








student  can  read  to  increase  his/her  comprehension  of  the Atmel  AVR AT90USB1287 microcontroller 
and  its  hardware  components,  the  Assembler  programming  language,  random  number  generation, 




other  PRNG  is  the  Advanced  Encryption  Standard  (AES)  algorithm  and  is  designated  as  the  “strong” 
PRNG algorithm.  After programming the RNG, weak PRNG, and strong PRNG on the AT90USB1287, this 




The  central  motivation  of  this  project  is  to  demonstrate  proper  implementation  of  pseudorandom 
number generators (PRNGs).    It will be assumed that the students of this project have some computer 







this  term.   The goal  is  to demonstrate  the pitfalls of a PRNG algorithm whose output an attacker  can 
easily differentiate from true random data.   This first PRNG algorithm will be referred to as the “weak 
PRNG algorithm.”   
The  second  PRNG  algorithm,  the  Advanced  Encryption  Standard  (AES),  will  be  complex,  will  produce 
data that appears to be very random, and will be cryptographically secure. The second PRNG algorithm 
will be referred to as the “strong PRNG algorithm.”  Students will contrast these two PRNG algorithms in 
order  to  understand  the  theoretical  and  practical  differences  between  weak  and  strong  PRNG 
algorithms.    Students will  learn  that  even  supposedly  strong  PRNG  algorithms must  be  implemented 
carefully to avoid producing predictable data.   
From a low‐level perspective, students will be required to code the weak PRNG algorithm in Assembler 
and  execute  it  on  the  Atmel  AVR  AT90USB1287  microcontroller.    This  will  provide  students  will  an 
excellent opportunity to learn the finer components of Assembler.  Coding a secure PRNG algorithm will 
require a vast knowledge of algorithm analysis, Assembler programming tactics, and debugging on the 





confirm  the  need  for  a  PRNG  algorithm  to  be  thoroughly  tested  to  ensure  that  it  produces  strongly 
random data. 
Background and Related Theory 
Pseudorandom  number  generators  (PRNGs)  are  commonly  encountered  throughout  many  areas  of 
computer  science.    The  demand  for  PRNGs  results  from  a  need  for  randomness  in  numerous 
applications.  Random data is essential for many gaming applications, cryptographic protocols, statistical 




keystroke or mouse movement,  and nuclear decay.    The  reality of  these  forms of  randomness  is  that 
they often  require significant  resources  to generate  relatively  low amounts of  random data.    In  short, 
random data tends not to be cost‐effective. 
This downside of random data has lead to the widespread use of pseudorandom data.  The applications 
that  need  randomness  often  require  the  random data  to  be  generated quickly  and  in  large  amounts.  
Accordingly,  pseudorandom  algorithms  are  designed  to  take  as  input  small  amounts  of  true  random 
data and then apply various PRNG algorithms to produce high volumes of pseudorandom data.   These 
pseudorandom  algorithms  are  of  course  deterministic  in  nature,  so  the  pseudorandom  data  that  is 
produced  is  not  truly  random.   However,  if  the  following  two  conditions  are met,  the pseudorandom 
data will be “random enough” for most applications: 









to  use  tests  offered  by  the National  Institute  of  Standards  and  Technology  (NIST).    The NIST website 
offers a suite of tests that evaluate and provide quantifiable statistics on the data’s level of randomness.  
NIST  has  certified  that  these  tests  provide  an  accurate  estimation  of  how  random  the  data  is.    For 
example,  it  is reasonable to expect that true random binary data should have approximately the same 
number  of  ones  and  zeros.    One  of  the NIST  randomness  tests  is  therefore  to  determine  if  the  total 
number  of  ones  and  zeros  versus  the  length  of  the  binary  string  falls  within  an  acceptable  range  of 
randomness. 
Solution Implemented and Justification 
The  preceding  sections  have  provided  a  detailed  overview  of  the  solution  implemented  and  the 
justifications for the decisions made.  What remains is to discuss which PRNG algorithms were selected 






also demonstrate to the students what  it means to be easily  implemented  in hardware, which 
will solidify the point for them when they hear that term with respect to algorithms such as DES 
• Output  is  a  stream  of  ones  and  zeroes,  which  can  be  readily  input  into  the  NIST  suite  of 
randomness tests 
• LFSRs  are  used  in  the  real  world  for  such  applications  as  GPS,  digital  broadcasting  and 
communications systems, and some gaming consoles, so the student would not be learning an 
antiquated algorithm that is solely used for pedagogical purposes 




