RubyGems - twofish - Versions diffs - 1.0.2 → 1.0.3 - Mend

twofish 1.0.2 → 1.0.3

Files changed (9) hide show

data/README.rdoc CHANGED Viewed

@@ -90,6 +90,17 @@ Aside from this README, rdoc documentation may be built as follows:
 The documentation will be built in the rdoc subdirectory.
+=== Benchmark
+A simple benchmark can be found in test/benchmark.rb and can be run
+thusly:
+    rake benchmark
+Ruby 1.9 is approximately three times faster than ruby 1.8.7
+(Ubuntu x86-64).
 === Bugs, omissions and weaknesses
 Encryption and decryption are (not unexpectedly) slow. If you need a
@@ -97,11 +108,6 @@ faster implementation for Ruby then the BouncyCastle provider
 (http://www.bouncycastle.org) plays well with JRuby (http://www.jruby.org).
 See above ("Unit tests") for a sample script.
-The original "pure Perl" implementation used Perl's integer pragma.
-This implementation uses a private method mask32 to strip off any high
-order bits in an effort to prevent (slow) promotion of Fixnums to Bignums.
-This is a little clumsy and probably could be quicker.
 Ruby >=1.9 introduces string encodings. The current workaround uses
 #ord and #chr but this is not very satisfactory: it would be preferable
 to move to byte arrays throughout.

data/Rakefile CHANGED Viewed

@@ -1,35 +1,38 @@
+require 'benchmark'
 require 'rake'
 require 'rake/clean'
-require 'rake/gempackagetask'
-require 'rake/rdoctask'
 require 'rake/testtask'
+require 'rdoc/task'
+require 'rubygems/package_task'
 desc 'Default task (test)'
 task :default => [:test]
 Rake::TestTask.new('test') do |test|
-  test.pattern = 'test/*.rb'
+  test.pattern = 'test/test_*.rb'
   test.warning = true
 end
+Rake::TestTask.new('benchmark') do |test|
+  test.pattern = 'test/benchmark.rb'
+end
 SPECFILE = 'twofish.gemspec'
 if File.exist?(SPECFILE)
   spec = eval( File.read(SPECFILE) )
-  Rake::GemPackageTask.new(spec) do |pkg|
+  Gem::PackageTask.new(spec) do |pkg|
     pkg.need_tar = true
   end
 end
-Rake::RDocTask.new do |rdoc|
+RDoc::Task.new do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = 'twofish.rb'
-  rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.options << '-A cattr_accessor=object'
+  rdoc.options << '--line-numbers'
   rdoc.options << '--charset' << 'utf-8'
   rdoc.options << '--all'
   rdoc.rdoc_files.include('README.rdoc')
-  rdoc.rdoc_files.include('lib/twofish.rb')
-  rdoc.rdoc_files.include('test/test_twofish.rb')
+  rdoc.rdoc_files.include(Dir[ 'lib/**/*' ])
 end

data/lib/string.rb ADDED Viewed

@@ -0,0 +1,16 @@
+class String
+  unless method_defined?(:byteslice)
+    def byteslice(*args)
+      self.dup.force_encoding('ASCII-8BIT').slice!(*args)
+    end
+  end
+  unless method_defined?(:force_encoding)
+    def force_encoding(encoding)
+      self # noop
+    end
+  end
+end

data/lib/twofish.rb CHANGED Viewed

@@ -8,9 +8,26 @@
 # encryption algorithm based on original work by Guido Flohr.
 class Twofish
-  attr_reader :iv, :key_size, :mode, :padding # setters for iv, mode defined below for validation
+  require 'string' # monkey patch for MRI 1.8.7
+  require 'twofish/mode'
+  require 'twofish/padding'
-  BLOCK_SIZE = 16 # 16 bytes, 128 bits
+  # Setters for iv, mode defined below for validation
+  # Initialization vector for CBC mode.
+  attr_reader :iv
+  # The size of the key in bytes (16, 24, 32 bytes).
+  attr_reader :key_size
+  # Encryption mode eg Mode::ECB (default) or Mode::CBC.
+  attr_reader :mode
+  # Padding algorithm eg Padding::NONE (default) or Padding::ZERO_BYTE.
