RubyGems - twofish - Versions diffs - 1.0.2 → 1.0.3 - Mend

twofish 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

data/README.rdoc CHANGED Viewed

@@ -90,6 +90,17 @@ Aside from this README, rdoc documentation may be built as follows:
 The documentation will be built in the rdoc subdirectory.
+=== Benchmark
+A simple benchmark can be found in test/benchmark.rb and can be run
+thusly:
+    rake benchmark
+Ruby 1.9 is approximately three times faster than ruby 1.8.7
+(Ubuntu x86-64).
 === Bugs, omissions and weaknesses
 Encryption and decryption are (not unexpectedly) slow. If you need a
@@ -97,11 +108,6 @@ faster implementation for Ruby then the BouncyCastle provider
 (http://www.bouncycastle.org) plays well with JRuby (http://www.jruby.org).
 See above ("Unit tests") for a sample script.
-The original "pure Perl" implementation used Perl's integer pragma.
-This implementation uses a private method mask32 to strip off any high
-order bits in an effort to prevent (slow) promotion of Fixnums to Bignums.
-This is a little clumsy and probably could be quicker.
 Ruby >=1.9 introduces string encodings. The current workaround uses
 #ord and #chr but this is not very satisfactory: it would be preferable
 to move to byte arrays throughout.

data/Rakefile CHANGED Viewed

@@ -1,35 +1,38 @@
+require 'benchmark'
 require 'rake'
 require 'rake/clean'
-require 'rake/gempackagetask'
-require 'rake/rdoctask'
 require 'rake/testtask'
+require 'rdoc/task'
+require 'rubygems/package_task'
 desc 'Default task (test)'
 task :default => [:test]
 Rake::TestTask.new('test') do |test|
-  test.pattern = 'test/*.rb'
+  test.pattern = 'test/test_*.rb'
   test.warning = true
 end
+Rake::TestTask.new('benchmark') do |test|
+  test.pattern = 'test/benchmark.rb'
+end
 SPECFILE = 'twofish.gemspec'
 if File.exist?(SPECFILE)
   spec = eval( File.read(SPECFILE) )
-  Rake::GemPackageTask.new(spec) do |pkg|
+  Gem::PackageTask.new(spec) do |pkg|
     pkg.need_tar = true
   end
 end
-Rake::RDocTask.new do |rdoc|
+RDoc::Task.new do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = 'twofish.rb'
-  rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.options << '-A cattr_accessor=object'
+  rdoc.options << '--line-numbers'
   rdoc.options << '--charset' << 'utf-8'
   rdoc.options << '--all'
   rdoc.rdoc_files.include('README.rdoc')
-  rdoc.rdoc_files.include('lib/twofish.rb')
-  rdoc.rdoc_files.include('test/test_twofish.rb')
+  rdoc.rdoc_files.include(Dir[ 'lib/**/*' ])
 end

data/lib/string.rb ADDED Viewed

@@ -0,0 +1,16 @@
+class String
+  unless method_defined?(:byteslice)
+    def byteslice(*args)
+      self.dup.force_encoding('ASCII-8BIT').slice!(*args)
+    end
+  end
+  unless method_defined?(:force_encoding)
+    def force_encoding(encoding)
+      self # noop
+    end
+  end
+end

data/lib/twofish.rb CHANGED Viewed

@@ -8,9 +8,26 @@
 # encryption algorithm based on original work by Guido Flohr.
 class Twofish
-  attr_reader :iv, :key_size, :mode, :padding # setters for iv, mode defined below for validation
+  require 'string' # monkey patch for MRI 1.8.7
+  require 'twofish/mode'
+  require 'twofish/padding'
-  BLOCK_SIZE = 16 # 16 bytes, 128 bits
+  # Setters for iv, mode defined below for validation
+  # Initialization vector for CBC mode.
+  attr_reader :iv
+  # The size of the key in bytes (16, 24, 32 bytes).
+  attr_reader :key_size
+  # Encryption mode eg Mode::ECB (default) or Mode::CBC.
