/* This is an independent implementation of the encryption algorithm:   */
/* Serpent by Ross Anderson, Eli Biham and Lars Knudsen                  */
/* which is a candidate algorithm in the Advanced Encryption Standard   */
/* programme of the US National Institute of Standards and Technology.  */
/* Copyright in this implementation is held by Dr B R Gladman but I     */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions   */
/* that the originators of the algorithm place on its exploitation.     */
/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999     */
/* -------------------------------------------------------------------- */
/* Cleaned and optimized for GPU use with hashcat by Jens Steube        */
21 #define sb0(a,b,c,d,e,f,g,h) \
40 #define ib0(a,b,c,d,e,f,g,h) \
59 #define sb1(a,b,c,d,e,f,g,h) \
77 #define ib1(a,b,c,d,e,f,g,h) \
98 #define sb2(a,b,c,d,e,f,g,h) \
118 #define ib2(a,b,c,d,e,f,g,h) \
138 #define sb3(a,b,c,d,e,f,g,h) \
157 /* 16 term solution that performs less well than 17 term one
158 in my environment (PPro/PII)
160 #define sb3(a,b,c,d,e,f,g,h) \
181 #define ib3(a,b,c,d,e,f,g,h) \
202 #define sb4(a,b,c,d,e,f,g,h) \
221 #define ib4(a,b,c,d,e,f,g,h) \
242 #define sb5(a,b,c,d,e,f,g,h) \
262 #define ib5(a,b,c,d,e,f,g,h) \
282 #define sb6(a,b,c,d,e,f,g,h) \
301 #define ib6(a,b,c,d,e,f,g,h) \
320 #define sb7(a,b,c,d,e,f,g,h) \
341 #define ib7(a,b,c,d,e,f,g,h) \
360 #define k_xor(r,a,b,c,d) \
361 a ^= ks[4 * r + 8]; \
362 b ^= ks[4 * r + 9]; \
363 c ^= ks[4 * r + 10]; \
366 #define k_set(r,a,b,c,d) \
369 c = ks[4 * r + 10]; \
372 #define k_get(r,a,b,c,d) \
375 ks[4 * r + 10] = c; \
378 /* the linear transformation and its inverse */
380 #define rot(a,b,c,d) \
392 #define irot(a,b,c,d) \
404 void serpent256_set_key (u32
*ks
, const u32
*ukey
)
409 for (int i
= 0; i
< 8; i
++)
417 for (int i
= 0; i
< 132; i
++)
419 ks
[i
+ 8] = rotl32 (ks
[i
+ 7] ^ ks
[i
+ 5] ^ ks
[i
+ 3] ^ ks
[i
+ 0] ^ 0x9e3779b9 ^ i
, 11);
423 u32 t1
,t2
,t3
,t4
,t5
,t6
,t7
,t8
,t9
,t10
,t11
,t12
,t13
,t14
,t15
,t16
;
425 k_set( 0,a
,b
,c
,d
); sb3(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 0,e
,f
,g
,h
);
426 k_set( 1,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 1,e
,f
,g
,h
);
427 k_set( 2,a
,b
,c
,d
); sb1(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 2,e
,f
,g
,h
);
428 k_set( 3,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 3,e
,f
,g
,h
);
429 k_set( 4,a
,b
,c
,d
); sb7(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 4,e
,f
,g
,h
);
430 k_set( 5,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 5,e
,f
,g
,h
);
431 k_set( 6,a
,b
,c
,d
); sb5(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 6,e
,f
,g
,h
);
432 k_set( 7,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 7,e
,f
,g
,h
);
433 k_set( 8,a
,b
,c
,d
); sb3(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 8,e
,f
,g
,h
);
434 k_set( 9,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); k_get( 9,e
,f
,g
,h
);
435 k_set(10,a
,b
,c
,d
); sb1(a
,b
,c
,d
,e
,f
,g
,h
); k_get(10,e
,f
,g
,h
);
436 k_set(11,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); k_get(11,e
,f
,g
,h
);
437 k_set(12,a
,b
,c
,d
); sb7(a
,b
,c
,d
,e
,f
,g
,h
); k_get(12,e
,f
,g
,h
);
438 k_set(13,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); k_get(13,e
,f
,g
,h
);
439 k_set(14,a
,b
,c
,d
); sb5(a
,b
,c
,d
,e
,f
,g
,h
); k_get(14,e
,f
,g
,h
);
440 k_set(15,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); k_get(15,e
,f
,g
,h
);
441 k_set(16,a
,b
,c
,d
); sb3(a
,b
,c
,d
,e
,f
,g
,h
); k_get(16,e
,f
,g
,h
);
