
228 lines
7.4 KiB
Raw Normal View History

2021-04-04 20:05:31 +00:00
#include <assert.h>
#include <stdint.h>
#include <string.h>
void xxtea128(uint32_t const key[4], uint32_t block[4]) {
// Encryption half of the XXTEA algorithm, with block size limited
// to 128 bits or 4 words. This avoids all the weaknesses that
// Wikipedia knows of, since both depend on only running 6 rounds
// per block, and we will run 6 + 52//4 = 6 + 13 = 19
uint32_t roundconstant = 0;
for (unsigned round = 0; round < 19; round++) {
// This took a while to puzzle out since the original
// specification is a mess, and the mess is only added to
// by needing to support custom blockwidths.
// The algorithm is as follows:
// 1. Set the round constant (sum) to round * 0x9e3779b9
// (implemented by addition)
// 2. Create a reduced version of the round constant (e)
// which is the bits 3…2 of the round constant. The
// reduced version is needed for changing the pattern of
// key accesses, since key is only 4 words long
// 3. Go through each word in the block and derive its new
// value based on its current value (v[p]), the next (y)
// and the previous word (z), wrapping around the ends
// of the block as needed.
2021-04-04 20:05:31 +00:00
// The function for deriving the new value of a word is a
// xor of sums of xors, followed by an in-place addition.
// The first sum adds together combinations of the next and
// previous word, and the second sum adds together
// previous/next combined with a value dependant on the
// round constant. The key is also mixed into the word in
// the first xor of second sum. After this the result is
// added back into the original word.
2021-04-04 20:05:31 +00:00
// I have changed the operand order in the second xor of
// first add and in the second add. This is to keep the
// part dependant of previous word on the left and the part
// dependant on the next word on the right.
roundconstant += 0x9e3779b9;
uint32_t reduced = (roundconstant >> 2) & 3;
block[0] += ((block[3]>>5 ^ block[1]<<2) + (block[3]<<4 ^ block[1]>>3)) ^ ((key[reduced ^ 0] ^ block[3]) + (roundconstant ^ block[1]));
block[1] += ((block[0]>>5 ^ block[2]<<2) + (block[0]<<4 ^ block[2]>>3)) ^ ((key[reduced ^ 1] ^ block[0]) + (roundconstant ^ block[2]));
block[2] += ((block[1]>>5 ^ block[3]<<2) + (block[1]<<4 ^ block[3]>>3)) ^ ((key[reduced ^ 2] ^ block[1]) + (roundconstant ^ block[3]));
block[3] += ((block[2]>>5 ^ block[0]<<2) + (block[2]<<4 ^ block[0]>>3)) ^ ((key[reduced ^ 3] ^ block[2]) + (roundconstant ^ block[0]));
uint32_t bytes2word(unsigned char const bytes[4]) {
return bytes[0] | bytes[1]<<8 | bytes[2]<<16 | bytes[3]<<24;
void word2bytes(unsigned char *bytes, uint32_t word) {
bytes[0] = word;
bytes[1] = word>>8;
bytes[2] = word>>16;
2021-04-04 20:05:31 +00:00
bytes[3] = word>>24;
void derive_subkey(uint32_t key[4], uint32_t nonce[6], uint32_t subkey[4]) {
// We are using an extended nonce construction with 192 bit nonces.
// The first 128 bits of nonce are encrypted using xxtea128 with
// the provided key, in order to derive a subkey that is then used
// alongside the remaining nonce to do the actual encryption.
// This is, as far as I can tell, not a standard construction. I
// have based it on xchacha20, with the understanding that it
// should not matter if the function used to derive the subkey is
// reversible or not, since an attacker doesn't know the original
// key and the original key is used only in this derivation.
subkey[0] = nonce[0];
subkey[1] = nonce[1];
subkey[2] = nonce[2];
subkey[3] = nonce[3];
xxtea128(key, subkey);
struct hashstate {
// A_n and B_n of the MDC-2 algorithm
uint32_t a[4];
uint32_t b[4];
// Buffer to hold data until next full block
unsigned char buffer[16];
size_t length;
// Counter that keeps tracks of how much data we've hashed
uint64_t totalbits;
void initialize_hash(struct hashstate *state) {
// Hash function is MDC-2 with xxtea128, which is nice since it
// gives us a 256 bit hash. The constants are based on binary
// expansion of the square root of two, A1 being the first 128 bits
// and B1 the next 128.
