) + carry=top; d.w[i+j]=bot + } + d.w[ROM.NLEN+i]+=carry + } + for i in 0 ..< ROM.NLEN { + b.w[i]=d.w[ROM.NLEN+i] + } + b.norm(); + return b + } +#endif + /* reduce a DBIG to a BIG using the appropriate form of the modulus */ + static func mod(_ d: DBIG) -> BIG + { + + if ROM.MODTYPE==ROM.PSEUDO_MERSENNE + { + let t=d.split(ROM.MODBITS) + var b=BIG(d) + let v=t.pmul(Int(ROM.MConst)) + let tw=t.w[ROM.NLEN-1] + t.w[ROM.NLEN-1] &= ROM.TMASK + t.inc(Int(ROM.MConst*((tw>>Chunk(ROM.TBITS))+(v<<Chunk(ROM.BASEBITS-ROM.TBITS))))) + + b.add(t) + b.norm() + return b + } + if ROM.MODTYPE==ROM.MONTGOMERY_FRIENDLY + { + for i in 0 ..< ROM.NLEN { + let (top,bot)=BIG.muladd(d.w[i],ROM.MConst-1,d.w[i],d.w[ROM.NLEN+i-1]) + d.w[ROM.NLEN+i]+=top; d.w[ROM.NLEN+i-1]=bot + // d.w[ROM.NLEN+i]+=d.muladd(d.w[i],ROM.MConst-1,d.w[i],ROM.NLEN+i-1) + } + + var b=BIG(0); + + for i in 0 ..< ROM.NLEN + { + b.w[i]=d.w[ROM.NLEN+i] + } + b.norm() + return b; + } + if ROM.MODTYPE==ROM.GENERALISED_MERSENNE + { // GoldiLocks Only + let t=d.split(ROM.MODBITS) + let RM2=ROM.MODBITS/2 + var b=BIG(d) + b.add(t) + let dd=DBIG(t) + dd.shl(RM2) + + let tt=dd.split(ROM.MODBITS) + let lo=BIG(dd) + b.add(tt) + b.add(lo) + b.norm() + tt.shl(RM2) + b.add(tt) + + let carry=b.w[ROM.NLEN-1]>>Chunk(ROM.TBITS) + b.w[ROM.NLEN-1]&=ROM.TMASK + b.w[0]+=carry + + b.w[Int(224/ROM.BASEBITS)]+=carry<<Chunk(224%ROM.BASEBITS) + b.norm() + return b; + } + if ROM.MODTYPE==ROM.NOT_SPECIAL + { + return BIG.monty(d) + } + return BIG(0) + } + + /* return a*b mod m */ + static func modmul(_ a: BIG,_ b :BIG,_ m: BIG) -> BIG + { + a.mod(m) + b.mod(m) + let d=mul(a,b) + return d.mod(m) + } + + /* return a^2 mod m */ + static func modsqr(_ a: BIG,_ m: BIG) -> BIG + { + a.mod(m) + let d=sqr(a) + return d.mod(m) + } + + /* return -a mod m */ + static func modneg(_ a: BIG,_ m: BIG) -> BIG + { + a.mod(m) + return m.minus(a) + } + + /* return this^e mod m */ + func powmod(_ e: BIG,_ m: BIG) -> BIG + { + norm(); + e.norm(); + var a=BIG(1) + let z=BIG(e) + var s=BIG(self) + while (true) + { + let bt=z.parity(); + z.fshr(1) + if bt==1 {a=BIG.modmul(a,s,m)} + if (z.iszilch()) {break} + s=BIG.modsqr(s,m) + } + return a + } +} http://git-wip-us.apache.org/repos/asf/incubator-milagro-crypto/blob/c25f9e5c/version22/swift/dbig.swift ---------------------------------------------------------------------- diff --git a/version22/swift/dbig.swift b/version22/swift/dbig.swift new file mode 100644 index 0000000..8a1ac64 --- /dev/null +++ b/version22/swift/dbig.swift @@ -0,0 +1,265 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +*/ + +// +// dbig.swift +// +// Created by Michael Scott on 13/06/2015. +// Copyright (c) 2015 Michael Scott. All rights reserved. +// + +final class DBIG{ + var w=[Chunk](repeating: 0,count: ROM.DNLEN) + init() { + for i in 0 ..< ROM.DNLEN {w[i]=0} + } + init(_ x: Int) + { + w[0]=Chunk(x); + for i in 1 ..< ROM.DNLEN {w[i]=0} + } + init(_ x: BIG) + { + for i in 0 ..< ROM.NLEN {w[i]=x.w[i]} + w[ROM.NLEN-1]=x.w[ROM.NLEN-1]&ROM.BMASK + w[ROM.NLEN]=x.w[ROM.NLEN-1]>>Chunk(ROM.BASEBITS) + for i in ROM.NLEN+1 ..< ROM.DNLEN {w[i]=0} + } + init(_ x: DBIG) + { + for i in 0 ..< ROM.DNLEN {w[i]=x.w[i]} + } + init(_ x: [Chunk]) + { + for i in 0 ..< ROM.DNLEN {w[i]=x[i]} + } + + func cmove(_ g: DBIG,_ d: Int) + { + let b = Chunk(-d) + + for i in 0 ..< ROM.DNLEN + { + w[i]^=(w[i]^g.w[i])&b; + } + } + +/* Copy from another DBIG */ + func copy(_ x: DBIG) + { + for i in 0 ..< ROM.DNLEN {w[i] = x.w[i]} + } + + /* this-=x */ + func sub(_ x: DBIG) + { + for i in 0 ..