442 k_set(17,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); k_get(17,e
,f
,g
,h
);
443 k_set(18,a
,b
,c
,d
); sb1(a
,b
,c
,d
,e
,f
,g
,h
); k_get(18,e
,f
,g
,h
);
444 k_set(19,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); k_get(19,e
,f
,g
,h
);
445 k_set(20,a
,b
,c
,d
); sb7(a
,b
,c
,d
,e
,f
,g
,h
); k_get(20,e
,f
,g
,h
);
446 k_set(21,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); k_get(21,e
,f
,g
,h
);
447 k_set(22,a
,b
,c
,d
); sb5(a
,b
,c
,d
,e
,f
,g
,h
); k_get(22,e
,f
,g
,h
);
448 k_set(23,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); k_get(23,e
,f
,g
,h
);
449 k_set(24,a
,b
,c
,d
); sb3(a
,b
,c
,d
,e
,f
,g
,h
); k_get(24,e
,f
,g
,h
);
450 k_set(25,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); k_get(25,e
,f
,g
,h
);
451 k_set(26,a
,b
,c
,d
); sb1(a
,b
,c
,d
,e
,f
,g
,h
); k_get(26,e
,f
,g
,h
);
452 k_set(27,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); k_get(27,e
,f
,g
,h
);
453 k_set(28,a
,b
,c
,d
); sb7(a
,b
,c
,d
,e
,f
,g
,h
); k_get(28,e
,f
,g
,h
);
454 k_set(29,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); k_get(29,e
,f
,g
,h
);
455 k_set(30,a
,b
,c
,d
); sb5(a
,b
,c
,d
,e
,f
,g
,h
); k_get(30,e
,f
,g
,h
);
456 k_set(31,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); k_get(31,e
,f
,g
,h
);
457 k_set(32,a
,b
,c
,d
); sb3(a
,b
,c
,d
,e
,f
,g
,h
); k_get(32,e
,f
,g
,h
);
460 void serpent256_encrypt (const u32
*ks
, const u32
*in
, u32
*out
)
463 u32 t1
,t2
,t3
,t4
,t5
,t6
,t7
,t8
,t9
,t10
,t11
,t12
,t13
,t14
,t15
,t16
;
470 k_xor( 0,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
471 k_xor( 1,e
,f
,g
,h
); sb1(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
472 k_xor( 2,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
473 k_xor( 3,e
,f
,g
,h
); sb3(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
474 k_xor( 4,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
475 k_xor( 5,e
,f
,g
,h
); sb5(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
476 k_xor( 6,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
477 k_xor( 7,e
,f
,g
,h
); sb7(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
478 k_xor( 8,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
479 k_xor( 9,e
,f
,g
,h
); sb1(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
480 k_xor(10,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
481 k_xor(11,e
,f
,g
,h
); sb3(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
482 k_xor(12,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
483 k_xor(13,e
,f
,g
,h
); sb5(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
484 k_xor(14,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
485 k_xor(15,e
,f
,g
,h
); sb7(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
486 k_xor(16,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
487 k_xor(17,e
,f
,g
,h
); sb1(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
488 k_xor(18,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
489 k_xor(19,e
,f
,g
,h
); sb3(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
490 k_xor(20,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
491 k_xor(21,e
,f
,g
,h
); sb5(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
492 k_xor(22,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
493 k_xor(23,e
,f
,g
,h
); sb7(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
494 k_xor(24,a
,b
,c
,d
); sb0(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
495 k_xor(25,e
,f
,g
,h
); sb1(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
496 k_xor(26,a
,b
,c
,d
); sb2(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
497 k_xor(27,e
,f
,g
,h