+  attr_reader :mode
+  # Padding algorithm eg Padding::NONE (default) or Padding::ZERO_BYTE.
+  attr_reader :padding
+  # The block size in bytes (16).
+  BLOCK_SIZE = 16
   #:stopdoc:
   Q0 = [
@@ -323,7 +340,7 @@ class Twofish
     # consists of four equal bytes, each with the value i. The function
     # h is only applied to words of this type, so we only pass it the
     # value of i.
-    k = []
+    @k = []
     # The key-dependent S-boxes used in the g() function are created
     # below. They are defined by g(X) = h(X, S), where S is the vector
@@ -333,12 +350,11 @@ class Twofish
     # The relevant lookup tables qN have been precomputed and stored in
     # tables.h; we also perform full key precomputations incorporating
     # the MDS matrix multiplications.
-    xS0, xS1, xS2, xS3 = [], [], [], []
+    @xS0, @xS1, @xS2, @xS3 = [], [], [], []
     case @key_size
     when 16
       s7, s6, s5, s4 = *mds_rem(le_longs[0], le_longs[1])
       s3, s2, s1, s0 = *mds_rem(le_longs[2], le_longs[3])
-      a, b = 0, 0
       (0..38).step(2) do |i|
         j = i + 1
         a = M0[Q0[Q0[i] ^ key[8]]  ^ key[0]] ^
@@ -349,23 +365,22 @@ class Twofish
             M1[Q0[Q1[j] ^ key[13]] ^ key[5]] ^
             M2[Q1[Q0[j] ^ key[14]] ^ key[6]] ^
             M3[Q1[Q1[j] ^ key[15]] ^ key[7]]
-        b = mask32(b << 8) | (b >> 24)
-        a = mask32(a+b)
-        k.push(a)
-        a = mask32(a+b)
-        k.push(mask32(a << 9) | a >> 23)
+        b = ((b & 0xffffff) << 8) | (b >> 24)
+        a = 0xffffffff & (a+b)
+        @k.push(a)
+        a = 0xffffffff & (a+b)
+        @k.push((a & 0x7fffff) << 9 | a >> 23)
       end
       (0..255).each do |i|
-        xS0[i] = M0[Q0[Q0[i] ^ s4] ^ s0]
-        xS1[i] = M1[Q0[Q1[i] ^ s5] ^ s1]
-        xS2[i] = M2[Q1[Q0[i] ^ s6] ^ s2]
-        xS3[i] = M3[Q1[Q1[i] ^ s7] ^ s3]
+        @xS0[i] = M0[Q0[Q0[i] ^ s4] ^ s0]
+        @xS1[i] = M1[Q0[Q1[i] ^ s5] ^ s1]
+        @xS2[i] = M2[Q1[Q0[i] ^ s6] ^ s2]
+        @xS3[i] = M3[Q1[Q1[i] ^ s7] ^ s3]
       end
     when 24
       sb, sa, s9, s8 = *mds_rem(le_longs[0], le_longs[1])
       s7, s6, s5, s4 = *mds_rem(le_longs[2], le_longs[3])
       s3, s2, s1, s0 = *mds_rem(le_longs[4], le_longs[5])
-      j = 1
       (0..38).step(2) do |i|
         j = i + 1
         a = M0[Q0[Q0[Q1[i] ^ key[16]] ^ key[8]]  ^ key[0]] ^
@@ -376,24 +391,23 @@ class Twofish
             M1[Q0[Q1[Q1[j] ^ key[21]] ^ key[13]] ^ key[5]] ^
             M2[Q1[Q0[Q0[j] ^ key[22]] ^ key[14]] ^ key[6]] ^