• Involves  concepts  of  polynomials  to  map  sequences  of  transformations  and  concepts  of 






• Outputs  of  LFSRs  are  linear,  which means  that  they  are  susceptible  to  cryptanalysis;  this  will 
perfectly  demonstrate  to  the  students  the  difference  between  this  weak  PRNG  and  a  strong 
PRNG (cryptographically speaking) 




• Considered  to  be  one  of  the most  cryptographically  secure  (if  not  the most  cryptographically 
secure) PRNGs available 
• Thus,  it  will  do  very  well  on  NIST’s  suite  of  randomness  tests,  which  will  demonstrate  the 
differences to the students between weak and strong PRNGs 




















The  on‐board  thermometer  is  a  resistor  that  displays  various  levels  of  resistance  that  are  directly 
affected  by  the  temperature  of  the  microcontroller.    The  resistance  of  this  resistor  increases  as  the 
temperature decreases, which is referred to as a Negative Temperature Coefficient (NTC).  This resistor 
is  consequently  labeled  as  a  temperature‐sensitive  resistor,  or  more  commonly  as  a  thermistor.  
Because  the  values  read  from  the  thermistor  fluctuate  in  proportion  to  the  temperature  of  the 
microcontroller, the thermistor can be effectively used as a thermometer for the microcontroller.   The 
assumption behind the RNG is that the temperature of the microcontroller, or at the very least the least 




Analog Multiplexer  is  connected  to  8  voltage  inputs  from  one  of  the microcontroller’s  ports.    These 
voltage inputs are labeled ADC0, ADC1, ADC2, ADC3, ADC4, ADC5, ADC6, and ADC7.   The thermistor  is 
the ADC0 voltage  input.   ADC0  sends analog voltage data  to  the 8‐channel Analog Multiplexer, which 
then sends this analog data to the on‐board Analog‐to‐Digital Converter  (ADC).   The ADC converts the 
analog  data  from  the Multiplexer  into  10‐bit  values.    This  system  of  the  ADC  and  8‐channel  Analog 
Multiplexer is referred to as the ADMUX.  The digital data from the ADMUX is the sent to the ADC Data 
Register.    Because  the  ADC  generates  10‐bit  values,  the  ADC Data  Register  is  comprised  of  two  8‐bit 
registers, labeled ADCH (ADC High) and ADCL (ADC Low).  ADCL contains the least significant 8 bits of the 
ADC output; ADCH contains  the 2 most significant bits of  the ADC output  in bits 0 and 1 of  the ADCH 
register.  The programmer can then read data from this system through the ADC Data Registers (ADCH 
and  ADCL).    In  the  specific  case  of  the  thermistor,  temperature  data  can  be  read  by  configuring  the 
ADMUX to read data from ADC0 (the voltage input of the thermistor) and then reading in data from the 
ADC Data Registers (ADCH and ADCL). 





.org 0x003A               
call ADC_ISR 




as  the “reset vector”.   The next  line  is a  relative  jump to  the  label of  the “main”  routine  to begin  the 
program. 
The  last  two  lines of  the  code  snippet  above  relate  to  the ADC  interrupt  routine.    The purpose of  an 
interrupt  is  to  stop  program  execution  in  order  to  perform  a  specified  routine.    After  the  interrupt 
routine has  completed,  it  is  required  that  program  control  be  transferred back  to  the  location where 
program execution was originally stopped.  This requirement necessitates the use of the stack in order 
to  store  the  address  to  which  program  execution  must  be  returned  after  the  interrupt  routine  has 
completed (named the return address). 
The “.org 0x003A” informs the compiler of the address of the ADC interrupt vector.  As discussed above, 




interrupt  triggered.    The  specific  interrupt  vectors  that  correspond  to  each  type  of  interrupt  are 
hardware‐dependent.    For  the AT90USB1287,  the programmer  can use Atmel’s  usb1287def.inc  file  to 
find  this  information.   The usb1287def.inc  file  contains  the  following  line  that  is pertinent  to  the ADC 
interrupt vector: 
.equ  ADCCaddr  = 0x003a  ; ADC Conversion Complete       
This  line  indicates that the address of the ADC Conversion  interrupt vector  is 0x003A.   This  is why the 