+  attr_reader :padding
+  # The block size in bytes (16).
+  BLOCK_SIZE = 16
   #:stopdoc:
   Q0 = [
@@ -323,7 +340,7 @@ class Twofish
     # consists of four equal bytes, each with the value i. The function
     # h is only applied to words of this type, so we only pass it the
     # value of i.
-    k = []
+    @k = []
     # The key-dependent S-boxes used in the g() function are created
     # below. They are defined by g(X) = h(X, S), where S is the vector
@@ -333,12 +350,11 @@ class Twofish
     # The relevant lookup tables qN have been precomputed and stored in
     # tables.h; we also perform full key precomputations incorporating
     # the MDS matrix multiplications.
-    xS0, xS1, xS2, xS3 = [], [], [], []
+    @xS0, @xS1, @xS2, @xS3 = [], [], [], []
     case @key_size
     when 16
       s7, s6, s5, s4 = *mds_rem(le_longs[0], le_longs[1])
       s3, s2, s1, s0 = *mds_rem(le_longs[2], le_longs[3])
-      a, b = 0, 0
       (0..38).step(2) do |i|
         j = i + 1
         a = M0[Q0[Q0[i] ^ key[8]]  ^ key[0]] ^
@@ -349,23 +365,22 @@ class Twofish
             M1[Q0[Q1[j] ^ key[13]] ^ key[5]] ^
             M2[Q1[Q0[j] ^ key[14]] ^ key[6]] ^
             M3[Q1[Q1[j] ^ key[15]] ^ key[7]]
-        b = mask32(b << 8) | (b >> 24)
-        a = mask32(a+b)
-        k.push(a)
-        a = mask32(a+b)
-        k.push(mask32(a << 9) | a >> 23)
+        b = ((b & 0xffffff) << 8) | (b >> 24)
+        a = 0xffffffff & (a+b)
+        @k.push(a)
+        a = 0xffffffff & (a+b)
+        @k.push((a & 0x7fffff) << 9 | a >> 23)
       end
       (0..255).each do |i|
-        xS0[i] = M0[Q0[Q0[i] ^ s4] ^ s0]
-        xS1[i] = M1[Q0[Q1[i] ^ s5] ^ s1]
-        xS2[i] = M2[Q1[Q0[i] ^ s6] ^ s2]
-        xS3[i] = M3[Q1[Q1[i] ^ s7] ^ s3]
+        @xS0[i] = M0[Q0[Q0[i] ^ s4] ^ s0]
+        @xS1[i] = M1[Q0[Q1[i] ^ s5] ^ s1]
+        @xS2[i] = M2[Q1[Q0[i] ^ s6] ^ s2]
+        @xS3[i] = M3[Q1[Q1[i] ^ s7] ^ s3]
       end
     when 24
       sb, sa, s9, s8 = *mds_rem(le_longs[0], le_longs[1])
       s7, s6, s5, s4 = *mds_rem(le_longs[2], le_longs[3])
       s3, s2, s1, s0 = *mds_rem(le_longs[4], le_longs[5])
-      j = 1
       (0..38).step(2) do |i|
         j = i + 1
         a = M0[Q0[Q0[Q1[i] ^ key[16]] ^ key[8]]  ^ key[0]] ^
@@ -376,24 +391,23 @@ class Twofish
             M1[Q0[Q1[Q1[j] ^ key[21]] ^ key[13]] ^ key[5]] ^
             M2[Q1[Q0[Q0[j] ^ key[22]] ^ key[14]] ^ key[6]] ^
             M3[Q1[Q1[Q0[j] ^ key[23]] ^ key[15]] ^ key[7]]
-        b = mask32(b << 8) | (b >> 24)
-        a = mask32(a+b)
-        k.push(a)
-        a = mask32(a+b)
-        k.push(mask32(a << 9) | a >> 23)
+        b = ((b & 0xffffff) << 8) | (b >> 24)
