Initial working, passes tests

2022-02-04 01:10:16 +00:00 · 2022-02-04 01:10:16 +00:00 · 7729776e58
commit 7729776e58
7 changed files with 8538 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,10 @@
+module romulus_m
+
+go 1.17
+
+require (
+	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/testify v1.7.0 
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,10 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/main.go
+++ b/main.go
@ -0,0 +1,14 @@
+package benncgoromulus
+
+/*
+Count = 1
+Key = 000102030405060708090A0B0C0D0E0F
+Nonce = 000102030405060708090A0B0C0D0E0F
+PT =
+AD =
+CT = 1866911F9E436083F788BBF27C62180A
+*/
+
+func main() {
+
+}
--- a/src/LWC_AEAD_KAT_128_128.txt
+++ b/src/LWC_AEAD_KAT_128_128.txt
--- a/src/enc_test.go
+++ b/src/enc_test.go
@ -0,0 +1,84 @@
+package src
+
+import (
+	"bufio"
+	"encoding/hex"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type testData struct {
+	Name  string
+	Key   []byte
+	Nonce []byte
+	// Plaintext
+	PT []byte
+	// Addional data
+	AD []byte
+	// Cipher text
+	CT []byte
+}
+
+var tests = loadTests()
+
+func loadTests() []testData {
+	var tData []testData
+	dat, _ := os.ReadFile("LWC_AEAD_KAT_128_128.txt")
+	scanner := bufio.NewScanner(strings.NewReader((string)(dat)))
+
+	var currentTest testData
+	for scanner.Scan() {
+		noSpace := strings.ReplaceAll(scanner.Text(), " ", "")
+		split := strings.Split(noSpace, "=")
+		if len(split) > 0 {
+			switch split[0] {
+			case "Count":
+				currentTest.Name = fmt.Sprintf("Test Number %v", split[1])
+			case "Key":
+				currentTest.Key, _ = hex.DecodeString(split[1])
+			case "Nonce":
+				currentTest.Nonce, _ = hex.DecodeString(split[1])
+			case "PT":
+				currentTest.PT, _ = hex.DecodeString(split[1])
+			case "AD":
+				currentTest.AD, _ = hex.DecodeString(split[1])
+			case "CT":
+				currentTest.CT, _ = hex.DecodeString(split[1])
+				tData = append(tData, currentTest)
+				currentTest = testData{}
+			}
+		}
+	}
+
+	return tData
+}
+
+func TestEnc(t *testing.T) {
+
+	for _, r := range tests {
+		t.Run(r.Name, func(t *testing.T) {
+			c := make([]byte, len(r.PT)+16)
+			var clen uint64
+			romulus_m_encrypt(c[:], &clen, r.PT, (uint64)(len(r.PT)), r.AD, (uint64)(len(r.AD)), nil, r.Nonce, r.Key)
+			assert.Equal(t, (uint64)(len(r.CT)), clen)
+			assert.Equal(t, c, r.CT)
+		})
+	}
+}
+
+func TestDec(t *testing.T) {
+
+	for _, r := range tests {
+		t.Run(r.Name, func(t *testing.T) {
+			d := make([]byte, len(r.CT))
+			var dlen uint64
+			romulus_m_decrypt(d, &dlen, nil, r.CT, (uint64)(len(r.CT)), r.AD, (uint64)(len(r.AD)), r.Nonce, r.Key)
+			assert.Equal(t, (uint64)(len(r.PT)), dlen)
+			assert.Equal(t, d[:dlen], r.PT)
+		})
+	}
+}
--- a/src/romulus_m_reference.go
+++ b/src/romulus_m_reference.go
@ -0,0 +1,569 @@
+package src
+
+/*
+ * Date: 05 May 2021
+ * Contact: Romulus Team (Mustafa Khairallah - mustafa.khairallah@ntu.edu.sg)
+ * Romulus-M as compliant with the Romulus v1.3 specifications.
+ * This file icludes the functions of Romulus-N
+ * It superseeds earlier versions developed by Mustafa Khairallah and maintained
+ * by Mustafa Khairallah, Thomas Peyrin and Kazuhiko Minematsu
+ */
+
+// Padding function: pads the byte length of the message mod 16 to the last incomplete block.
+// For complete blocks it returns the same block.
