[proxmark3-svn] / client / loclass / ikeys.c

/*****************************************************************************
 * This file is part of iClassCipher. It is a reconstructon of the cipher engine
 * used in iClass, and RFID techology.
 *
 * The implementation is based on the work performed by
 * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
 * Milosch Meriac in the paper "Dismantling IClass".
 *
 * Copyright (C) 2014 Martin Holst Swende
 *
 * This is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as published
 * by the Free Software Foundation.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with IClassCipher.  If not, see <http://www.gnu.org/licenses/>.
 ****************************************************************************/
/**
From "Dismantling iclass":
	This section describes in detail the built-in key diversification algorithm of iClass.
	Besides the obvious purpose of deriving a card key from a master key, this
	algorithm intends to circumvent weaknesses in the cipher by preventing the
	usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass
	reader first encrypts the card identity id with the master key K, using single
	DES. The resulting ciphertext is then input to a function called hash0 which
	outputs the diversified key k.

	k = hash0(DES enc (id, K))

	Here the DES encryption of id with master key K outputs a cryptogram c
	of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8
	which is used as input to the hash0 function. This function introduces some
	obfuscation by performing a number of permutations, complement and modulo
	operations, see Figure 2.5. Besides that, it checks for and removes patterns like
	similar key bytes, which could produce a strong bias in the cipher. Finally, the
	output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 .


**/


#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include "cipherutils.h"
#include "cipher.h"
#include "../util.h"
#include <stdio.h>
#include "des.h"
#include <inttypes.h>

uint8_t pi[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78};

static des_context ctx_enc = {DES_ENCRYPT,{0}};
static des_context ctx_dec = {DES_DECRYPT,{0}};

static bool debug_print = false;

/**
 * @brief The key diversification algorithm uses 6-bit bytes.
 * This implementation uses 64 bit uint to pack seven of them into one
 * variable. When they are there, they are placed as follows:
 * XXXX XXXX N0 .... N7, occupying the lsat 48 bits.
 *
 * This function picks out one from such a collection
 * @param all
 * @param n bitnumber
 * @return
 */
uint8_t getSixBitByte(uint64_t c, int n)
{
	return (c >> (42-6*n)) & 0x3F;
	//return (c >> n*6) & 0x3f;
}

/**
 * @brief Puts back a six-bit 'byte' into a uint64_t.
 * @param c buffer
 * @param z the value to place there
 * @param n bitnumber.
 */
void pushbackSixBitByte(uint64_t *c, uint8_t z, int n)
{
	//0x XXXX YYYY ZZZZ ZZZZ ZZZZ
	//             ^z0         ^z7
	//z0:  1111 1100 0000 0000

	uint64_t masked = z & 0x3F;
	uint64_t eraser = 0x3F;
	masked <<= 42-6*n;
	eraser <<= 42-6*n;

	//masked <<= 6*n;
	//eraser <<= 6*n;

	eraser = ~eraser;
	(*c) &= eraser;
	(*c) |= masked;

}

uint64_t swapZvalues(uint64_t c)
{
	uint64_t newz = 0;
	pushbackSixBitByte(&newz, getSixBitByte(c,0),7);
	pushbackSixBitByte(&newz, getSixBitByte(c,1),6);
	pushbackSixBitByte(&newz, getSixBitByte(c,2),5);
	pushbackSixBitByte(&newz, getSixBitByte(c,3),4);
	pushbackSixBitByte(&newz, getSixBitByte(c,4),3);
	pushbackSixBitByte(&newz, getSixBitByte(c,5),2);
	pushbackSixBitByte(&newz, getSixBitByte(c,6),1);
	pushbackSixBitByte(&newz, getSixBitByte(c,7),0);
	newz |= (c & 0xFFFF000000000000);
	return newz;
}

/**
* @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3
*/
uint64_t ck(int i, int j, uint64_t z)
{

//	printf("ck( i=%d, j=%d), zi=[%d],zj=[%d] \n",i,j,getSixBitByte(z,i),getSixBitByte(z,j) );

	if(i == 1 && j == -1)
	{
		// ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
		return z;