             M3[Q1[Q1[Q0[j] ^ key[23]] ^ key[15]] ^ key[7]]
-        b = mask32(b << 8) | (b >> 24)
-        a = mask32(a+b)
-        k.push(a)
-        a = mask32(a+b)
-        k.push(mask32(a << 9) | a >> 23)
+        b = ((b & 0xffffff) << 8) | (b >> 24)
+        a = 0xffffffff & (a+b)
+        @k.push(a)
+        a = 0xffffffff & (a+b)
+        @k.push((a & 0x7fffff) << 9 | a >> 23)
       end
       (0..255).each do |i|
-        xS0[i] = M0[Q0[Q0[Q1[i] ^ s8] ^ s4] ^ s0]
-        xS1[i] = M1[Q0[Q1[Q1[i] ^ s9] ^ s5] ^ s1]
-        xS2[i] = M2[Q1[Q0[Q0[i] ^ sa] ^ s6] ^ s2]
-        xS3[i] = M3[Q1[Q1[Q0[i] ^ sb] ^ s7] ^ s3]
+        @xS0[i] = M0[Q0[Q0[Q1[i] ^ s8] ^ s4] ^ s0]
+        @xS1[i] = M1[Q0[Q1[Q1[i] ^ s9] ^ s5] ^ s1]
+        @xS2[i] = M2[Q1[Q0[Q0[i] ^ sa] ^ s6] ^ s2]
+        @xS3[i] = M3[Q1[Q1[Q0[i] ^ sb] ^ s7] ^ s3]
       end
     when 32
       sf, se, sd, sc = *mds_rem(le_longs[0], le_longs[1])
       sb, sa, s9, s8 = *mds_rem(le_longs[2], le_longs[3])
       s7, s6, s5, s4 = *mds_rem(le_longs[4], le_longs[5])
       s3, s2, s1, s0 = *mds_rem(le_longs[6], le_longs[7])
-      j = 1
       (0..38).step(2) do |i|
         j = i + 1
         a = M0[Q0[Q0[Q1[Q1[i] ^ key[24]] ^ key[16]] ^ key[8]]  ^ key[0]] ^
@@ -404,25 +418,22 @@ class Twofish
             M1[Q0[Q1[Q1[Q0[j] ^ key[29]] ^ key[21]] ^ key[13]] ^ key[5]] ^
             M2[Q1[Q0[Q0[Q0[j] ^ key[30]] ^ key[22]] ^ key[14]] ^ key[6]] ^
             M3[Q1[Q1[Q0[Q1[j] ^ key[31]] ^ key[23]] ^ key[15]] ^ key[7]]
-        b = mask32(b << 8) | (b >> 24)
-        a = mask32(a+b)
-        k.push(a)
-        a = mask32(a+b)
-        k.push(mask32(a << 9) | a >> 23)
+        b = ((b & 0xffffff) << 8) | (b >> 24)
+        a = 0xffffffff & (a+b)
+        @k.push(a)
+        a = 0xffffffff & (a+b)
+        @k.push((a & 0x7fffff) << 9 | a >> 23)
       end
       (0..255).each do |i|
-        xS0[i] = M0[Q0[Q0[Q1[Q1[i]^sc]^s8]^s4]^s0]
-        xS1[i] = M1[Q0[Q1[Q1[Q0[i]^sd]^s9]^s5]^s1]
-        xS2[i] = M2[Q1[Q0[Q0[Q0[i]^se]^sa]^s6]^s2]
-        xS3[i] = M3[Q1[Q1[Q0[Q1[i]^sf]^sb]^s7]^s3]
+        @xS0[i] = M0[Q0[Q0[Q1[Q1[i]^sc]^s8]^s4]^s0]
+        @xS1[i] = M1[Q0[Q1[Q1[Q0[i]^sd]^s9]^s5]^s1]
+        @xS2[i] = M2[Q1[Q0[Q0[Q0[i]^se]^sa]^s6]^s2]
+        @xS3[i] = M3[Q1[Q1[Q0[Q1[i]^sf]^sb]^s7]^s3]
       end
     else
       raise ArgumentError, "invalid key length #{@key_size} (expecting 16, 24 or 32 bytes)"
     end
-    @k = k
-    @s = [ xS0, xS1, xS2, xS3 ]