+func pad(m []byte, mp []byte, l int, len8 int) {
+	var i int
+
+	for i = 0; i < l; i++ {
+		if i < len8 {
+			mp[i] = m[i]
+		} else if i == l-1 {
+			mp[i] = byte(len8 & 0x0f)
+		} else {
+			mp[i] = 0x00
+		}
+	}
+}
+
+// G(S): generates the key stream from the internal state by multiplying the state S by the constant matrix G
+func g8A(s []byte, c []byte) {
+	var i int
+
+	for i = 0; i < 16; i++ {
+		c[i] = (s[i] >> 1) ^ (s[i] & 0x80) ^ ((s[i] & 0x01) << 7)
+	}
+}
+
+// Rho(S,A) pads an A block and XORs it to the internal state.
+func rho_ad(m []byte, s []byte, len8 int, ver int) {
+	var i int
+	var mp [16]byte
+
+	pad(m, mp[:], ver, len8)
+	for i = 0; i < ver; i++ {
+		s[i] = s[i] ^ mp[i]
+	}
+}
+
+// Rho(S,M): pads an M block and outputs S'= M xor S and C = M xor G(S)
+func rho(m []byte, c []byte, s []byte, len8 int, ver int) {
+	var i int
+	var mp [16]byte
+
+	pad(m, mp[:], ver, len8)
+
+	g8A(s, c)
+	for i = 0; i < ver; i++ {
+		s[i] = s[i] ^ mp[i]
+		if i < len8 {
+			c[i] = c[i] ^ mp[i]
+		} else {
+			c[i] = 0
+		}
+	}
+}
+
+// Inverse-Rho(S,M): pads a C block and outputs S'= C xor G(S) xor S and M = C xor G(S)
+func irho(m []byte, c []byte, s []byte, len8 int, ver int) {
+	var i int
+	var cp [16]byte
+
+	pad(c, cp[:], ver, len8)
+
+	g8A(s, m)
+	for i = 0; i < ver; i++ {
+		if i < len8 {
+			s[i] = s[i] ^ cp[i] ^ m[i]
+		} else {
+			s[i] = s[i] ^ cp[i]
+		}
+
+		if i < len8 {
+			m[i] = m[i] ^ cp[i]
+		} else {
+			m[i] = 0
+		}
+	}
+}
+
+// Resets the value of the counter.
+func reset_lfsr_gf56(CNT []byte) {
+	CNT[0] = 0x01
+	CNT[1] = 0x00
+	CNT[2] = 0x00
+	CNT[3] = 0x00
+	CNT[4] = 0x00
+	CNT[5] = 0x00
+	CNT[6] = 0x00
+}
+
+// Applies CNT'=2 * CNT (mod GF(2^56)), where GF(2^56) is defined using the irreducible polynomial
+// x^56 + x^7 + x^4 + x^2 + 1
+func lfsr_gf56(CNT []byte) {
+	var fb0 byte
+
+	fb0 = CNT[6] >> 7
+
+	CNT[6] = CNT[6]<<1 | CNT[5]>>7
+	CNT[5] = CNT[5]<<1 | CNT[4]>>7
+	CNT[4] = CNT[4]<<1 | CNT[3]>>7
+	CNT[3] = CNT[3]<<1 | CNT[2]>>7
+	CNT[2] = CNT[2]<<1 | CNT[1]>>7
+	CNT[1] = CNT[1]<<1 | CNT[0]>>7
+	if fb0 == 1 {
+		CNT[0] = (CNT[0] << 1) ^ 0x95
+	} else {
+		CNT[0] = CNT[0] << 1
+	}
+}
+
+// Combines the secret key, nonce (or A block), counter and domain bits to form the full 384-bit tweakey
+func compose_tweakey(KT []byte, K []byte, T []byte, CNT []byte, D byte, t int) {
+	var i int
+
+	for i = 0; i < 7; i++ {
+		KT[i] = CNT[i]
+	}
+
+	KT[i] = D
+	for i = 8; i < 16; i++ {
+		KT[i] = 0x00
+	}
+
+	for i = 0; i < t; i++ {
+		KT[i+16] = T[i]
+	}
+
+	for i = 0; i < 16; i++ {
+		KT[i+16+t] = K[i]
+	}
+}
+
+// An interface between Romulus and the underlying TBC
+func block_cipher(s []byte, k []byte, T []byte, CNT []byte, D byte, t int) {
+	var KT [48]byte
+
+	compose_tweakey(KT[:], k, T, CNT, D, t)
+	skinny_128_384_plus_enc(s, KT[:])
+}
+
+// Calls the TBC using the nonce as part of the tweakey
+func nonce_encryption(N []byte, CNT []byte, s []byte, k []byte, t int, D byte) {
+	var T [16]byte
+	var i int
+	for i = 0; i < t; i++ {
+		T[i] = N[i]
+	}
+
+	block_cipher(s, k, T[:], CNT, D, t)
+}
+
+// Generates the tag T from the final state S by applying T=G(S).