+        a = 0xffffffff & (a+b)
+        @k.push(a)
+        a = 0xffffffff & (a+b)
+        @k.push((a & 0x7fffff) << 9 | a >> 23)
       end
       (0..255).each do |i|
-        xS0[i] = M0[Q0[Q0[Q1[i] ^ s8] ^ s4] ^ s0]
-        xS1[i] = M1[Q0[Q1[Q1[i] ^ s9] ^ s5] ^ s1]
-        xS2[i] = M2[Q1[Q0[Q0[i] ^ sa] ^ s6] ^ s2]
-        xS3[i] = M3[Q1[Q1[Q0[i] ^ sb] ^ s7] ^ s3]
+        @xS0[i] = M0[Q0[Q0[Q1[i] ^ s8] ^ s4] ^ s0]
+        @xS1[i] = M1[Q0[Q1[Q1[i] ^ s9] ^ s5] ^ s1]
+        @xS2[i] = M2[Q1[Q0[Q0[i] ^ sa] ^ s6] ^ s2]
+        @xS3[i] = M3[Q1[Q1[Q0[i] ^ sb] ^ s7] ^ s3]
       end
     when 32
       sf, se, sd, sc = *mds_rem(le_longs[0], le_longs[1])
       sb, sa, s9, s8 = *mds_rem(le_longs[2], le_longs[3])
       s7, s6, s5, s4 = *mds_rem(le_longs[4], le_longs[5])
       s3, s2, s1, s0 = *mds_rem(le_longs[6], le_longs[7])
-      j = 1
       (0..38).step(2) do |i|
         j = i + 1
         a = M0[Q0[Q0[Q1[Q1[i] ^ key[24]] ^ key[16]] ^ key[8]]  ^ key[0]] ^
@@ -404,25 +418,22 @@ class Twofish
             M1[Q0[Q1[Q1[Q0[j] ^ key[29]] ^ key[21]] ^ key[13]] ^ key[5]] ^
             M2[Q1[Q0[Q0[Q0[j] ^ key[30]] ^ key[22]] ^ key[14]] ^ key[6]] ^
             M3[Q1[Q1[Q0[Q1[j] ^ key[31]] ^ key[23]] ^ key[15]] ^ key[7]]
-        b = mask32(b << 8) | (b >> 24)
-        a = mask32(a+b)
-        k.push(a)
-        a = mask32(a+b)
-        k.push(mask32(a << 9) | a >> 23)
+        b = ((b & 0xffffff) << 8) | (b >> 24)
+        a = 0xffffffff & (a+b)
+        @k.push(a)
+        a = 0xffffffff & (a+b)
+        @k.push((a & 0x7fffff) << 9 | a >> 23)
       end
       (0..255).each do |i|
-        xS0[i] = M0[Q0[Q0[Q1[Q1[i]^sc]^s8]^s4]^s0]
-        xS1[i] = M1[Q0[Q1[Q1[Q0[i]^sd]^s9]^s5]^s1]
-        xS2[i] = M2[Q1[Q0[Q0[Q0[i]^se]^sa]^s6]^s2]
-        xS3[i] = M3[Q1[Q1[Q0[Q1[i]^sf]^sb]^s7]^s3]
+        @xS0[i] = M0[Q0[Q0[Q1[Q1[i]^sc]^s8]^s4]^s0]
+        @xS1[i] = M1[Q0[Q1[Q1[Q0[i]^sd]^s9]^s5]^s1]
+        @xS2[i] = M2[Q1[Q0[Q0[Q0[i]^se]^sa]^s6]^s2]
+        @xS3[i] = M3[Q1[Q1[Q0[Q1[i]^sf]^sb]^s7]^s3]
       end
     else
       raise ArgumentError, "invalid key length #{@key_size} (expecting 16, 24 or 32 bytes)"
     end
-    @k = k
-    @s = [ xS0, xS1, xS2, xS3 ]
   end
   # Assign the initialization vector.
@@ -440,14 +451,14 @@ class Twofish
   # set to Mode::ECB then the IV will be ignored for any
   # encrypt/decrypt operations.
   def mode=(mode)
-    @mode = Mode::validate(mode)
+    @mode = Mode.validate(mode)
   end
   # Set the padding scheme for the (CBC mode) cipher
   # (Padding::NONE == :none or Padding::ZERO_BYTE ==
   # :zero_byte).
   def padding=(scheme)
-    @padding = Padding::validate(scheme)
+    @padding = Padding.validate(scheme)