push r16         
in r16, SREG       
push r16         
push r17 
Recall  that  an  interrupt  stops  program  execution,  performs  a  specific  routine,  and  then  transfers 
program execution to the original location where it was stopped.  It is very important to ensure that the 
state of the program that is not related to the interrupt is not modified by the interrupt routine.  Most 
notably,  the  interrupt should not permanently modify any registers  (including the status register)  that 
the  interrupt uses.   As a  result,  it  is  common practice  to push  the values of any  registers used by  the 
interrupt onto  the stack before performing any other actions.   These values  remain on  the stack until 
the  interrupt  is  completed,  after which  these  values  are popped off  the  stack  into  the  corresponding 
registers.  When program control is transferred back to the return address, the registers (including the 
status  register)  have  the  same  values  as  they  did  immediately  before  the  interrupt  was  triggered.  
Because the stack is a Last‐In‐First‐Out (LIFO) operation, values must be popped off in the reverse order 
as they were pushed on.  This is why the last lines of the ADC_ISR routine are the following: 
pop r17        
pop r16          
out SREG, r16         
















added  to  RNGSeed  (i.e.,  the  oldest)  is  removed,  and  new  bit  of  randomness  is  extracted  from  the 
thermistor  and  added  to  RNGSeed.    This  is  analogous  to  a  First‐In‐First‐Out  (FIFO)  method.    Bits  of 
















homongenous.   This was quite detrimental  to  this  study because of  the need  for highly unpredictable 
data to be used as the RNG.   In order to remedy the homogeneity observed from the thermistor, only 
the least significant bit (LSB) of the readings from the thermistor was used in the RNG.  The assumption 























RNGSeed  register  into  the  PRNGSeed  register.    This  command  is  present  within  the  ADC  Conversion 
interrupt so that PRNGSeed always contains the latest version of RNGSeed.   As will be discussed later, 
when the PRNG functionality of this program is called, the PRNGSeed register is used as the seed to the 






data  generated  from  the  ADC  Converstion  interrupt  are  written  to  EEPROM  memory  within  the 
interrupt.    EEPROM  is  a  component  on  the AT90USB1287 microcontroller  that  functions  as  a  type  of 
memory.  EEPROM is used in this code to record the random data that is generated by the thermistor to 
be evaluated later by the NIST tests.  Recall, however, that each run of the interrupt only generates one 
bit  of  randomness,  not  one  byte.    If  the  RNGSeed  register were  copied  into  EEPROM every  time  the 
interrupt was  run, patterns of bits would emerge.    This  can be observed  from  the  following example.  
Suppose that at any given time, RNGSeed contained the following byte:   10010101.   Suppose that the 
next run of the interrupt generated a 0 for the random digit.  RNGSeed would then become 00101010.  






before writing  to EEPROM.   Because nothing  is written to EEPROM before all bits have been replaced 
with  newly  generated  values  from  the  thermistor,  no  patterns  should  form.    This  solution  is 
implemented  by  placing  a  counter  register  in  the  interrupt,  named  RNGCounter.    RNGCounter  is 
initialized  to  zero  in  the  main  routine  and  is  incremented  every  time  the  interrupt  is  run.    When 










be  written  to  EEPROM  and  RNGCounter  should  be  reset  to  zero,  as  described  above.    The  register 
EightRegister  is declared  to be 0x08  in  the main  routine and  is not  changed at any other point  in  the 
code.   RNGCounter  is  compared  to EightRegister  to determine  if RNGCounter equals  eight.    If  so,  the 
cpse  command  evaluates  as  true,  skips  the  next  statement  (rjmp  finishinterrupt),  and  begins  the 
writerngeeprom  routine.    If  RNGCounter  is  not  equal  to  eight,  the  next  statement  is  executed  (rjmp 