	}else if( j == -1)
	{
		// ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
		return ck(i-1,i-2, z);
	}

	if(getSixBitByte(z,i) == getSixBitByte(z,j))
	{
		// TODO, I dont know what they mean here in the paper
		//ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] )
		uint64_t newz = 0;
		int c;
		//printf("z[i]=z[i] (0x%02x), i=%d, j=%d\n",getSixBitByte(z,i),i,j );
		for(c = 0; c < 4 ;c++)
		{
			uint8_t val = getSixBitByte(z,c);
			if(c == i)
			{
				//printf("oops\n");
				pushbackSixBitByte(&newz, j, c);
			}else
			{
				pushbackSixBitByte(&newz, val, c);
			}
		}
		return ck(i,j-1,newz);
	}else
	{
		return ck(i,j-1,z);
	}

}
/**

	Definition 8.
	Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as
	check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] )

	where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as

		ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
		ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
		ck(i, j, z [0] . . . z [3] ) =
		ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ),  if z [i] = z [j] ;
		ck(i, j − 1, z [0] . . . z [3] ), otherwise

	otherwise.
**/

uint64_t check(uint64_t z)
{
	//These 64 bits are divided as c = x, y, z [0] , . . . , z [7]

	// ck(3, 2, z [0] . . . z [3] )
	uint64_t ck1 = ck(3,2, z );

	// ck(3, 2, z [4] . . . z [7] )
	uint64_t ck2 = ck(3,2, z << 24);
	ck1 &= 0x00000000FFFFFF000000;
	ck2 &= 0x00000000FFFFFF000000;

	return ck1 | ck2 >> 24;

}

void permute(BitstreamIn *p_in, uint64_t z,int l,int r, BitstreamOut* out)
{
	if(bitsLeft(p_in) == 0)
	{
		return;
	}
	bool pn = tailBit(p_in);
	if( pn ) // pn = 1
	{
		uint8_t zl = getSixBitByte(z,l);
		//printf("permute pushing, zl=0x%02x, zl+1=0x%02x\n", zl, zl+1);
		push6bits(out, zl+1);
		permute(p_in, z, l+1,r, out);
	}else // otherwise
	{
		uint8_t zr = getSixBitByte(z,r);
		//printf("permute pushing, zr=0x%02x\n", zr);
		push6bits(out, zr);
		permute(p_in,z,l,r+1,out);
	}
}
void testPermute()
{

	uint64_t x = 0;
	pushbackSixBitByte(&x,0x00,0);
	pushbackSixBitByte(&x,0x01,1);
	pushbackSixBitByte(&x,0x02,2);
	pushbackSixBitByte(&x,0x03,3);
	pushbackSixBitByte(&x,0x04,4);
	pushbackSixBitByte(&x,0x05,5);
	pushbackSixBitByte(&x,0x06,6);
	pushbackSixBitByte(&x,0x07,7);

	uint8_t mres[8] = { getSixBitByte(x, 0),
						getSixBitByte(x, 1),
						getSixBitByte(x, 2),
						getSixBitByte(x, 3),
						getSixBitByte(x, 4),
						getSixBitByte(x, 5),
						getSixBitByte(x, 6),
						getSixBitByte(x, 7)};
	printarr("input_perm", mres,8);

	uint8_t p = ~pi[0];
	BitstreamIn p_in = { &p, 8,0 };
	uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
	BitstreamOut out = {outbuffer,0,0};

	permute(&p_in, x,0,4, &out);

	uint64_t permuted = bytes_to_num(outbuffer,8);
	//printf("zTilde 0x%"PRIX64"\n", zTilde);
	permuted >>= 16;

	uint8_t res[8] = { getSixBitByte(permuted, 0),
						getSixBitByte(permuted, 1),
						getSixBitByte(permuted, 2),
						getSixBitByte(permuted, 3),
						getSixBitByte(permuted, 4),
						getSixBitByte(permuted, 5),
						getSixBitByte(permuted, 6),
						getSixBitByte(permuted, 7)};
	printarr("permuted", res, 8);
}
void printbegin()
{
	if(! debug_print)
		return;

	printf("          | x| y|z0|z1|z2|z3|z4|z5|z6|z7|\n");
}

void printState(char* desc, int x,int y, uint64_t c)
{
	if(! debug_print)
		return;

	printf("%s : ", desc);
	//uint8_t x = 	(c & 0xFF00000000000000 ) >> 56;
	//uint8_t y = 	(c & 0x00FF000000000000 ) >> 48;
	printf("  %02x %02x", x,y);
	int i ;
	for(i =0 ; i < 8 ; i++)
	{
		printf(" %02x", getSixBitByte(c,i));
	}
	printf("\n");
}