   end
   # Return the cipher's block size in bytes.
@@ -458,15 +469,17 @@ class Twofish
   # Encrypt a plaintext string, chunking as required for
   # CBC mode.
   def encrypt(plaintext)
-    padded_plaintext = Padding::pad(plaintext, BLOCK_SIZE, self.padding)
-    result = ''
+    plaintext = plaintext.dup.force_encoding('ASCII-8BIT')
+    padded_plaintext = Padding.pad!(plaintext, BLOCK_SIZE, @padding)
+    result = ''.force_encoding('ASCII-8BIT')
     if @mode == Mode::CBC
       @iv = generate_iv(BLOCK_SIZE) unless @iv
       ciphertext_block = @iv
     end
-    (0..padded_plaintext.length-1).step(BLOCK_SIZE) do |block_ptr|
-      (0..BLOCK_SIZE-1).each { |i| padded_plaintext[block_ptr+i] = ( padded_plaintext[block_ptr+i].ord ^ ciphertext_block[i].ord ).chr } if Mode::CBC == @mode
-      result << ciphertext_block = self.encrypt_block(padded_plaintext[block_ptr, BLOCK_SIZE])
+    (0...padded_plaintext.length).step(BLOCK_SIZE) do |block_ptr|
+      plaintext_block = padded_plaintext[block_ptr, BLOCK_SIZE]
+      xor_block!(plaintext_block, ciphertext_block) if Mode::CBC == @mode
+      result << ciphertext_block = encrypt_block(plaintext_block)
     end
     result
   end
@@ -475,8 +488,9 @@ class Twofish
   # chaining modes. If @iv is not set then we use the first block
   # as the initialization vector when chaining.
   def decrypt(ciphertext)
-    raise ArgumentError, "Ciphertext is not a multiple of #{BLOCK_SIZE} bytes" unless (ciphertext.length % BLOCK_SIZE).zero?
-    result = ''
+    ciphertext = ciphertext.dup.force_encoding('ASCII-8BIT')
+    raise ArgumentError, "ciphertext is not a multiple of #{BLOCK_SIZE} bytes" unless (ciphertext.length % BLOCK_SIZE).zero?
+    result = ''.force_encoding('ASCII-8BIT')
     if Mode::CBC == @mode
       if @iv
         feedback = @iv
@@ -485,542 +499,542 @@ class Twofish
         ciphertext = ciphertext[BLOCK_SIZE..-1]
       end
     end
-    (0..ciphertext.length-1).step(BLOCK_SIZE) do |block_ptr|
+    (0...ciphertext.length).step(BLOCK_SIZE) do |block_ptr|
       ciphertext_block = ciphertext[block_ptr, BLOCK_SIZE]
-      plaintext_block = self.decrypt_block(ciphertext_block)
-      (0..BLOCK_SIZE-1).each { |i| plaintext_block[i] = (plaintext_block[i].ord ^ feedback[i].ord).chr } if Mode::CBC == @mode
+      plaintext_block = decrypt_block(ciphertext_block)
+      xor_block!(plaintext_block, feedback) if Mode::CBC == @mode
       result << plaintext_block
       feedback = ciphertext_block
     end
-    Padding::unpad(result, BLOCK_SIZE, self.padding)
+    Padding.unpad!(result, BLOCK_SIZE, @padding)
+  end
+  # Exclusive-or two blocks together, byte-by-byte, storing the result
+  # in the first block.
+  def xor_block!(target, source)
+    (0...BLOCK_SIZE).each { |i| target[i] = (target[i].ord ^ source[i].ord).chr }