status of EEPROM.   Bit 1 of  the EECR  is  the EEPE EEPROM Programming Enable  (EEPE) bit.   When the 
programmer is ready to write to EEPROM, the EEPE bit must be set to one.  After setting the EEPE bit to 
one, the CPU is halted for two cycles before the next  instruction is executed.    It  is very important that 
the program not attempt to write to EEPROM while another write to EEPROM is already taking place.  
Due to this, the code shown above contains a loop that continues to loop until the EEPE bit is zero.  The 
first  line  of  the  loop  (sbic  EECR,  EEPE)  skips  the  next  instruction  if  the  bit  in  question  (EEPE)  is  clear, 




again.    This  is  referred  to  as  a  polling  looop.    As  a  side  note,  the  programmer must  be  sure  that  an 




















r25  and  r26  hold  the  addresses  of  EEARL  and  EEARH,  respectively,  that  correspond  to  the  byte  of 
EEPROM to which the next byte of data will be written.  In order to maximize the amount of data that 




















This  is why the EEPE bit  is  set  to one  (using  the sbi command)  immediately after EEMPE  is  set  to one 








range  of  byte  addresses  in  EEPROM  requires  the  use  of  two  registers,  EEARH  and  EEARL.    In  this 
program,  the  registers  r25  and  r26 hold  the  values of  the next byte  in  EEPROM  to which  the  current 
value  of  RNGSeed  is  written.    R25  and  r26  correspond  directly  to  EEARL  and  EEARH,  respectively.  
Because of the need for two registers, a simple increment will not suffice.  There has to be some method 
of organization between r25 and r26 to ensure that all byte addresses  in EEPROM are used.   Consider 
the  following  example.    Suppose  r25  is  currently  set  to  11111111  (0xFF)  and  r26  is  currently  set  to 
00000000  (0x00).    This  corresponds  to byte address 255  (recall  that byte addresses  in EEPROM range 








this code).    If the two registers are equal, the breq command branches and program control  is sent to 




line of  code  that  is not  the  label of  a  routine.    If  the  r25 and FullRegister  registers are not equal,  the 


















an  overflow  has  just  been  performed.    If  OverFlowReg  is  zero,  no  overflow  has  just  taken  place;  if 
OverFlowReg is 0xFF, an overflow has just taken place.  Because an overflow has just taken place in the 
overflowrng routine, the OverFlowReg register is set to 0xFF in the “ldi OverFlowReg, 0xFF” command.  










The  “cpse  OverFlowReg,  FullRegister”  command  determines  whether  an  overflow  has  just  been 
performed.    It does  so by  testing whether OverFlowReg  is equal  to FullRegister,  the  latter of which  is 
always set  to 0xFF.    If  so, an overflow has  just been performed  (as described above), and so  the cpse 




there has been no overflow,  “cpse OverFlowReg, FullRegister” evaluates  to  false and  thus “inc  r25”  is 
executed.    This  is done  so  that  the next byte of EEPROM will be written  to during  the next  interrupt.  





pop r17        
     pop r16          
      out SREG, r16         































This  portion  of main  was  copied  verbatim  from  the  Lights  program  that  was  given  and  explained  to 













SP  is a two‐byte pointer that can be accessed  in the same manner as a port.   The two bytes of SP are 





RAMEND.    As  is  traditionally  true  with  stack  architecture,  the  stack  of  the  AT90USB1287  grows 
downward, starting from higher addresses and moving downward toward lower addresses.  This is why 
the SP is initialized to the highest address of SRAM and not the lowest address.  RAMEND represents the 













Recall  from the RNG section the ADMUX component of  the AT90USB1287.   This segment of code sets 





.equ  MUX0  = 0  ; Analog Channel and Gain Selection Bits 
.equ  MUX1  = 1  ; Analog Channel and Gain Selection Bits 
.equ  MUX2  = 2  ; Analog Channel and Gain Selection Bits 
.equ  MUX3  = 3  ; Analog Channel and Gain Selection Bits 
.equ  MUX4  = 4  ; Analog Channel and Gain Selection Bits 
.equ  ADLAR  = 5  ; Left Adjust Result 
.equ  REFS0  = 6  ; Reference Selection Bit 0 
.equ  REFS1  = 7  ; Reference Selection Bit 1     
 
The numbers 0 ‐7 shown above correspond to the eight bits of the ADMUX register.  Setting any of these 
bits  to 1 enables  the  corresponding  feature;  setting any of  these bits  to 0 disables  the  corresponding 