   end
   # Assign the initialization vector.
@@ -440,14 +451,14 @@ class Twofish
   # set to Mode::ECB then the IV will be ignored for any
   # encrypt/decrypt operations.
   def mode=(mode)
-    @mode = Mode::validate(mode)
+    @mode = Mode.validate(mode)
   end
   # Set the padding scheme for the (CBC mode) cipher
   # (Padding::NONE == :none or Padding::ZERO_BYTE ==
   # :zero_byte).
   def padding=(scheme)
-    @padding = Padding::validate(scheme)
+    @padding = Padding.validate(scheme)
   end
   # Return the cipher's block size in bytes.
@@ -458,15 +469,17 @@ class Twofish
   # Encrypt a plaintext string, chunking as required for
   # CBC mode.
   def encrypt(plaintext)
-    padded_plaintext = Padding::pad(plaintext, BLOCK_SIZE, self.padding)
-    result = ''
+    plaintext = plaintext.dup.force_encoding('ASCII-8BIT')
+    padded_plaintext = Padding.pad!(plaintext, BLOCK_SIZE, @padding)
+    result = ''.force_encoding('ASCII-8BIT')
     if @mode == Mode::CBC
       @iv = generate_iv(BLOCK_SIZE) unless @iv
       ciphertext_block = @iv
     end
-    (0..padded_plaintext.length-1).step(BLOCK_SIZE) do |block_ptr|
-      (0..BLOCK_SIZE-1).each { |i| padded_plaintext[block_ptr+i] = ( padded_plaintext[block_ptr+i].ord ^ ciphertext_block[i].ord ).chr } if Mode::CBC == @mode
-      result << ciphertext_block = self.encrypt_block(padded_plaintext[block_ptr, BLOCK_SIZE])
+    (0...padded_plaintext.length).step(BLOCK_SIZE) do |block_ptr|
+      plaintext_block = padded_plaintext[block_ptr, BLOCK_SIZE]
+      xor_block!(plaintext_block, ciphertext_block) if Mode::CBC == @mode
+      result << ciphertext_block = encrypt_block(plaintext_block)
     end
     result
   end
@@ -475,8 +488,9 @@ class Twofish
   # chaining modes. If @iv is not set then we use the first block
   # as the initialization vector when chaining.
   def decrypt(ciphertext)
-    raise ArgumentError, "Ciphertext is not a multiple of #{BLOCK_SIZE} bytes" unless (ciphertext.length % BLOCK_SIZE).zero?
-    result = ''
+    ciphertext = ciphertext.dup.force_encoding('ASCII-8BIT')
+    raise ArgumentError, "ciphertext is not a multiple of #{BLOCK_SIZE} bytes" unless (ciphertext.length % BLOCK_SIZE).zero?
+    result = ''.force_encoding('ASCII-8BIT')
     if Mode::CBC == @mode
       if @iv
         feedback = @iv
@@ -485,542 +499,542 @@ class Twofish
         ciphertext = ciphertext[BLOCK_SIZE..-1]
       end
     end
-    (0..ciphertext.length-1).step(BLOCK_SIZE) do |block_ptr|
+    (0...ciphertext.length).step(BLOCK_SIZE) do |block_ptr|
       ciphertext_block = ciphertext[block_ptr, BLOCK_SIZE]
-      plaintext_block = self.decrypt_block(ciphertext_block)
-      (0..BLOCK_SIZE-1).each { |i| plaintext_block[i] = (plaintext_block[i].ord ^ feedback[i].ord).chr } if Mode::CBC == @mode
+      plaintext_block = decrypt_block(ciphertext_block)
+      xor_block!(plaintext_block, feedback) if Mode::CBC == @mode
       result << plaintext_block
       feedback = ciphertext_block
     end
-    Padding::unpad(result, BLOCK_SIZE, self.padding)
+    Padding.unpad!(result, BLOCK_SIZE, @padding)
+  end
+  # Exclusive-or two blocks together, byte-by-byte, storing the result
+  # in the first block.