   end
   # Encrypt a single block (16 bytes).
   def encrypt_block(plain_text)
     words = plain_text.unpack('V4')
-    k = @k
-    r0 = k[0] ^ words[0]
-    r1 = k[1] ^ words[1]
-    r2 = k[2] ^ words[2]
-    r3 = k[3] ^ words[3]
-    xS0, xS1, xS2, xS3 = *@s
+    r0 = @k[0] ^ words[0]
+    r1 = @k[1] ^ words[1]
+    r2 = @k[2] ^ words[2]
+    r3 = @k[3] ^ words[3]
     # i = 0
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[8])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[9])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[10])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[11])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[8])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[9])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[10])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[11])
     # i = 1
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[12])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[13])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[14])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[15])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[12])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[13])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[14])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[15])
     # i = 2
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[16])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[17])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[18])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[19])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[16])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[17])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[18])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[19])
     # i = 3
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[20])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[21])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[22])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[23])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[20])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | ((r3 & 0x7fffffff) << 1)
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[21])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[22])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[23])
     # i = 4
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[24])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[25])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[26])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31);
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[27])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[24])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[25])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[26])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | ((r1 & 0x7fffffff) << 1)
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[27])
     # i = 5
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2  ^= mask32(t0 + t1 + k[28])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[29])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[30])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[31])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[28])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[29])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[30])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[31])
     # i = 6
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[32])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[33])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[34])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[35])
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[32])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[33])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[34])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[35])
     # i = 7
-    t0 = xS0[r0 & 0xff] ^
-         xS1[(r0 >> 8) & 0xff] ^
-         xS2[(r0 >> 16) & 0xff] ^
-         xS3[(r0 >> 24) & 0xff]
-    t1 = xS0[(r1 >> 24) & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[(r1 >> 8) & 0xff] ^
-         xS3[(r1 >> 16) & 0xff]
-    r2 ^= mask32(t0 + t1 + k[36])
-    r2 = (r2 >> 1 & 0x7fffffff) | mask32(r2 << 31)
-    r3 = ((r3 >> 31) & 1) | mask32(r3 << 1)
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[37])
-    t0 = xS0[r2 & 0xff] ^
-         xS1[(r2 >> 8) & 0xff] ^
-         xS2[(r2 >> 16) & 0xff] ^
-         xS3[(r2 >> 24) & 0xff]
-    t1 = xS0[(r3 >> 24) & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[(r3 >> 8) & 0xff] ^
-         xS3[(r3 >> 16) & 0xff]
-    r0 ^= mask32(t0 + t1 + k[38])
-    r0 = (r0 >> 1 & 0x7fffffff) | mask32(r0 << 31)
-    r1 = ((r1 >> 31) & 1) | mask32(r1 << 1)
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[39])
-    [k[4] ^ r2, k[5] ^ r3, k[6] ^ r0, k[7] ^ r1].pack("V4")
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[(r0 >> 8) & 0xff] ^
+         @xS2[(r0 >> 16) & 0xff] ^
+         @xS3[(r0 >> 24) & 0xff]
+    t1 = @xS0[(r1 >> 24) & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[(r1 >> 8) & 0xff] ^
+         @xS3[(r1 >> 16) & 0xff]
+    r2 ^= 0xffffffff & (t0 + t1 + @k[36])
+    r2 = (r2 >> 1 & 0x7fffffff) | (r2 & 0x1) << 31
+    r3 = ((r3 >> 31) & 1) | (r3 & 0x7fffffff) << 1
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[37])
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[(r2 >> 8) & 0xff] ^
+         @xS2[(r2 >> 16) & 0xff] ^
+         @xS3[(r2 >> 24) & 0xff]
+    t1 = @xS0[(r3 >> 24) & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[(r3 >> 8) & 0xff] ^
+         @xS3[(r3 >> 16) & 0xff]
+    r0 ^= 0xffffffff & (t0 + t1 + @k[38])
+    r0 = (r0 >> 1 & 0x7fffffff) | (r0 & 0x1) << 31
+    r1 = ((r1 >> 31) & 1) | (r1 & 0x7fffffff) << 1
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[39])
+    [@k[4] ^ r2, @k[5] ^ r3, @k[6] ^ r0, @k[7] ^ r1].pack("V4")