+func generate_tag(c *[]byte, s []byte, n int, clen *uint64) {
+	g8A(s, *c)
+	// For some reason im going to assert that n-clen is positive
+	*c = (*c)[(uint64)(n)-*clen:]
+	//*c = *c - *clen
+}
+
+// Absorbs and encrypts the message blocks.
+func msg_encryption(M *[]byte, c *[]byte, N []byte, CNT []byte, s []byte, k []byte, n uint, t uint, D byte, mlen uint64) uint64 {
+	var len8 int
+
+	if mlen >= uint64(n) {
+		len8 = int(n)
+		mlen = mlen - uint64(n)
+	} else {
+		len8 = int(mlen)
+		mlen = 0
+	}
+
+	rho(*M, *c, s, len8, int(n))
+	*c = (*c)[len8:]
+	*M = (*M)[len8:]
+	lfsr_gf56(CNT)
+	nonce_encryption(N, CNT, s, k, int(t), D)
+	return mlen
+}
+
+// Absorbs and decrypts the ciphertext blocks.
+func msg_decryption(M *[]byte, c *[]byte, N []byte, CNT []byte, s []byte, k []byte, n uint, t uint, D byte, clen uint64) uint64 {
+	var len8 int
+
+	if clen >= uint64(n) {
+		len8 = int(n)
+		clen = clen - uint64(n)
+	} else {
+		len8 = int(clen)
+		clen = 0
+	}
+
+	irho(*M, *c, s, len8, int(n))
+	*c = (*c)[len8:]
+	*M = (*M)[len8:]
+	lfsr_gf56(CNT)
+	nonce_encryption(N, CNT, s, k, int(t), D)
+	return clen
+}
+
+// Handles the special case when the number of blocks of A is odd
+func ad2msg_encryption(M *[]byte, CNT []byte, s []byte, k []byte, t uint, D byte, mlen uint64) uint64 {
+	var T [16]byte
+	var len8 int
+
+	if mlen <= uint64(t) {
+		len8 = int(mlen)
+		mlen = 0
+	} else {
+		len8 = int(t)
+		mlen = mlen - uint64(t)
+	}
+
+	pad(*M, T[:], int(t), len8)
+
+	block_cipher(s, k, T[:], CNT, D, int(t))
+	lfsr_gf56(CNT)
+	*M = (*M)[len8:]
+
+	return mlen
+}
+
+// Absorbs the AD blocks.