); sb3(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
498 k_xor(28,a
,b
,c
,d
); sb4(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
499 k_xor(29,e
,f
,g
,h
); sb5(e
,f
,g
,h
,a
,b
,c
,d
); rot(a
,b
,c
,d
);
500 k_xor(30,a
,b
,c
,d
); sb6(a
,b
,c
,d
,e
,f
,g
,h
); rot(e
,f
,g
,h
);
501 k_xor(31,e
,f
,g
,h
); sb7(e
,f
,g
,h
,a
,b
,c
,d
);
510 void serpent256_decrypt (const u32
*ks
, const u32
*in
, u32
*out
)
513 u32 t1
,t2
,t3
,t4
,t5
,t6
,t7
,t8
,t9
,t10
,t11
,t12
,t13
,t14
,t15
,t16
;
521 ib7(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(31,e
,f
,g
,h
);
522 irot(e
,f
,g
,h
); ib6(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(30,a
,b
,c
,d
);
523 irot(a
,b
,c
,d
); ib5(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(29,e
,f
,g
,h
);
524 irot(e
,f
,g
,h
); ib4(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(28,a
,b
,c
,d
);
525 irot(a
,b
,c
,d
); ib3(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(27,e
,f
,g
,h
);
526 irot(e
,f
,g
,h
); ib2(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(26,a
,b
,c
,d
);
527 irot(a
,b
,c
,d
); ib1(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(25,e
,f
,g
,h
);
528 irot(e
,f
,g
,h
); ib0(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(24,a
,b
,c
,d
);
529 irot(a
,b
,c
,d
); ib7(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(23,e
,f
,g
,h
);
530 irot(e
,f
,g
,h
); ib6(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(22,a
,b
,c
,d
);
531 irot(a
,b
,c
,d
); ib5(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(21,e
,f
,g
,h
);
532 irot(e
,f
,g
,h
); ib4(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(20,a
,b
,c
,d
);
533 irot(a
,b
,c
,d
); ib3(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(19,e
,f
,g
,h
);
534 irot(e
,f
,g
,h
); ib2(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(18,a
,b
,c
,d
);
535 irot(a
,b
,c
,d
); ib1(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(17,e
,f
,g
,h
);
536 irot(e
,f
,g
,h
); ib0(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(16,a
,b
,c
,d
);
537 irot(a
,b
,c
,d
); ib7(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(15,e
,f
,g
,h
);
538 irot(e
,f
,g
,h
); ib6(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(14,a
,b
,c
,d
);
539 irot(a
,b
,c
,d
); ib5(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(13,e
,f
,g
,h
);
540 irot(e
,f
,g
,h
); ib4(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(12,a
,b
,c
,d
);
541 irot(a
,b
,c
,d
); ib3(a
,b
,c
,d
,e
,f
,g
,h
); k_xor(11,e
,f
,g
,h
);
542 irot(e
,f
,g
,h
); ib2(e
,f
,g
,h
,a
,b
,c
,d
); k_xor(10,a
,b
,c
,d
);
543 irot(a
,b
,c
,d
); ib1(a
,b
,c
,d
,e
,f
,g
,h
); k_xor( 9,e
,f
,g
,h
);
544 irot(e
,f
,g
,h
); ib0(e
,f
,g
,h
,a
,b
,c
,d
); k_xor( 8,a
,b
,c
,d
);
545 irot(a
,b
,c
,d
); ib7(a
,b
,c
,d
,e
,f
,g
,h
); k_xor( 7,e
,f
,g
,h
);
546 irot(e
,f
,g
,h
); ib6(e
,f
,g
,h
,a
,b
,c
,d
); k_xor( 6,a
,b
,c
,d
);
547 irot(a
,b
,c
,d
); ib5(a
,b
,c
,d
,e
,f
,g
,h
); k_xor( 5,e
,f
,g
,h
);
548 irot(e
,f
,g
,h
); ib4(e
,f
,g
,h
,a
,b
,c
,d
); k_xor( 4,a
,b
,c
,d
);
549 irot(a
,b
,c
,d
); ib3(a
,b
,c
,d
,e
,f
,g
,h
); k_xor( 3,e
,f
,g
,h
);
550 irot(e
,f
,g
,h
); ib2(e
,f
,g
,h
,a
,b
,c
,d
); k_xor( 2,a
,b
,c
,d
);
551 irot(a
,b
,c
,d
); ib1(a
,b
,c
,d
,e
,f
,g
,h
); k_xor( 1,e
,f
,g
,h
);
552 irot(e
,f
,g
,h
); ib0(e
,f
,g
,h
,a
,b
,c
,d
); k_xor( 0,a
,b
,c
,d
);
560 void serpent256_decrypt_xts (const u32
*ukey1
, const u32
*ukey2
, const u32
*in
, u32
*out
)
572 serpent256_set_key (ks
, ukey2
);
573 serpent256_encrypt (ks
, Z
, T
);
580 serpent256_set_key (ks
, ukey1
);
581 serpent256_decrypt (ks
, out
, out
);