+  def xor_block!(target, source)
+    (0...BLOCK_SIZE).each { |i| target[i] = (target[i].ord ^ source[i].ord).chr }
   end
   # Encrypt a single block (16 bytes).
   def encrypt_block(plain_text)
     words = plain_text.unpack('V4')
-    k = @k
-    r0 = k[0] ^ words[0]
-    r1 = k[1] ^ words[1]
-    r2 = k[2] ^ words[2]
-    r3 = k[3] ^ words[3]
-    xS0, xS1, xS2, xS3 = *@s
+    r0 = @k[0] ^ words[0]
+    r1 = @k[1] ^ words[1]
+    r2 = @k[2] ^ words[2]
+    r3 = @k[3] ^ words[3]
     # i = 0
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[8])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[9])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[10])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[11])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[8])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[9])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[10])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[11])
     # i = 1
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[12])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[13])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[14])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[15])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[12])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[13])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[14])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[15])
     # i = 2
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[16])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[17])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[18])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[19])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[16])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[17])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[18])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[19])
     # i = 3
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[20])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[21])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[22])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[23])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[20])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | ((r3 & 0x7fffffff) << 1)
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[21])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[22])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[23])
     # i = 4
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[24])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[25])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[26])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31);
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[27])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[24])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[25])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[26])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | ((r1 & 0x7fffffff) << 1)
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[27])
     # i = 5
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2  ^= mask32(t0 + t1 + k[28])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[29])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[30])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[31])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[28])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[29])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[30])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[31])
     # i = 6
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[32])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[33])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[34])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[35])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[32])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[33])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[34])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[35])
     # i = 7
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[36])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[37])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[38])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[39])
-    [k[4] ^ r2, k[5] ^ r3, k[6] ^ r0, k[7] ^ r1].pack("V4")
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[36])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[37])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[38])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[39])
+    [@k[4] ^ r2, @k[5] ^ r3, @k[6] ^ r0, @k[7] ^ r1].pack("V4")
   end
   # Decrypt a single block (16 bytes).
   def decrypt_block(plain)
-    words = plain.unpack("V4")
-    k = @k
-    r0 = k[4] ^ words[0]
-    r1 = k[5] ^ words[1]
-    r2 = k[6] ^ words[2]
-    r3 = k[7] ^ words[3]
+    words = plain.unpack("V4")
-    xS0, xS1, xS2, xS3 = *@s
+    r0 = @k[4] ^ words[0]
+    r1 = @k[5] ^ words[1]
+    r2 = @k[6] ^ words[2]
+    r3 = @k[7] ^ words[3]
     # i = 7
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[38])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[39])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[36])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[37])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[38])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[39])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[36])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[37])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 6
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[34])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[35])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[32])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[33])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[34])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[35])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[32])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[33])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 5
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[30])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[31])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[28])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[29])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[30])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[31])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[28])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[29])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 4
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[26])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[27])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[24])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[25])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[26])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[27])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[24])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[25])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 3
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[22])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[23])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[20])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[21])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[22])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[23])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[20])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[21])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 2
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[18])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[19])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[16])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[17])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[18])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[19])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[16])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[17])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 1
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[14])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[15])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[12])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[13])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[14])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[15])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[12])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[13])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 0
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[10])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[11])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[8])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[9])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
-    [mask32(k[0] ^ r2), mask32(k[1] ^ r3), mask32(k[2] ^ r0), mask32(k[3] ^ r1)].pack("V4")
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[10])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[11])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[8])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[9])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
+    [@k[0] ^ r2, @k[1] ^ r3, @k[2] ^ r0, @k[3] ^ r1].pack("V4")
   end
 private
@@ -1058,16 +1072,16 @@ private
       t = b >> 24
       # Shift the others up.
-      b = mask32(b << 8) | (a >> 24)
-      a = mask32(a << 8)
+      b = ((b & 0xffffff) << 8) | (a >> 24)
+      a = ((a & 0xffffff) << 8)
-      u = mask32(t << 1)
+      u = ((t & 0x7fffffff) << 1)
       # Subtract the modular polynomial on overflow.
       u ^= 0x14d unless (t & 0x80).zero?