+func ad_encryption(A *[]byte, s []byte, k []byte, adlen uint64, CNT []byte, D byte, n uint, t uint) uint64 {
+	var T [16]byte
+	var len8 int
+
+	if adlen >= uint64(n) {
+		len8 = int(n)
+		adlen = adlen - uint64(n)
+	} else {
+		len8 = int(adlen)
+		adlen = 0
+	}
+
+	rho_ad(*A, s, len8, int(n))
+	*A = (*A)[len8:]
+	lfsr_gf56(CNT)
+
+	if adlen != 0 {
+		if adlen >= uint64(t) {
+			len8 = int(t)
+			adlen = adlen - uint64(t)
+		} else {
+			len8 = int(adlen)
+			adlen = 0
+		}
+
+		pad(*A, T[:], int(t), len8)
+		*A = (*A)[len8:]
+		block_cipher(s, k, T[:], CNT, D, int(t))
+		lfsr_gf56(CNT)
+	}
+
+	return adlen
+}
+
+func romulus_m_encrypt(c []byte, clen *uint64, m []byte, mlen uint64, ad []byte, adlen uint64, nsec []byte, npub []byte, k []byte) int {
+	var s [16]byte
+	var CNT [7]byte
+	var T [16]byte
+	var N []byte
+	var n uint
+	var t uint
+	var i uint
+	var w byte
+	var xlen uint64
+
+	N = npub
+	mstart := m[:]
+	cstart := c[:]
+	n = 16
+	t = 16
+
+	xlen = mlen
+
+	for i = 0; i < n; i++ {
+		s[i] = 0
+	}
+
+	reset_lfsr_gf56(CNT[:])
+
+	// Calculating the domain separation bits for the last block MAC TBC call depending on the length of M and AD
+	w = 48
+
+	if adlen == 0 {
+		w = w ^ 2
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(t) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(t) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else if adlen%uint64(n+t) == 0 {
+		w = w ^ 8
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(n) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(n) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else if adlen%uint64(n+t) < uint64(n) {
+		w = w ^ 2
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(t) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(t) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else if adlen%uint64(n+t) == uint64(n) {
+		w = w ^ 0
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(t) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(t) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else {
+		w = w ^ 10
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(n) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(n) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	}
+
+	if adlen == 0 { // AD is an empty string
+		lfsr_gf56(CNT[:])
+	} else {
+		for adlen > 0 {
+			adlen = ad_encryption(&ad, s[:], k, adlen, CNT[:], 40, n, t)
+		}
+	}
+
+	if w&8 == 0 {
+		xlen = ad2msg_encryption(&m, CNT[:], s[:], k, t, 44, xlen)
+	} else if mlen == 0 {
+		lfsr_gf56(CNT[:])
+	}
+
+	for xlen > 0 {
+		xlen = ad_encryption(&m, s[:], k, xlen, CNT[:], 44, n, t)
+	}
+
+	nonce_encryption(N, CNT[:], s[:], k, int(t), w)
+
+	// Tag generation
+	g8A(s[:], T[:])
+
+	m = mstart
+
+	reset_lfsr_gf56(CNT[:])
+
+	for i = 0; i < n; i = i + 1 {
+		s[i] = T[i]
+	}
+
+	n = 16
+	*clen = mlen + uint64(n)
+
+	if mlen > 0 {
+		nonce_encryption(N, CNT[:], s[:], k, int(t), 36)
+		for mlen > uint64(n) {
+			mlen = msg_encryption(&m, &c, N, CNT[:], s[:], k, n, t, 36, mlen)
+		}
+
+		rho(m, c, s[:], int(mlen), 16)
+		c = c[mlen:]
+		m = m[mlen:]
+	}
+
+	// Tag Concatenation