/**
 * @brief
 *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as
 *	hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where
 * z'[i] = (z[i] mod (63-i)) + i	i =  0...3
 * z'[i+4] = (z[i+4] mod (64-i)) + i	i =  0...3
 * ẑ = check(z');
 * @param c
 * @param k this is where the diversified key is put (should be 8 bytes)
 * @return
 */
void hash0(uint64_t c, uint8_t *k)
{
	printbegin();
	//These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
	// x = 8 bits
	// y = 8 bits
	// z0-z7 6 bits each : 48 bits
	uint8_t x = 	(c & 0xFF00000000000000 ) >> 56;
	uint8_t y = 	(c & 0x00FF000000000000 ) >> 48;
	printState("origin",x,y,c);
	int n;
	uint8_t zn, zn4, _zn, _zn4;
	uint64_t zP = 0;

	for(n = 0;  n < 4 ; n++)
	{
		zn = getSixBitByte(c,n);
		zn4 = getSixBitByte(c,n+4);

		_zn = (zn % (63-n)) + n;
		_zn4 = (zn4 % (64-n)) + n;

		pushbackSixBitByte(&zP, _zn,n);
		pushbackSixBitByte(&zP, _zn4,n+4);

	}
	printState("x|y|z'",x,y,zP);

	uint64_t zCaret = check(zP);
	printState("x|y|z^",x,y,zP);


	uint8_t p = pi[x % 35];

	if(x & 1) //Check if x7 is 1
	{
		p = ~p;
	}
    printState("p|y|z^",p,y,zP);
	//if(debug_print) printf("p:%02x\n", p);

	BitstreamIn p_in = { &p, 8,0 };
	uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
	BitstreamOut out = {outbuffer,0,0};
	permute(&p_in,zCaret,0,4,&out);//returns 48 bits? or 6 8-bytes

	//Out is now a buffer containing six-bit bytes, should be 48 bits
	// if all went well
	//printf("Permute output is %d num bits (48?)\n", out.numbits);
	//Shift z-values down onto the lower segment

	uint64_t zTilde = bytes_to_num(outbuffer,8);

	//printf("zTilde 0x%"PRIX64"\n", zTilde);
	zTilde >>= 16;
	//printf("z~ 0x%"PRIX64"\n", zTilde);
	printState("p|y|z~", p,y,zTilde);

	int i;
	int zerocounter =0 ;
	for(i =0 ; i < 8  ; i++)
	{

		// the key on index i is first a bit from y
		// then six bits from z,
		// then a bit from p

		// Init with zeroes
		k[i] = 0;
		// First, place yi leftmost in k
		//k[i] |= (y  << i) & 0x80 ;

		// First, place y(7-i) leftmost in k
		k[i] |= (y  << (7-i)) & 0x80 ;

		//printf("y%d = %d\n",i,(y  << i) & 0x80);

		uint8_t zTilde_i = getSixBitByte(zTilde, i);
		//printf("zTilde_%d 0x%02x (should be <= 0x3F)\n",i, zTilde_i);
		// zTildeI is now on the form 00XXXXXX
		// with one leftshift, it'll be
		// 0XXXXXX0
		// So after leftshift, we can OR it into k
		// However, when doing complement, we need to
		// again MASK 0XXXXXX0 (0x7E)
		zTilde_i <<= 1;

		//Finally, add bit from p or p-mod
		//Shift bit i into rightmost location (mask only after complement)
		uint8_t p_i = p >> i & 0x1;

		if( k[i] )// yi = 1
		{
			//printf("k[%d] +1\n", i);
			k[i] |= ~zTilde_i & 0x7E;
			k[i] |= p_i & 1;
			k[i] += 1;

		}else // otherwise
		{
			k[i] |= zTilde_i & 0x7E;
			k[i] |= (~p_i) & 1;
		}
		if((k[i]  & 1 )== 0)
		{
			zerocounter ++;
		}
	}
	//printf("zerocounter=%d (should be 4)\n",zerocounter);
	//printf("permute fin, y:0x%02x, x: 0x%02x\n", y, x);

	//return k;
}

void reorder(uint8_t arr[8])
{
	uint8_t tmp[4] = {arr[3],arr[2],arr[1], arr[0]};
	arr[0] = arr[7];
	arr[1] = arr[6];
	arr[2] = arr[5];
	arr[3] = arr[4];
	arr[4] = tmp[0];//arr[3];
	arr[5] = tmp[1];//arr[2];
	arr[6] = tmp[2];//arr[3];
	arr[7] = tmp[3];//arr[1]
}