.equ  ADPS0  = 0  ; ADC  Prescaler Select Bits 
.equ  ADPS1  = 1  ; ADC  Prescaler Select Bits 
.equ  ADPS2  = 2  ; ADC  Prescaler Select Bits 
.equ  ADIE  = 3  ; ADC Interrupt Enable 
.equ  ADIF  = 4  ; ADC Interrupt Flag 
.equ  ADATE  = 5  ; ADC Auto Trigger Enable 
.equ  ADSC  = 6  ; ADC Start Conversion 








scope  of  this  project  and  this  report.    It  is  sufficient  to  say  that  empirical  testing  and  data 




• Bit 4  is  the ADC  Interrupt Flag.   The hardware of  the AT90USB1287 modifies  this bit based on 
whether  an ADC  converstion  interrupt  has  been  completed.    As  such,  the  programmer need 
not concern himself/herself with this bit.  This bit should be disabled (zero) at first because no 
interrupt has yet taken place. 













































































random data using  the ADC Conversion  interrupt  routine,  and would  like  to use  that  random data  as 
input into the PRNG.  No further random data need be collected; the interrupt functionality should be 
disabled  as  a  result.    Disabling  the  interrupt  functionality  is  also  necessary  to  avoid  disrupting  or 
interfering with  the prng  routine.   Accordingly,  the cli  command clears  the  Interrupt bit on  the Status 
Register  (SREG).    This  is  the  opposite  effect  of  the  sei  command.   When  the  Interrupt  bit  on  SREG  is 
cleared, no  further  interrupts  can  take place.   Although  it  should not be necessary,  this program also 
clears  all  of  the ADC  enable  bits  of  the ADCSRA  register  as  a  redundant means  of  canceling  the ADC 























from forming.   The same methodology  is used for the prng routine.   PRNGCounter  is  the counter that 
stores  the  number  of  bits  of  PRNGSeed  that  have  been  replaced  with  fresh  pseudorandom  data.  













As  discussed  above,  when  PRNGCounter  reaches  zero,  PRNGSeed  is  written  to  EEPROM.    The  code 
segment shown above is the algorithm used to do this.  It is mostly identical to the algorithm used in the 














routine,  it  uses  the  same methodology  and algorithms as does  the RNG  routine  to write  to  EEPROM.  

































the  next  bit  generated  by  the  LFSR.    The  list  of  taps  in  the  LFSR  is  referred  to  as  the  tap 
sequence. 
3) It  is  to  the user’s advantage to choose taps  that produce a maximum LFSR.   A maximum LFSR 
will cycle through all possible states of ones and zeroes that the register can assume (except for 
the  state  in which  all  bits  are  zero, which will  never  change,  no matter  how many  iterations) 
before repeating a state.  Increasing the number of unique states that the LFSR produces before 
repeating a state is advantageous so that patterns do not form in the pseudorandom data.  The 
user  is  thus  advised  to  choose  taps  that  produce  a  maximal  LFSR.    In  this  project,  the  tap 
sequence is the 8th bit, the 6th bit, the 5th bit, and the 4th bit, which is labeled [8, 6, 5, 4]. 
4) The  values  of  the  taps  are  EORed  together  to  form  the  next  bit  to  be  added  to  the  register.  
Because the [8, 6, 5, 4] tap sequence was chosen for this project, the 8th, 6th, 5th, and 4th bits are 
EORed together to produce the next bit to be added to the register. 






















of  PRNGSeed  in  its  leftmost bit  position,  and TempSeed holds  the 6th  bit  of  PRNGSeed  in  its  leftmost 








TempSeed  is  now  shifted  left  so  that  the  5th  bit  of  PRNGSeed  is  now  in  the  leftmost  bit  position  of 
TempSeed.    This bit  is  EORed with PrevSeed and  stored  in PrevSeed.    This  is  equivalent  to  taking  the 
result of the EOR of the 8th and 6th bits of PRNGSeed (the step just completed) and EORing it with the 5th 







Lastly,  TempSeed  is  shifted  left  so  that  the 4th  bit  of  PRNGSeed  is  now  in  the  leftmost bit  position of 




