   end
   # Decrypt a single block (16 bytes).
   def decrypt_block(plain)
-    words = plain.unpack("V4")
-    k = @k
-    r0 = k[4] ^ words[0]
-    r1 = k[5] ^ words[1]
-    r2 = k[6] ^ words[2]
-    r3 = k[7] ^ words[3]
+    words = plain.unpack("V4")
-    xS0, xS1, xS2, xS3 = *@s
+    r0 = @k[4] ^ words[0]
+    r1 = @k[5] ^ words[1]
+    r2 = @k[6] ^ words[2]
+    r3 = @k[7] ^ words[3]
     # i = 7
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[38])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[39])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[36])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[37])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[38])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[39])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[36])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[37])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 6
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[34])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[35])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[32])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[33])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[34])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[35])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[32])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[33])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 5
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[30])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[31])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[28])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[29])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[30])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[31])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[28])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[29])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 4
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[26])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[27])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[24])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[25])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[26])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[27])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[24])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[25])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 3
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[22])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[23])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[20])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[21])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[22])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[23])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[20])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[21])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 2
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[18])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[19])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[16])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[17])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[18])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[19])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[16])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[17])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 1
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[14])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[15])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[12])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[13])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[14])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[15])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[12])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[13])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
     # i = 0
-    t0 = xS0[r0 & 0xff] ^
-         xS1[r0 >> 8 & 0xff] ^
-         xS2[r0 >> 16 & 0xff] ^
-         xS3[r0 >> 24 & 0xff]
-    t1 = xS0[r1 >> 24 & 0xff] ^
-         xS1[r1 & 0xff] ^
-         xS2[r1 >> 8 & 0xff] ^
-         xS3[r1 >> 16 & 0xff]
-    r2 = r2 >> 31 & 0x1 | mask32(r2 << 1)
-    r2 ^= mask32(t0 + t1 + k[10])
-    r3 ^= mask32(t0 + mask32(t1 << 1) + k[11])
-    r3 = r3 >> 1 & 0x7fffffff | mask32(r3 << 31)
-    t0 = xS0[r2 & 0xff] ^
-         xS1[r2 >> 8 & 0xff] ^
-         xS2[r2 >> 16 & 0xff] ^
-         xS3[r2 >> 24 & 0xff]
-    t1 = xS0[r3 >> 24 & 0xff] ^
-         xS1[r3 & 0xff] ^
-         xS2[r3 >> 8 & 0xff] ^
-         xS3[r3 >> 16 & 0xff]
-    r0 = r0 >> 31 & 0x1 | mask32(r0 << 1)
-    r0 ^= mask32(t0 + t1 + k[8])
-    r1 ^= mask32(t0 + mask32(t1 << 1) + k[9])
-    r1 = r1 >> 1 & 0x7fffffff | mask32(r1 << 31)
-    [mask32(k[0] ^ r2), mask32(k[1] ^ r3), mask32(k[2] ^ r0), mask32(k[3] ^ r1)].pack("V4")
+    t0 = @xS0[r0 & 0xff] ^
+         @xS1[r0 >> 8 & 0xff] ^
+         @xS2[r0 >> 16 & 0xff] ^
+         @xS3[r0 >> 24 & 0xff]
+    t1 = @xS0[r1 >> 24 & 0xff] ^
+         @xS1[r1 & 0xff] ^
+         @xS2[r1 >> 8 & 0xff] ^
+         @xS3[r1 >> 16 & 0xff]
+    r2 = r2 >> 31 & 0x1 | (r2 & 0x7fffffff) << 1
+    r2 ^= 0xffffffff & (t0 + t1 + @k[10])
+    r3 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[11])
+    r3 = r3 >> 1 & 0x7fffffff | (r3 & 0x1) << 31
+    t0 = @xS0[r2 & 0xff] ^
+         @xS1[r2 >> 8 & 0xff] ^
+         @xS2[r2 >> 16 & 0xff] ^
+         @xS3[r2 >> 24 & 0xff]
+    t1 = @xS0[r3 >> 24 & 0xff] ^
+         @xS1[r3 & 0xff] ^
+         @xS2[r3 >> 8 & 0xff] ^
+         @xS3[r3 >> 16 & 0xff]
+    r0 = r0 >> 31 & 0x1 | (r0 & 0x7fffffff) << 1
+    r0 ^= 0xffffffff & (t0 + t1 + @k[8])
+    r1 ^= 0xffffffff & (t0 + ((t1 & 0x7fffffff) << 1) + @k[9])
+    r1 = r1 >> 1 & 0x7fffffff | (r1 & 0x1) << 31
+    [@k[0] ^ r2, @k[1] ^ r3, @k[2] ^ r0, @k[3] ^ r1].pack("V4")
   end
 private
@@ -1058,16 +1072,16 @@ private
       t = b >> 24
       # Shift the others up.
-      b = mask32(b << 8) | (a >> 24)
-      a = mask32(a << 8)
+      b = ((b & 0xffffff) << 8) | (a >> 24)
+      a = ((a & 0xffffff) << 8)
-      u = mask32(t << 1)
+      u = ((t & 0x7fffffff) << 1)
       # Subtract the modular polynomial on overflow.
       u ^= 0x14d unless (t & 0x80).zero?