+	for i = 0; i < 16; i = i + 1 {
+		(c[i:])[0] = T[i]
+	}
+
+	c = cstart
+
+	return 0
+}
+
+func romulus_m_decrypt(m []byte, mlen *uint64, nsec []byte, c []byte, clen uint64, ad []byte, adlen uint64, npub []byte, k []byte) int {
+	var s [16]byte
+	var CNT [7]byte
+	var T [16]byte
+	var N []byte
+	var n uint
+	var t uint
+	var i uint
+	var w byte
+	var xlen uint64
+	var mauth []byte
+
+	mauth = m
+
+	N = npub
+
+	n = 16
+	t = 16
+
+	xlen = clen - 16
+
+	reset_lfsr_gf56(CNT[:])
+
+	for i = 0; i < 16; i++ {
+		T[i] = (c[clen-16+uint64(i):])[0]
+	}
+
+	for i = 0; i < n; i = i + 1 {
+		s[i] = T[i]
+	}
+
+	n = 16
+	clen = clen - 16
+	*mlen = clen
+
+	if clen > 0 {
+		nonce_encryption(N, CNT[:], s[:], k, int(t), 36)
+		for clen > uint64(n) {
+			clen = msg_decryption(&m, &c, N, CNT[:], s[:], k, n, t, 36, clen)
+		}
+
+		irho(m, c, s[:], int(clen), 16)
+		c = c[clen:]
+		m = m[clen:]
+	}
+
+	for i = 0; i < n; i++ {
+		s[i] = 0
+	}
+
+	reset_lfsr_gf56(CNT[:])
+
+	// Calculating the domain separation bits for the last block MAC TBC call depending on the length of M and AD
+	w = 48
+
+	if adlen == 0 {
+		w = w ^ 2
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(t) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(t) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else if adlen%uint64(n+t) == 0 {
+		w = w ^ 8
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(n) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(n) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else if adlen%uint64(n+t) < uint64(n) {
+		w = w ^ 2
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(t) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(t) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else if adlen%uint64(n+t) == uint64(n) {
+		w = w ^ 0
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(t) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(t) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	} else {
+		w = w ^ 10
+		if xlen == 0 {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == 0 {
+			w = w ^ 4
+		} else if xlen%uint64(n+t) < uint64(n) {
+			w = w ^ 1
+		} else if xlen%uint64(n+t) == uint64(n) {
+			w = w ^ 0
+		} else {
+			w = w ^ 5
+		}
+	}
+
+	if adlen == 0 { // AD is an empty string
+		lfsr_gf56(CNT[:])
+	} else {
+		for adlen > 0 {
+			adlen = ad_encryption(&ad, s[:], k, adlen, CNT[:], 40, n, t)
+		}
+	}
+
+	if w&8 == 0 {
+		xlen = ad2msg_encryption(&mauth, CNT[:], s[:], k, t, 44, xlen)
+	} else if clen == 0 {
+		lfsr_gf56(CNT[:])
+	}
+
+	for xlen > 0 {
+		xlen = ad_encryption(&mauth, s[:], k, xlen, CNT[:], 44, n, t)
+	}
+
+	nonce_encryption(N, CNT[:], s[:], k, int(t), w)
+
+	// Tag generation
+	g8A(s[:], T[:])
+
+	// Tag verification
+	for i = 0; i < 16; i++ {
+		if T[i] != ((c[i:])[0]) {
+			return -1
+		}
+	}
+
+	return 0
+}
--- a/src/skinny_reference.go
+++ b/src/skinny_reference.go
@ -0,0 +1,228 @@
+package src
+
+/*
+ * Date: 11 December 2015
+ * Contact: Thomas Peyrin - thomas.peyrin@gmail.com
+ * Modified on 04 May 2021 by Mustafa Khairallah - Modified the code
+ * to implement only the SKINNY-128-384+ encryption version of Skinny for