//extern void printarr(char * name, uint8_t* arr, int len);

bool des_getParityBitFromKey(uint8_t key)
{//The top 7 bits is used
	bool parity = ((key & 0x80) >> 7)
			^ ((key & 0x40) >> 6) ^ ((key & 0x20) >> 5)
			^ ((key & 0x10) >> 4) ^ ((key & 0x08) >> 3)
			^ ((key & 0x04) >> 2) ^ ((key & 0x02) >> 1);
	return !parity;
}
void des_checkParity(uint8_t* key)
{
	int i;
	int fails =0;
	for(i =0 ; i < 8 ; i++)
	{
		bool parity = des_getParityBitFromKey(key[i]);
		if(parity != (key[i] & 0x1))
		{
			fails++;
			printf("parity1 fail, byte %d [%02x] was %d, should be %d\n",i,key[i],(key[i] & 0x1),parity);
		}
	}
	if(fails)
	{
		printf("parity fails: %d\n", fails);
	}else
	{
		printf("Key syntax is with parity bits inside each byte\n");
	}
}

void printarr2(char * name, uint8_t* arr, int len)
{
	int i ;
	printf("%s :", name);
	for(i =0 ;  i< len ; i++)
	{
		printf("%02x",*(arr+i));
	}
	printf("\n");
}
Commit	Line	Data
f028213f	1	/*****************************************************************************
	2	* This file is part of iClassCipher. It is a reconstructon of the cipher engine
	3	* used in iClass, and RFID techology.
	4	*
	5	* The implementation is based on the work performed by
	6	* Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
	7	* Milosch Meriac in the paper "Dismantling IClass".
	8	*
	9	* Copyright (C) 2014 Martin Holst Swende
	10	*
	11	* This is free software: you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License version 2 as published
	13	* by the Free Software Foundation.
	14	*
	15	* This file is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU General Public License
	21	* along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
	22	****************************************************************************/
	23	/**
	24	From "Dismantling iclass":
	25	This section describes in detail the built-in key diversification algorithm of iClass.
	26	Besides the obvious purpose of deriving a card key from a master key, this
	27	algorithm intends to circumvent weaknesses in the cipher by preventing the
	28	usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass
	29	reader first encrypts the card identity id with the master key K, using single
	30	DES. The resulting ciphertext is then input to a function called hash0 which
	31	outputs the diversified key k.
	32
	33	k = hash0(DES enc (id, K))
	34
	35	Here the DES encryption of id with master key K outputs a cryptogram c
	36	of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8
	37	which is used as input to the hash0 function. This function introduces some
	38	obfuscation by performing a number of permutations, complement and modulo
	39	operations, see Figure 2.5. Besides that, it checks for and removes patterns like
	40	similar key bytes, which could produce a strong bias in the cipher. Finally, the
	41	output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 .
	42
	43
	44	**/
	45
	46
	47	#include <stdint.h>
	48	#include <stdbool.h>
	49	#include <string.h>
	50	#include "cipherutils.h"
	51	#include "cipher.h"
	52	#include "../util.h"
	53	#include <stdio.h>
	54	#include "des.h"
	55	#include <inttypes.h>
	56
	57	uint8_t pi[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78};
	58
	59	static des_context ctx_enc = {DES_ENCRYPT,{0}};
	60	static des_context ctx_dec = {DES_DECRYPT,{0}};
	61
	62	static bool debug_print = false;
	63
	64	/**
65	* @brief The key diversification algorithm uses 6-bit bytes.