       # Remove t * (a * x^2 + 1).
-      b ^= t ^ mask32(u << 16)
+      b ^= t ^ ((u & 0xffff) << 16)
       # Form u = a*t + t/a = t*(a + 1/a).
       u ^= 0x7fffffff & (t >> 1)
@@ -1076,103 +1090,19 @@ private
       u ^= 0xa6 unless (t & 0x01).zero?
       # Remove t * (a + 1/a) * (x^3 + x).
-      b ^= mask32(u << 24) | mask32(u << 8)
+      b ^= ((u & 0xff) << 24) | ((u & 0xffffff) << 8)
     end
     [ b >> 24, b >> 16 & 0xff, b >> 8 & 0xff, b & 0xff ]
   end
-  # Retain only lowest 32 bits of the given integer.
-  def mask32(x)
-    x & 0xffffffff
-  end
   # Generates a random initialization vector of the given length.
   # Warning: use Ruby standard library Kernel#rand.
   def generate_iv(block_size)
     Array.new(block_size).
       map{ |x| rand(256) }.
-      pack("C#{block_size}")
-  end
-end
-# Encryption modes.
-#
-# The only currently implemented modes are ECB (Electronic Code Book)
-# and CBC (Cipher Block Chaining).
-module Mode
-  ECB = :ecb
-  CBC = :cbc
-  ALL = [ CBC, ECB ]
-  DEFAULT = ECB
-  # Takes a string or symbol and returns the lowercased
-  # symbol representation if this is a recognized mode.
-  # Otherwise, throws ArgumentError.
-  def Mode::validate(mode)
-    mode_sym = mode.nil? ? DEFAULT : mode.to_s.downcase.to_sym
-    raise ArgumentError, "unknown cipher mode #{mode.inspect}" unless ALL.include? mode_sym
-    mode_sym
-  end
-end
-# Implements padding modes to make plaintext into a complete
-# number of blocks before encryption and to remove that padding
-# after successful decryption.
-#
-# The only implemented padding schemes are :none and
-# :zero_byte. Note that zero byte padding is potentially
-# dangerous because if the plaintext terminates in
-# zero bytes then these will be erroneously removed by #unpad.
-# A more sensible padding scheme should be used in this case.
-module Padding
-  NONE = :none
-  ZERO_BYTE = :zero_byte
-  ALL = [ NONE, ZERO_BYTE ]
-  DEFAULT = NONE
-  # Takes a string or symbol and returns the lowercased
-  # symbol representation if this is a recognized padding scheme.
-  # Otherwise, throws ArgumentError.
-  def Padding::validate(scheme)
-    scheme_sym = scheme.nil? ? DEFAULT : scheme.to_s.downcase.to_sym
-    raise ArgumentError, "unknown padding scheme #{scheme.inspect}" unless ALL.include? scheme_sym
-    scheme_sym
-  end
-  # Pad the given plaintext to a complete number of blocks. If
-  # the padding scheme is :none and the plaintext is not a whole
-  # number of blocks then ArgumentError is thrown.
-  def Padding::pad(plaintext, block_size, scheme=DEFAULT)
-    scheme_sym = validate(scheme)
-    remainder = plaintext.length % block_size
-    case scheme_sym
-    when NONE
-      raise ArgumentError, "no padding scheme specified and plaintext length is not a multiple of the block size" unless remainder.zero?
-      plaintext.dup
-    when ZERO_BYTE
-      unless remainder.zero?
-        plaintext.dup << "\0" * (block_size - remainder)
-      else
-        plaintext.dup
-      end
-    end
-  end
-  # Unpad the given plaintext using the given scheme.
-  def Padding::unpad(plaintext, block_size, scheme=DEFAULT)
-    scheme_sym = validate(scheme)
-    case scheme_sym
-    when NONE
-      plaintext.dup
-    when ZERO_BYTE
-      plaintext.dup.sub(/\000+\Z/, '')
-    end
+      pack("C#{block_size}") # defaults to ASCII-8BIT encoding
   end
 end