+ * Romulus v1.3, the NIST LwC finalist.
+ * mustafa.khairallah@ntu.edu.sg
+ */
+
+/*
+ * This file includes only the encryption function of SKINNY-128-384+ as required by Romulus-v1.3
+ */
+
+// Skinny-128-384+ parameters: 128-bit block, 384-bit tweakey and 40 rounds
+var BLOCK_SIZE int = 128
+
+var TWEAKEY_SIZE int = 384
+
+var N_RNDS int = 40
+
+// Packing of data is done as follows (state[i][j] stands for row i and column j):
+// 0  1  2  3
+// 4  5  6  7
+// 8  9 10 11
+//12 13 14 15
+
+// 8-bit Sbox
+var sbox_8 = [256]byte{0x65, 0x4c, 0x6a, 0x42, 0x4b, 0x63, 0x43, 0x6b, 0x55, 0x75, 0x5a, 0x7a, 0x53, 0x73, 0x5b, 0x7b, 0x35, 0x8c, 0x3a, 0x81, 0x89, 0x33, 0x80, 0x3b, 0x95, 0x25, 0x98, 0x2a, 0x90, 0x23, 0x99, 0x2b, 0xe5, 0xcc, 0xe8, 0xc1, 0xc9, 0xe0, 0xc0, 0xe9, 0xd5, 0xf5, 0xd8, 0xf8, 0xd0, 0xf0, 0xd9, 0xf9, 0xa5, 0x1c, 0xa8, 0x12, 0x1b, 0xa0, 0x13, 0xa9, 0x05, 0xb5, 0x0a, 0xb8, 0x03, 0xb0, 0x0b, 0xb9, 0x32, 0x88, 0x3c, 0x85, 0x8d, 0x34, 0x84, 0x3d, 0x91, 0x22, 0x9c, 0x2c, 0x94, 0x24, 0x9d, 0x2d, 0x62, 0x4a, 0x6c, 0x45, 0x4d, 0x64, 0x44, 0x6d, 0x52, 0x72, 0x5c, 0x7c, 0x54, 0x74, 0x5d, 0x7d, 0xa1, 0x1a, 0xac, 0x15, 0x1d, 0xa4, 0x14, 0xad, 0x02, 0xb1, 0x0c, 0xbc, 0x04, 0xb4, 0x0d, 0xbd, 0xe1, 0xc8, 0xec, 0xc5, 0xcd, 0xe4, 0xc4, 0xed, 0xd1, 0xf1, 0xdc, 0xfc, 0xd4, 0xf4, 0xdd, 0xfd, 0x36, 0x8e, 0x38, 0x82, 0x8b, 0x30, 0x83, 0x39, 0x96, 0x26, 0x9a, 0x28, 0x93, 0x20, 0x9b, 0x29, 0x66, 0x4e, 0x68, 0x41, 0x49, 0x60, 0x40, 0x69, 0x56, 0x76, 0x58, 0x78, 0x50, 0x70, 0x59, 0x79, 0xa6, 0x1e, 0xaa, 0x11, 0x19, 0xa3, 0x10, 0xab, 0x06, 0xb6, 0x08, 0xba, 0x00, 0xb3, 0x09, 0xbb, 0xe6, 0xce, 0xea, 0xc2, 0xcb, 0xe3, 0xc3, 0xeb, 0xd6, 0xf6, 0xda, 0xfa, 0xd3, 0xf3, 0xdb, 0xfb, 0x31, 0x8a, 0x3e, 0x86, 0x8f, 0x37, 0x87, 0x3f, 0x92, 0x21, 0x9e, 0x2e, 0x97, 0x27, 0x9f, 0x2f, 0x61, 0x48, 0x6e, 0x46, 0x4f, 0x67, 0x47, 0x6f, 0x51, 0x71, 0x5e, 0x7e, 0x57, 0x77, 0x5f, 0x7f, 0xa2, 0x18, 0xae, 0x16, 0x1f, 0xa7, 0x17, 0xaf, 0x01, 0xb2, 0x0e, 0xbe, 0x07, 0xb7, 0x0f, 0xbf, 0xe2, 0xca, 0xee, 0xc6, 0xcf, 0xe7, 0xc7, 0xef, 0xd2, 0xf2, 0xde, 0xfe, 0xd7, 0xf7, 0xdf, 0xff}
+
+// ShiftAndSwitchRows permutation
+var P = [16]byte{0, 1, 2, 3, 7, 4, 5, 6, 10, 11, 8, 9, 13, 14, 15, 12}
+
+// Tweakey permutation
+var TWEAKEY_P = [16]byte{9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7}
+
+// round constants
+var RC = [40]byte{
+	0x01,
+	0x03,
+	0x07,
+	0x0F,
+	0x1F,
+	0x3E,
+	0x3D,
+	0x3B,
+	0x37,
+	0x2F,
+	0x1E,
+	0x3C,
+	0x39,
+	0x33,
+	0x27,
+	0x0E,
+	0x1D,
+	0x3A,
+	0x35,
+	0x2B,
+	0x16,
+	0x2C,
+	0x18,
+	0x30,
+	0x21,
+	0x02,
+	0x05,
+	0x0B,
+	0x17,
+	0x2E,
+	0x1C,
+	0x38,
+	0x31,
+	0x23,
+	0x06,
+	0x0D,
+	0x1B,
+	0x36,
+	0x2D,
+	0x1A,
+}
+
+// Extract and apply the subtweakey to the internal state (must be the two top rows XORed together), then update the tweakey state
+func AddKey(state [][4]byte, keyCells [][4][4]byte) {
+	var i int
+	var j int
+	var k int
+	var pos byte
+	var keyCells_tmp [3][4][4]byte
+
+	// apply the subtweakey to the internal state
+	for i = 0; i <= 1; i++ {
+		for j = 0; j < 4; j++ {
+			state[i][j] ^= keyCells[0][i][j] ^ keyCells[1][i][j] ^ keyCells[2][i][j]