66	* This implementation uses 64 bit uint to pack seven of them into one
67	* variable. When they are there, they are placed as follows:
68	* XXXX XXXX N0 .... N7, occupying the lsat 48 bits.
69	*
70	* This function picks out one from such a collection
71	* @param all
72	* @param n bitnumber
73	* @return
74	*/
75	uint8_t getSixBitByte(uint64_t c, int n)
76	{
77	return (c >> (42-6*n)) & 0x3F;
78	//return (c >> n*6) & 0x3f;
79	}
80
81	/**
82	* @brief Puts back a six-bit 'byte' into a uint64_t.
83	* @param c buffer
84	* @param z the value to place there
85	* @param n bitnumber.
86	*/
87	void pushbackSixBitByte(uint64_t *c, uint8_t z, int n)
88	{
89	//0x XXXX YYYY ZZZZ ZZZZ ZZZZ
90	// ^z0 ^z7
91	//z0: 1111 1100 0000 0000
92
93	uint64_t masked = z & 0x3F;
94	uint64_t eraser = 0x3F;
95	masked <<= 42-6*n;
96	eraser <<= 42-6*n;
97
98	//masked <<= 6*n;
99	//eraser <<= 6*n;
100
101	eraser = ~eraser;
102	(*c) &= eraser;
103	(*c) \|= masked;
104
105	}
106
107	uint64_t swapZvalues(uint64_t c)
108	{
109	uint64_t newz = 0;
110	pushbackSixBitByte(&newz, getSixBitByte(c,0),7);
111	pushbackSixBitByte(&newz, getSixBitByte(c,1),6);
112	pushbackSixBitByte(&newz, getSixBitByte(c,2),5);
113	pushbackSixBitByte(&newz, getSixBitByte(c,3),4);
114	pushbackSixBitByte(&newz, getSixBitByte(c,4),3);
115	pushbackSixBitByte(&newz, getSixBitByte(c,5),2);
116	pushbackSixBitByte(&newz, getSixBitByte(c,6),1);
117	pushbackSixBitByte(&newz, getSixBitByte(c,7),0);
118	newz \|= (c & 0xFFFF000000000000);
119	return newz;
120	}
121
122	/**
123	* @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3
124	*/
125	uint64_t ck(int i, int j, uint64_t z)
126	{
127
128	// printf("ck( i=%d, j=%d), zi=[%d],zj=[%d] \n",i,j,getSixBitByte(z,i),getSixBitByte(z,j) );
129
130	if(i == 1 && j == -1)
131	{
132	// ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
133	return z;
134
135	}else if( j == -1)
136	{
137	// ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
138	return ck(i-1,i-2, z);
139	}
140
141	if(getSixBitByte(z,i) == getSixBitByte(z,j))
142	{
143	// TODO, I dont know what they mean here in the paper
144	//ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] )
145	uint64_t newz = 0;
146	int c;
147	//printf("z[i]=z[i] (0x%02x), i=%d, j=%d\n",getSixBitByte(z,i),i,j );
148	for(c = 0; c < 4 ;c++)
149	{
150	uint8_t val = getSixBitByte(z,c);
151	if(c == i)
152	{
153	//printf("oops\n");
154	pushbackSixBitByte(&newz, j, c);
155	}else
156	{
157	pushbackSixBitByte(&newz, val, c);
158	}
159	}
160	return ck(i,j-1,newz);
161	}else
162	{
163	return ck(i,j-1,z);
164	}
165
166	}
167	/**
168
169	Definition 8.
170	Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as
171	check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] )
172
173	where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as
174
175	ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
176	ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
177	ck(i, j, z [0] . . . z [3] ) =
178	ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ;
179	ck(i, j − 1, z [0] . . . z [3] ), otherwise
180
181	otherwise.
182	**/
183
184	uint64_t check(uint64_t z)
185	{
186	//These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
187
188	// ck(3, 2, z [0] . . . z [3] )
189	uint64_t ck1 = ck(3,2, z );
190
191	// ck(3, 2, z [4] . . . z [7] )
192	uint64_t ck2 = ck(3,2, z << 24);
193	ck1 &= 0x00000000FFFFFF000000;
194	ck2 &= 0x00000000FFFFFF000000;
195
196	return ck1 \| ck2 >> 24;
197
198	}
199
