EEA3_EIA3_ZUC_v1_6 (4g加密算法)

3GPP Confidentiality and Integrity Algorithms 128-EEA3 3GPP Confidentiality and Integrity Algorithms 128-EEA3 3. If s16=0, then set s16=231-1; 4. (s1,s2, ,s15,s16) (s0,s1, ,s14,s15). In the working mode, the LFSR does not receive any input, and it works as follows: LFSRWithWorkMode() 1. s16=215s15+217s13+221s10+220s4+(1+28)s0 mod (231-1); 2. If s16=0, then set s16=231-1; 3. (s1,s2, ,s15,s16) (s0,s1, ,s14,s15). Informative note: Since the multiplication of a 31-bit string s by 2i over GF(231-1) can be implemented by a cyclic shift of s to the left by i bits, only addition modulo 231-1 is needed in step 1 of the above functions. More precisely, step 1 of the function LFSRWithInitialisationMode can be implemented by v=(s153115)+(s133117)+(s103121)+(s43120)+(s0 318)+s0 mod (231-1), and the same implementation is needed for step 1 of the function LFSRWithWorkMode. Informative note: For two elements a, b over GF(231-1), the computation of v=a+b mod (231-1) can be done by (1) compute v=a+b; and (2) if the carry bit is 1, then set v=v+1. Alternatively (and better if the implementation should resist possible timing attacks): (1) compute w=a+b, where w is a 32-bit value; and (2) set v = (least significant 31 bits of w) + (most significant bit of w). 3.3 The bit-reorganization The middle layer of the algorithm is the bit-reorganization. It extracts 128 bits from the cells of the LFSR and forms 4 of 32-bit words, where the first three words will be used by the nonlinear function F in the bottom layer, and the last word will be involved in producing the keystream. Let s0, s2, s5, s7, s9, s11, s14, s15 be 8 cells of LFSR as in section 3.2. Then the bit- reorganization forms 4 of 32-bit words X0, X1, X2, X3 from the above cells as follows: Bitreorganization() 1 X0=s15H | s14L; 2. X1=s11L | s9H; 3 X2=s7L | s5H; 4. X3=s2L |s0H. 3GPP Confidentiality and Integrity Algorithms 128-EEA3 2. W1= R1X1; 3. W2= R2X2; 4. R1=S(L1(W1L|W2H); 5. R2=S(L2(W2L|W1H). where S is a 3232 S-box, see section 3.4.1, L1 and L2 are linear transforms as defined in section 3.4.2. 3.4.1 The S-box S The 3232 S-box S is composed of 4 juxtaposed 88 S-boxes, i.e., S=(S0,S1,S2,S3), where S0=S2, S1=S3. The definitions of S0 and S1 can be found in table 3.1 and table 3.2 respectively. Let x be an 8-bit input to S0 (or S1). Write x into two hexadecimal digits as x=h|l, then the entry at the intersection of the h-th row and the l-th column in table 3.1 (or table 3.2) is the output of S0 (or S1). Example 7 S0(0 x12)=0 xF9 and S1(0 x34)=0 xC0. Let the 32-bit input X and the 32-bit output Y of the S-box S be as follows: X = x0 | x1 | x2 | x3, Y = y0 | y1 | y2 | y3, where xi and yi are all bytes, i=0,1,2,3. Then we have yi=Si(xi), i=0,1,2,3. Example 8 Let X=0 x12345678 be a 32-bit input to the S-box and Y its 32-bit output. Then