+		}
+	}
+
+	// update the subtweakey states with the permutation
+	for k = 0; k < int(TWEAKEY_SIZE/BLOCK_SIZE); k++ {
+		for i = 0; i < 4; i++ {
+			for j = 0; j < 4; j++ {
+				//application of the TWEAKEY permutation
+				pos = TWEAKEY_P[j+4*i]
+
+				keyCells_tmp[k][i][j] = keyCells[k][pos>>2][pos&0x3]
+			}
+		}
+	}
+
+	// update the subtweakey states with the LFSRs
+	for k = 0; k < int(TWEAKEY_SIZE/BLOCK_SIZE); k++ {
+		for i = 0; i <= 1; i++ {
+			for j = 0; j < 4; j++ {
+				//application of LFSRs for TK updates
+				if k == 1 {
+					keyCells_tmp[k][i][j] = ((keyCells_tmp[k][i][j] << 1) & 0xFE) ^ ((keyCells_tmp[k][i][j] >> 7) & 0x01) ^ ((keyCells_tmp[k][i][j] >> 5) & 0x01)
+				} else if k == 2 {
+					keyCells_tmp[k][i][j] = ((keyCells_tmp[k][i][j] >> 1) & 0x7F) ^ ((keyCells_tmp[k][i][j] << 7) & 0x80) ^ ((keyCells_tmp[k][i][j] << 1) & 0x80)
+				}
+			}
+		}
+	}
+
+	for k = 0; k < int(TWEAKEY_SIZE/BLOCK_SIZE); k++ {
+		for i = 0; i < 4; i++ {
+			for j = 0; j < 4; j++ {
+				keyCells[k][i][j] = keyCells_tmp[k][i][j]
+			}
+		}
+	}
+}
+
+// Apply the constants: using a LFSR counter on 6 bits, we XOR the 6 bits to the first 6 bits of the internal state
+func AddConstants(state [][4]byte, r int) {
+	state[0][0] ^= (RC[r] & 0xf)
+	state[1][0] ^= ((RC[r] >> 4) & 0x3)
+	state[2][0] ^= 0x2
+}
+
+// apply the 8-bit Sbox
+func SubCell8(state [][4]byte) {
+	var i int
+	var j int
+	for i = 0; i < 4; i++ {
+		for j = 0; j < 4; j++ {
+			state[i][j] = sbox_8[state[i][j]]
+		}
+	}
+}
+
+// Apply the ShiftRows function
+func ShiftRows(state [][4]byte) {
+	var i int
+	var j int
+	var pos int
+	var state_tmp [4][4]byte
+	for i = 0; i < 4; i++ {
+		for j = 0; j < 4; j++ {
+			//application of the ShiftRows permutation
+			pos = int(P[j+4*i])
+
+			state_tmp[i][j] = state[pos>>2][pos&0x3]
+		}
+	}
+
+	for i = 0; i < 4; i++ {
+		for j = 0; j < 4; j++ {
+			state[i][j] = state_tmp[i][j]
+		}
+	}
+}
+
+// Apply the linear diffusion matrix
+//M =
+//1 0 1 1
+//1 0 0 0
+//0 1 1 0
+//1 0 1 0
+func MixColumn(state [][4]byte) {
+	var j int
+	var temp byte
+
+	for j = 0; j < 4; j++ {
+		state[1][j] ^= state[2][j]
+		state[2][j] ^= state[0][j]
+		state[3][j] ^= state[2][j]
+
+		temp = state[3][j]
+		state[3][j] = state[2][j]
+		state[2][j] = state[1][j]
+		state[1][j] = state[0][j]
+		state[0][j] = temp
+	}
+}
+
+// encryption function of Skinny-128-384+
+func enc(input []byte, userkey []byte) {
+	var state [4][4]byte
+	var keyCells [3][4][4]byte
+	var i int
+
+	//memset(keyCells, 0, 48);
+	for i = 0; i < 16; i++ {
+		state[i>>2][i&0x3] = input[i] & 0xFF
+		keyCells[0][i>>2][i&0x3] = userkey[i] & 0xFF
+		keyCells[1][i>>2][i&0x3] = userkey[i+16] & 0xFF
+		keyCells[2][i>>2][i&0x3] = userkey[i+32] & 0xFF
+	}
+
+	for i = 0; i < N_RNDS; i++ {
+		SubCell8(state[:])
+
+		AddConstants(state[:], i)
+
+		AddKey(state[:], keyCells[:])
+
+		ShiftRows(state[:])
+
+		MixColumn(state[:])
+	}
+
+	for i = 0; i < 16; i++ {
+		input[i] = state[i>>2][i&0x3] & 0xFF
+	}
+}
+
+func skinny_128_384_plus_enc(input []byte, userkey []byte) {
+	enc(input, userkey)
+}