< ROM.DNLEN + { + w[i]-=x.w[i] + } + } +/* func muladd(_ x: Int32,_ y: Int32,_ c: Int32,_ i: Int) -> Int32 + { + let prod:Int64 = Int64(x)*Int64(y)+Int64(c)+Int64(w[i]) + w[i]=Int32(prod&Int64(ROM.BMASK)) + return Int32(prod>>Int64(ROM.BASEBITS)) + } */ + /* general shift left */ + func shl(_ k: UInt) + { + let n=k%ROM.BASEBITS + let m=Int(k/ROM.BASEBITS) + w[ROM.DNLEN-1]=((w[ROM.DNLEN-1-m]<<Chunk(n)))|(w[ROM.DNLEN-m-2]>>Chunk(ROM.BASEBITS-n)) + for i in (m+1...ROM.DNLEN-2).reversed() + // for var i=ROM.DNLEN-2;i>m;i-- + { + w[i]=((w[i-m]<<Chunk(n))&ROM.BMASK)|(w[i-m-1]>>Chunk(ROM.BASEBITS-n)) + } + w[m]=(w[0]<<Chunk(n))&ROM.BMASK + for i in 0 ..< m {w[i]=0} + } + /* general shift right */ + func shr(_ k: UInt) + { + let n=k%ROM.BASEBITS + let m=Int(k/ROM.BASEBITS) + for i in 0 ..< ROM.DNLEN-m-1 + { + w[i]=(w[m+i]>>Chunk(n))|((w[m+i+1]<<Chunk(ROM.BASEBITS-n))&ROM.BMASK) + } + w[ROM.DNLEN - m - 1]=w[ROM.DNLEN-1]>>Chunk(n) + for i in ROM.DNLEN - m ..< ROM.DNLEN {w[i]=0} + } + /* Compare a and b, return 0 if a==b, -1 if a<b, +1 if a>b. Inputs must be normalised */ + static func comp(_ a: DBIG,_ b: DBIG) -> Int + { + for i in (0...ROM.DNLEN-1).reversed() + // for var i=ROM.DNLEN-1;i>=0;i-- + { + if (a.w[i]==b.w[i]) {continue} + if (a.w[i]>b.w[i]) {return 1} + else {return -1} + } + return 0; + } + /* normalise BIG - force all digits < 2^BASEBITS */ + func norm() + { + var carry:Chunk=0 + for i in 0 ..< ROM.DNLEN-1 + { + let d=w[i]+carry + w[i]=d&ROM.BMASK + carry=d>>Chunk(ROM.BASEBITS) + } + w[ROM.DNLEN-1]+=carry + } + /* reduces this DBIG mod a BIG, and returns the BIG */ + func mod(_ c: BIG) -> BIG + { + var k:Int=0 + norm() + let m=DBIG(c) + let r=DBIG(0) + + if DBIG.comp(self,m)<0 {return BIG(self)} + + repeat + { + m.shl(1) + k += 1 + } + while (DBIG.comp(self,m)>=0); + + while (k>0) + { + m.shr(1) + + r.copy(self) + r.sub(m) + r.norm() + cmove(r,Int(1-((r.w[ROM.DNLEN-1]>>Chunk(ROM.CHUNK-1))&1))) +/* + + if (DBIG.comp(self,m)>=0) + { + sub(m) + norm() + } */ + k -= 1; + } + return BIG(self) + } + /* return this/c */ + func div(_ c:BIG) -> BIG + { + var k:Int=0 + let m=DBIG(c) + let a=BIG(0) + let e=BIG(1) + let r=BIG(0) + let dr=DBIG(0) + + norm() + + while (DBIG.comp(self,m)>=0) + { + e.fshl(1) + m.shl(1) + k += 1 + } + + while (k>0) + { + m.shr(1) + e.shr(1) + + dr.copy(self) + dr.sub(m) + dr.norm() + let d=Int(1-((dr.w[ROM.DNLEN-1]>>Chunk(ROM.CHUNK-1))&1)) + cmove(dr,d) + r.copy(a) + r.add(e) + r.norm() + a.cmove(r,d) +/* + if (DBIG.comp(self,m)>0) + { + a.add(e) + a.norm() + sub(m) + norm() + } */ + k -= 1 + } + return a + } + + /* split DBIG at position n, return higher half, keep lower half */ + func split(_ n: UInt) -> BIG + { + let t=BIG(0) + let m=n%ROM.BASEBITS + var carry=w[ROM.DNLEN-1]<<Chunk(ROM.BASEBITS-m) + + for i in (ROM.NLEN-1...ROM.DNLEN-2).reversed() + // for var i=ROM.DNLEN-2;i>=ROM.NLEN-1;i-- + { + let nw=(w[i]>>Chunk(m))|carry; + carry=(w[i]<<Chunk(ROM.BASEBITS-m))&ROM.BMASK; + t.set(i-ROM.NLEN+1,nw); + } + w[ROM.NLEN-1]&=((1<<Chunk(m))-1); + return t; + } + /* return number of bits */ + func nbits() -> Int + { + var k=(ROM.DNLEN-1) + norm() + while k>=0 && w[k]==0 {k -= 1} + if k<0 {return 0} + var bts=Int(ROM.BASEBITS)*k + var c=w[k]; + while c != 0 {c/=2; bts+=1} + return bts + } + /* Convert to Hex String */ + func toString() -> String + { + _ = DBIG() + var s:String="" + var len=nbits() + if len%4 == 0 {len/=4} + else {len/=4; len += 1} + + for i in (0...len-1).reversed() + // for var i=len-1;i>=0;i-- + { + let b = DBIG(self) + b.shr(UInt(i*4)) + let n=String(b.w[0]&15,radix:16,uppercase:false) + s+=n + } + + return s + } + +}