200	void permute(BitstreamIn p_in, uint64_t z,int l,int r, BitstreamOut out)
201	{
202	if(bitsLeft(p_in) == 0)
203	{
204	return;
205	}
206	bool pn = tailBit(p_in);
207	if( pn ) // pn = 1
208	{
209	uint8_t zl = getSixBitByte(z,l);
210	//printf("permute pushing, zl=0x%02x, zl+1=0x%02x\n", zl, zl+1);
211	push6bits(out, zl+1);
212	permute(p_in, z, l+1,r, out);
213	}else // otherwise
214	{
215	uint8_t zr = getSixBitByte(z,r);
216	//printf("permute pushing, zr=0x%02x\n", zr);
217	push6bits(out, zr);
218	permute(p_in,z,l,r+1,out);
219	}
220	}
221	void testPermute()
222	{
223
224	uint64_t x = 0;
225	pushbackSixBitByte(&x,0x00,0);
226	pushbackSixBitByte(&x,0x01,1);
227	pushbackSixBitByte(&x,0x02,2);
228	pushbackSixBitByte(&x,0x03,3);
229	pushbackSixBitByte(&x,0x04,4);
230	pushbackSixBitByte(&x,0x05,5);
231	pushbackSixBitByte(&x,0x06,6);
232	pushbackSixBitByte(&x,0x07,7);
233
234	uint8_t mres[8] = { getSixBitByte(x, 0),
235	getSixBitByte(x, 1),
236	getSixBitByte(x, 2),
237	getSixBitByte(x, 3),
238	getSixBitByte(x, 4),
239	getSixBitByte(x, 5),
240	getSixBitByte(x, 6),
241	getSixBitByte(x, 7)};
242	printarr("input_perm", mres,8);
243
244	uint8_t p = ~pi[0];
245	BitstreamIn p_in = { &p, 8,0 };
246	uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
247	BitstreamOut out = {outbuffer,0,0};
248
249	permute(&p_in, x,0,4, &out);
250
251	uint64_t permuted = bytes_to_num(outbuffer,8);
252	//printf("zTilde 0x%"PRIX64"\n", zTilde);
253	permuted >>= 16;
254
255	uint8_t res[8] = { getSixBitByte(permuted, 0),
256	getSixBitByte(permuted, 1),
257	getSixBitByte(permuted, 2),
258	getSixBitByte(permuted, 3),
259	getSixBitByte(permuted, 4),
260	getSixBitByte(permuted, 5),
261	getSixBitByte(permuted, 6),
262	getSixBitByte(permuted, 7)};
263	printarr("permuted", res, 8);
264	}
265	void printbegin()
266	{
267	if(! debug_print)
268	return;
269
270	printf(" \| x\| y\|z0\|z1\|z2\|z3\|z4\|z5\|z6\|z7\|\n");
271	}
272
273	void printState(char* desc, int x,int y, uint64_t c)
274	{
275	if(! debug_print)
276	return;
277
278	printf("%s : ", desc);
279	//uint8_t x = (c & 0xFF00000000000000 ) >> 56;
280	//uint8_t y = (c & 0x00FF000000000000 ) >> 48;
281	printf(" %02x %02x", x,y);
282	int i ;
283	for(i =0 ; i < 8 ; i++)
284	{
285	printf(" %02x", getSixBitByte(c,i));
286	}
287	printf("\n");
288	}
289
290	/**
291	* @brief
292	*Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as
293	* hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where
294	* z'[i] = (z[i] mod (63-i)) + i i = 0...3
295	* z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3
296	* ẑ = check(z');
297	* @param c
298	* @param k this is where the diversified key is put (should be 8 bytes)
299	* @return
300	*/
301	void hash0(uint64_t c, uint8_t *k)
302	{
303	printbegin();
304	//These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
305	// x = 8 bits
306	// y = 8 bits
307	// z0-z7 6 bits each : 48 bits
308	uint8_t x = (c & 0xFF00000000000000 ) >> 56;
309	uint8_t y = (c & 0x00FF000000000000 ) >> 48;
310	printState("origin",x,y,c);
311	int n;
312	uint8_t zn, zn4, _zn, _zn4;
313	uint64_t zP = 0;
314
315	for(n = 0; n < 4 ; n++)
316	{
317	zn = getSixBitByte(c,n);
318	zn4 = getSixBitByte(c,n+4);
319
320	_zn = (zn % (63-n)) + n;
321	_zn4 = (zn4 % (64-n)) + n;
322
323	pushbackSixBitByte(&zP, _zn,n);
324	pushbackSixBitByte(&zP, _zn4,n+4);
325
326	}
327	printState("x\|y\|z'",x,y,zP);
328
329	uint64_t zCaret = check(zP);
330	printState("x\|y\|z^",x,y,zP);
331
332
333	uint8_t p = pi[x % 35];
334