we have Y=S(X)=S0(0 x12)|S1(0 x34)|S2(0 x56)|S3(0 x78)=0 xF9C05A4E. 3GPP Confidentiality and Integrity Algorithms 128-EEA3 / see section 3.3 2. F(X0, X1, X2); /output discarded, see section 3.4 3. LFSRWithWorkMode(). / see section 3.2 Then the algorithm goes into the stage of producing keystream, i.e., for each iteration, the following operations are executed once, and a 32-bit word Z is produced as an output: 1. Bitreorganization(); / see section 3.3 2. Z= F(X0, X1, X2)X3; / for the definition of X3, see section 3.3 3. LFSRWithWorkMode() . / see section 3.2 3GPP Confidentiality and Integrity Algorithms 128-EEA3 typedef unsigned int u32; /* - */ /* the state registers of LFSR */ u32 LFSR_S0; u32 LFSR_S1; u32 LFSR_S2; u32 LFSR_S3; u32 LFSR_S4; u32 LFSR_S5; u32 LFSR_S6; u32 LFSR_S7; u32 LFSR_S8; u32 LFSR_S9; u32 LFSR_S10; u32 LFSR_S11; u32 LFSR_S12; u32 LFSR_S13; u32 LFSR_S14; u32 LFSR_S15; /* the registers of F */ u32 F_R1; u32 F_R2; /* the outputs of BitReorganization */ u32 BRC_X0; u32 BRC_X1; u32 BRC_X2; u32 BRC_X3; /* the s-boxes */ u8 S0256 = 0 x3e,0 x72,0 x5b,0 x47,0 xca,0 xe0,0 x00,0 x33,0 x04,0 xd1,0 x54,0 x98,0 x09,0 xb9,0 x6d,0 xcb, 0 x7b,0 x1b,0 xf9,0 x32,0 xaf,0 x9d,0 x6a,0 xa5,0 xb8,0 x2d,0 xfc,0 x1d,0 x08,0 x53,0 x03,0 x90, 0 x4d,0 x4e,0 x84,0 x99,0 xe4,0 xce,0 xd9,0 x91,0 xdd,0 xb6,0 x85,0 x48,0 x8b,0 x29,0 x6e,0 xac, 0 xcd,0 xc1,0 xf8,0 x1e,0 x73,0 x43,0 x69,0 xc6,0 xb5,0 xbd,0 xfd,0 x39,0 x63,0 x20,0 xd4,0 x38, 0 x76,0 x7d,0 xb2,0 xa7,0 xcf,0 xed,0 x57,0 xc5,0 xf3,0 x2c,0 xbb,0 x14,0 x21,0 x06,0 x55,0 x9b, 0 xe3,0 xef,0 x5e,0 x31,0 x4f,0 x7f,0 x5a,0 xa4,0 x0d,0 x82,0 x51,0 x49,0 x5f,0 xba,0 x58,0 x1c, 0 x4a,0 x16,0 xd5,0 x17,0 xa8,0 x92,0 x24,0 x1f,0 x8c,0 xff,0 xd8,0 xae,0 x2e,0 x01,0 xd3,0 xad, 0 x3b,0 x4b,0 xda,0 x46,0 xeb,0 xc9,0 xde,0 x9a,0 x8f,0 x87,0 xd7,0 x3a,0 x80,0 x6f,0 x2f,0 xc8, 0 xb1,0 xb4,0 x37,0 xf7,0 x0a,0 x22,0 x13,0 x28,0 x7c,0 xcc,0 x3c,0 x89,0 xc7,0 xc3,0 x96,0 x56, 0 x07,0 xbf,0 x7e,0 xf0,0 x0b,0 x2b,0 x97,0 x52,0 x35,0 x41,0 x79,0 x61,0 xa6,0 x4c,0 x10,0 xfe, 0 xbc,0 x26,0 x95,0 x88,0 x8a,0 xb0,0 xa3,0 xfb,0 xc0,0 x18,0 x94,0 xf2,0 xe1,0 xe5,0 xe9,0 x5d, 0 xd0,0 xdc,0 x11,0 x66,0 x64,0 x5c,0 xec,0 x59,0 x42,0 x75,0 x12,0 xf5,0 x74,0 x9c,0 xaa,0 x23, 0 x0e,0 x86,0 xab,0 xbe,0 x2a,0 x02,0 xe7,0 x67,0 xe6,0 x44,0 xa2,0 x6c,0 xc2,0 x93,0 x9f,0 xf1, 0 xf6,0 xfa,0 x36,0 xd2,0 x50,0 x68,0 x9e,0 x62,0 x71,0 x15,0 x3d,0 xd6,0 x40,0 xc4,0 xe2,0 x0f, 0 x8e,0 x83,0 x77,0 x6b,0 x25,0 x05,0 x3f,0 x0c,0 x30,0 xea,0 x70,0 xb7,0 xa1,0 xe8,0 xa9,0 x65, 0 x8d,0 x27,0 x1a,0 xdb,0 x81,0 xb3,0 xa0,0 xf4,0 x45,0 x7a,0 x19,0 xdf,0 xee,0 x78,0 x34,0 x60 ; u8 S1256 = 0 x55,0 xc2,0 x63,0 x71,0 x3b,0 xc8,0 x47,0 x86,0 x9f,0 x3c,0 xda,0 x5b,0 x29,0 xaa,0 xfd,0 x77, 0 x8c,0 xc5,0 x94,0 x0c,0 xa6,0 x1a,0 x13,0 x00,0 xe3,0 xa8,0 x16,0 x72,0 x40,0 xf9,0 xf8,0 x42, 0 x44,0 x26,0 x68,0 x96,0 