// If we treat A1 and B1 as 128bit little endian integers, they
// have the values:
// A1 = 6a09e667 f3bcc908 b2fb1366 ea957d3e
// A2 = 3adec175 12775099 da2f590b 0667322a
state->a[0] = 0xea957d3eUL;
state->a[1] = 0xb2fb1366UL;
state->a[2] = 0xf3bcc908UL;
state->a[3] = 0x6a09e667UL;
state->b[0] = 0x0667322aUL;
state->b[1] = 0xda2f590bUL;
state->b[2] = 0x12775099UL;
state->b[3] = 0x3adec175UL;
memset(state->buffer, 0, sizeof(state->buffer));
state->length = 0;
state->totalbits = 0;
void compress_hash(struct hashstate *state) {
assert(state->length == 16);
// M_i
uint32_t message[4];
message[0] = bytes2word(&state->buffer[0]);
message[1] = bytes2word(&state->buffer[4]);
message[2] = bytes2word(&state->buffer[8]);
message[3] = bytes2word(&state->buffer[12]);
// V_i = M_i ^ E(M_i, A_i)
// Note: In this description A_i is the *key*, not the plaintext
uint32_t v[4];
memcpy(v, message, sizeof(v));
xxtea128(state->a, v);
v[0] ^= message[0];
v[1] ^= message[1];
v[2] ^= message[2];
v[3] ^= message[3];
2021-04-04 20:05:31 +00:00
// W_i = M_i ^ E(M_i, B_i);
uint32_t w[4];
memcpy(w, message, sizeof(w));
xxtea128(state->b, w);
w[0] ^= message[0];
w[1] ^= message[1];
w[2] ^= message[2];
w[3] ^= message[3];
// A_{i+1} = Vwi^L || W_i^R
state->a[0] = v[0];
state->a[1] = v[1];
state->a[2] = w[2];
state->a[3] = w[3];
2021-04-04 20:05:31 +00:00
// B_{i+1} = W_i^L || V_i^R
state->b[0] = v[0];
state->b[1] = v[1];
state->b[2] = w[2];
state->b[3] = w[3];
2021-04-04 20:05:31 +00:00
// Mark that we have consumed the buffer
state->length = 0;
void feed_hash(struct hashstate *state, unsigned char input[], size_t length) {
// Invariant: The buffer will be filled somewhere between 0 and 15
// when we enter this loop. This is because once it reaches 16, the
// hash compression function is executed.
2021-04-04 23:15:31 +00:00
for (size_t i = 0; i < length; i++) {
2021-04-04 20:05:31 +00:00
// Must not overflow the internat counter. In practice we will not
// hit this.
assert(state->totalbits <= UINT64_MAX - 8);
state->buffer[state->length++] = input[i];
state->totalbits += 8;
if (state->length == 16) {
void finalize_hash(struct hashstate *state, unsigned char hash[32]) {
// Feed the padding. It consists of one-bit, followed by zero-bits,
// followed by the number of bits in the message as big-endian
// uint64. This is the same padding as in SHA-2.
// We can assume that this works due to the invariant that buffer
// fill when entering this function is between 0 and 15
state->buffer[state->length++] = 0x80;
while(state->length != 8) {
if (state->length == 16) {
state->buffer[state->length++] = 0;
// Add the number of bits, and do one last compression
state->buffer[8] = state->totalbits >> 56;
state->buffer[9] = state->totalbits >> 48;
state->buffer[10] = state->totalbits >> 40;
state->buffer[11] = state->totalbits >> 32;
state->buffer[12] = state->totalbits >> 24;
state->buffer[13] = state->totalbits >> 16;
state->buffer[14] = state->totalbits >> 8;
state->buffer[15] = state->totalbits;
state->length += 8;
2021-04-04 20:05:31 +00:00
// Extract the hash state
for (size_t i = 0; i < 4; i++) {
word2bytes(&hash[i*4], state->a[i]);
for (size_t i = 0; i < 4; i++) {
word2bytes(&hash[i*4 + 16], state->b[i]);
// Clear all of the hash state, in case there was sth important
// there
explicit_bzero(state, sizeof(struct hashstate));
2021-04-04 20:05:31 +00:00