335	if(x & 1) //Check if x7 is 1
336	{
337	p = ~p;
338	}
339	printState("p\|y\|z^",p,y,zP);
340	//if(debug_print) printf("p:%02x\n", p);
341
342	BitstreamIn p_in = { &p, 8,0 };
343	uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
344	BitstreamOut out = {outbuffer,0,0};
345	permute(&p_in,zCaret,0,4,&out);//returns 48 bits? or 6 8-bytes
346
347	//Out is now a buffer containing six-bit bytes, should be 48 bits
348	// if all went well
349	//printf("Permute output is %d num bits (48?)\n", out.numbits);
350	//Shift z-values down onto the lower segment
351
352	uint64_t zTilde = bytes_to_num(outbuffer,8);
353
354	//printf("zTilde 0x%"PRIX64"\n", zTilde);
355	zTilde >>= 16;
356	//printf("z~ 0x%"PRIX64"\n", zTilde);
357	printState("p\|y\|z~", p,y,zTilde);
358
359	int i;
360	int zerocounter =0 ;
361	for(i =0 ; i < 8 ; i++)
362	{
363
364	// the key on index i is first a bit from y
365	// then six bits from z,
366	// then a bit from p
367
368	// Init with zeroes
369	k[i] = 0;
370	// First, place yi leftmost in k
371	//k[i] \|= (y << i) & 0x80 ;
372
373	// First, place y(7-i) leftmost in k
374	k[i] \|= (y << (7-i)) & 0x80 ;
375
376	//printf("y%d = %d\n",i,(y << i) & 0x80);
377
378	uint8_t zTilde_i = getSixBitByte(zTilde, i);
379	//printf("zTilde_%d 0x%02x (should be <= 0x3F)\n",i, zTilde_i);
380	// zTildeI is now on the form 00XXXXXX
381	// with one leftshift, it'll be
382	// 0XXXXXX0
383	// So after leftshift, we can OR it into k
384	// However, when doing complement, we need to
385	// again MASK 0XXXXXX0 (0x7E)
386	zTilde_i <<= 1;
387
388	//Finally, add bit from p or p-mod
389	//Shift bit i into rightmost location (mask only after complement)
390	uint8_t p_i = p >> i & 0x1;
391
392	if( k[i] )// yi = 1
393	{
394	//printf("k[%d] +1\n", i);
395	k[i] \|= ~zTilde_i & 0x7E;
396	k[i] \|= p_i & 1;
397	k[i] += 1;
398
399	}else // otherwise
400	{
401	k[i] \|= zTilde_i & 0x7E;
402	k[i] \|= (~p_i) & 1;
403	}
404	if((k[i] & 1 )== 0)
405	{
406	zerocounter ++;
407	}
408	}
409	//printf("zerocounter=%d (should be 4)\n",zerocounter);
410	//printf("permute fin, y:0x%02x, x: 0x%02x\n", y, x);
411
412	//return k;
413	}
414
415	void reorder(uint8_t arr[8])
416	{
417	uint8_t tmp[4] = {arr[3],arr[2],arr[1], arr[0]};
418	arr[0] = arr[7];
419	arr[1] = arr[6];
420	arr[2] = arr[5];
421	arr[3] = arr[4];
422	arr[4] = tmp[0];//arr[3];
423	arr[5] = tmp[1];//arr[2];
424	arr[6] = tmp[2];//arr[3];
425	arr[7] = tmp[3];//arr[1]
426	}
427
428	//extern void printarr(char * name, uint8_t* arr, int len);
429
430	bool des_getParityBitFromKey(uint8_t key)
431	{//The top 7 bits is used
432	bool parity = ((key & 0x80) >> 7)
433	^ ((key & 0x40) >> 6) ^ ((key & 0x20) >> 5)
434	^ ((key & 0x10) >> 4) ^ ((key & 0x08) >> 3)
435	^ ((key & 0x04) >> 2) ^ ((key & 0x02) >> 1);
436	return !parity;
437	}
438	void des_checkParity(uint8_t* key)
439	{
440	int i;
441	int fails =0;
442	for(i =0 ; i < 8 ; i++)
443	{
444	bool parity = des_getParityBitFromKey(key[i]);
445	if(parity != (key[i] & 0x1))
446	{
447	fails++;
448	printf("parity1 fail, byte %d [%02x] was %d, should be %d\n",i,key[i],(key[i] & 0x1),parity);
449	}
450	}
451	if(fails)
452	{
453	printf("parity fails: %d\n", fails);
454	}else
455	{
456	printf("Key syntax is with parity bits inside each byte\n");
457	}
458	}
459
460	void printarr2(char * name, uint8_t* arr, int len)
461	{
462	int i ;
463	printf("%s :", name);
464	for(i =0 ; i< len ; i++)
465	{
466	printf("%02x",*(arr+i));
467	}
468	printf("\n");
469	}