x81,0 xd9,0 x45,0 x3e,0 x10,0 x76,0 xc6,0 xa7,0 x8b,0 x39,0 x43,0 xe1, 0 x3a,0 xb5,0 x56,0 x2a,0 xc0,0 x6d,0 xb3,0 x05,0 x22,0 x66,0 xbf,0 xdc,0 x0b,0 xfa,0 x62,0 x48, 0 xdd,0 x20,0 x11,0 x06,0 x36,0 xc9,0 xc1,0 xcf,0 xf6,0 x27,0 x52,0 xbb,0 x69,0 xf5,0 xd4,0 x87, 0 x7f,0 x84,0 x4c,0 xd2,0 x9c,0 x57,0 xa4,0 xbc,0 x4f,0 x9a,0 xdf,0 xfe,0 xd6,0 x8d,0 x7a,0 xeb, 0 x2b,0 x53,0 xd8,0 x5c,0 xa1,0 x14,0 x17,0 xfb,0 x23,0 xd5,0 x7d,0 x30,0 x67,0 x73,0 x08,0 x09, 0 xee,0 xb7,0 x70,0 x3f,0 x61,0 xb2,0 x19,0 x8e,0 x4e,0 xe5,0 x4b,0 x93,0 x8f,0 x5d,0 xdb,0 xa9, 0 xad,0 xf1,0 xae,0 x2e,0 xcb,0 x0d,0 xfc,0 xf4,0 x2d,0 x46,0 x6e,0 x1d,0 x97,0 xe8,0 xd1,0 xe9, 0 x4d,0 x37,0 xa5,0 x75,0 x5e,0 x83,0 x9e,0 xab,0 x82,0 x9d,0 xb9,0 x1c,0 xe0,0 xcd,0 x49,0 x89, 0 x01,0 xb6,0 xbd,0 x58,0 x24,0 xa2,0 x5f,0 x38,0 x78,0 x99,0 x15,0 x90,0 x50,0 xb8,0 x95,0 xe4, 0 xd0,0 x91,0 xc7,0 xce,0 xed,0 x0f,0 xb4,0 x6f,0 xa0,0 xcc,0 xf0,0 x02,0 x4a,0 x79,0 xc3,0 xde, 0 xa3,0 xef,0 xea,0 x51,0 xe6,0 x6b,0 x18,0 xec,0 x1b,0 x2c,0 x80,0 xf7,0 x74,0 xe7,0 xff,0 x21, 0 x5a,0 x6a,0 x54,0 x1e,0 x41,0 x31,0 x92,0 x35,0 xc4,0 x33,0 x07,0 x0a,0 xba,0 x7e,0 x0e,0 x34, 0 x88,0 xb1,0 x98,0 x7c,0 xf3,0 x3d,0 x60,0 x6c,0 x7b,0 xca,0 xd3,0 x1f,0 x32,0 x65,0 x04,0 x28, 0 x64,0 xbe,0 x85,0 x9b,0 x2f,0 x59,0 x8a,0 xd7,0 xb0,0 x25,0 xac,0 xaf,0 x12,0 x03,0 xe2,0 xf2 ; /* the constants D */ u32 EK_d16 = 0 x44D7, 0 x26BC, 0 x626B, 0 x135E, 0 x5789, 0 x35E2, 0 x7135, 0 x09AF, 0 x4D78, 0 x2F13, 0 x6BC4, 0 x1AF1, 0 x5E26, 0 x3C4D, 0 x789A, 0 x47AC ; 3GPP Confidentiality and Integrity Algorithms 128-EEA3 return (c /* LFSR with initialization mode */ #define MulByPow2(x, k) (x) (31 - k) f = LFSR_S0; v = MulByPow2(LFSR_S0, 8); f = AddM(f, v); v = MulByPow2(LFSR_S4, 20); f = AddM(f, v); v = MulByPow2(LFSR_S10, 21); f = AddM(f, v); v = MulByPow2(LFSR_S13, 17); f = AddM(f, v); v = MulByPow2(LFSR_S15, 15); f = AddM(f, v); f = AddM(f, u); /* update the state */ LFSR_S0 = LFSR_S1; LFSR_S1 = LFSR_S2; LFSR_S2 = LFSR_S3; LFSR_S3 = LFSR_S4; LFSR_S4 = LFSR_S5; LFSR_S5 = LFSR_S6; LFSR_S6 = LFSR_S7; LFSR_S7 = LFSR_S8; LFSR_S8 = LFSR_S9; LFSR_S9 = LFSR_S10; LFSR_S10 = LFSR_S11; LFSR_S11 = LFSR_S12; LFSR_S12 = LFSR_S13; LFSR_S13 = LFSR_S14; LFSR_S14 = LFSR_S15; LFSR_S15 = f; /* LFSR with work mode */ void LFSRWithWorkMode() u32 f, v; f = LFSR_S0; v = MulByPow2(LFSR_S0, 8); f = AddM(f, v); v = MulByPow2(LFSR_S4, 20); f = AddM(f, v); v = MulByPow2(LFSR_S10, 21); f = AddM(f, v); v = MulByPow2(LFSR_S13, 17); f = AddM(f, v); v = MulByPow2(LFSR_S15, 15); f = AddM(f, v); /* update the state */ LFSR_S0 = LFSR_S1; LFSR_S1 = LFSR_S2; LFSR_S2 = LFSR_S3; LFSR_S3 = LFSR_S4; 3GPP Confidentiality and Integrity Algorithms 128-EEA3 LFSR_S5 = LFSR_S6; LFSR_S6 = LFSR_S7; LFSR_S7 = LFSR_S8; LFSR_S8 = LFSR_S9; LFSR_S9 = LFSR_S10; LFSR_S10 = LFSR_S11; LFSR_S11 = LFSR_S12; LFSR_S12 = LFSR_S13; LFSR_S13