       # Remove t * (a * x^2 + 1).
-      b ^= t ^ mask32(u << 16)
+      b ^= t ^ ((u & 0xffff) << 16)
       # Form u = a*t + t/a = t*(a + 1/a).
       u ^= 0x7fffffff & (t >> 1)
@@ -1076,103 +1090,19 @@ private
       u ^= 0xa6 unless (t & 0x01).zero?
       # Remove t * (a + 1/a) * (x^3 + x).
-      b ^= mask32(u << 24) | mask32(u << 8)
+      b ^= ((u & 0xff) << 24) | ((u & 0xffffff) << 8)
     end
     [ b >> 24, b >> 16 & 0xff, b >> 8 & 0xff, b & 0xff ]
   end
-  # Retain only lowest 32 bits of the given integer.
-  def mask32(x)
-    x & 0xffffffff
-  end
   # Generates a random initialization vector of the given length.
   # Warning: use Ruby standard library Kernel#rand.
   def generate_iv(block_size)
     Array.new(block_size).
       map{ |x| rand(256) }.
-      pack("C#{block_size}")
-  end
-end
-# Encryption modes.
-#
-# The only currently implemented modes are ECB (Electronic Code Book)
-# and CBC (Cipher Block Chaining).
-module Mode
-  ECB = :ecb
-  CBC = :cbc
-  ALL = [ CBC, ECB ]
-  DEFAULT = ECB
-  # Takes a string or symbol and returns the lowercased
-  # symbol representation if this is a recognized mode.
-  # Otherwise, throws ArgumentError.
-  def Mode::validate(mode)
-    mode_sym = mode.nil? ? DEFAULT : mode.to_s.downcase.to_sym
-    raise ArgumentError, "unknown cipher mode #{mode.inspect}" unless ALL.include? mode_sym
-    mode_sym
-  end
-end
-# Implements padding modes to make plaintext into a complete
-# number of blocks before encryption and to remove that padding
-# after successful decryption.
-#
-# The only implemented padding schemes are :none and
-# :zero_byte. Note that zero byte padding is potentially
-# dangerous because if the plaintext terminates in
-# zero bytes then these will be erroneously removed by #unpad.
-# A more sensible padding scheme should be used in this case.
-module Padding
-  NONE = :none
-  ZERO_BYTE = :zero_byte
-  ALL = [ NONE, ZERO_BYTE ]
-  DEFAULT = NONE
-  # Takes a string or symbol and returns the lowercased
-  # symbol representation if this is a recognized padding scheme.
-  # Otherwise, throws ArgumentError.
-  def Padding::validate(scheme)
-    scheme_sym = scheme.nil? ? DEFAULT : scheme.to_s.downcase.to_sym
-    raise ArgumentError, "unknown padding scheme #{scheme.inspect}" unless ALL.include? scheme_sym
-    scheme_sym
-  end
-  # Pad the given plaintext to a complete number of blocks. If
-  # the padding scheme is :none and the plaintext is not a whole
-  # number of blocks then ArgumentError is thrown.
-  def Padding::pad(plaintext, block_size, scheme=DEFAULT)
-    scheme_sym = validate(scheme)
-    remainder = plaintext.length % block_size
-    case scheme_sym
-    when NONE
-      raise ArgumentError, "no padding scheme specified and plaintext length is not a multiple of the block size" unless remainder.zero?
-      plaintext.dup
-    when ZERO_BYTE
-      unless remainder.zero?
-        plaintext.dup << "\0" * (block_size - remainder)
-      else
-        plaintext.dup
-      end
-    end
-  end
-  # Unpad the given plaintext using the given scheme.
-  def Padding::unpad(plaintext, block_size, scheme=DEFAULT)
-    scheme_sym = validate(scheme)
-    case scheme_sym
-    when NONE
-      plaintext.dup
-    when ZERO_BYTE
-      plaintext.dup.sub(/\000+\Z/, '')
-    end
+      pack("C#{block_size}") # defaults to ASCII-8BIT encoding
   end
 end