The  first  statement  of  the  code  segment  shown  above  tests  to  see  if  ZeroCounter  is  equal  to 
PRNGCounter.   ZeroCounter  is a register that statically stores 0x00.   ZeroCounter was  initialized  in the 
main  routine  to  hold  0x00  and  its  value  is  never  changed  throughout  the  program.    As  a  result, 
comparing ZeroCounter to PRNGCounter is actually a test to determine if PRNGCounter equals 0x00.  If 
PRNGCounter  does  equal  zero,  it  means  that  the  lfsr  routine  has  been  performed  eight  times.    This 





hand,  if PRNGCounter  is not equal  to 0x00,  it means  that  lfsr has not been yet been performed eight 
times.  In this case, the lfsr needs to be run again.  The “cpse ZeroCounter, PRNGCounter” statement will 
























program  allows  EEPROM  to  be  overwritten  indefinitely.    As  long  as  the  user  does  not  terminate  the 
program,  EEPROM will  continue  to write  over  itself.    This  is  not  the  case with  the  PRNG  in  order  to 























from being overwritten,  the program needs  to  stop when  the EEARH and EEARL  registers evaluate  to 
4096.    Recall  that  this  program  controls  EEARH  and  EEARL  with  registers  r26  and  r25,  respectively.  
Consequently, when r26 and r25 evaluate to 4096, the program should terminate.  R26 and r25 evaluate 
to 4096 when r26 is equal to 0b00010000 and r25 is equal to 0b00000000 because 2 ^ 12 = 4096 (the bit 
that  is  set  to  one  in  r26  is  the  12th  bit  of  r26  and  r25)..    It  is  sufficient,  though,  to  simply  test  to 
determine if r26 is equal to 0b00010000.  This is what the first two lines of the sub‐code snippet shown 
above  does.    If  r26  does  not  equal  0b00010000,  the  program  control  follows  the  same  overflow 
algorithm as used in the RNG.  If r26 does equal 0b00010000, program control is transferred to a routine 






Generation  Technical Working  Group  (NIST  RNG‐TWG).    These  tests  were  implemented  because  this 









For  each  of  these  tests,  a  test  statistic  named  the  p‐value  is  generated.    NIST  considers  data  to  be 
sufficiently random is the p‐value is greater than 0.01. 
 
The  Frequency  (Monobit)  Test  was  chosen  because,  as  stated  in  the  NIST  RNG‐TWG  software 
documentation,  “It  is  recommended  that  the Frequency  test be  run  first,  since  this  supplies  the most 
basic evidence for the existence of non‐randomness in a sequence, specifically, non‐uniformity.”  Due to 




The Runs  and  the  Longest‐Run‐of‐Ones  (Block)  Tests  both  examine  the oscillation of  ones  and  zeroes 
within a string to determine randomness.  The Runs Test measures the total number of runs within the 
target  string, whereas  the  Longest‐Run‐of‐Ones  (Block)  Test measures  the  longest  run  of  ones within 
blocks of  the  target string.   The Runs Test was chosen because the sample size  is  relatively  low (4096 
bytes). 
 
Both  the Overlapping  Template Mapping  Test  and  the Non‐overlapping  Template  Test  determine  if  a 
pre‐specified target substring occurs too frequently for the entire string to be considered random.  If the 
target  substring  is  found  beginning  at  a  certain  bit within  the  entire  string,  the Non‐overlapping  Test 






that  the  zeros  are  converted  to  (‐1).    The absolute  value of  the difference between  these  cumulative 
partial summations and zero is compared to what would be expected from a truly random string of the 
same size.  This test was chosen because its examination of sequential dependence is relatively different 
from the nature of  the other  tests.   There was no use of  the Random Excursions Test or  the Random 












ensure that  the evaluation  is an accurate representation of  the best results  to be expected from each 
algorithm, the random data generated by the thermistor was not used.  Instead, a seed created by the 






























          
  ldi r16, low(RAMEND)   





































































































































students  the  value  of  only  using  open‐source  and  freely  tested  cryptographic  algorithms  for  their 






Fantastic  code were used  in  either  the RNG or weak PRNG  code  given  in  the project  (or  both).    As  a 














Unfortunately,  the modified AES Fantastic code did not appear  to work correctly.   There were several 
checks  set up  to  test whether  the modified AES  fantastic  code was  successful,  such as:    1) Was all  of 
EEPROM  being  filled?    2) Was  all  of  EEPROM  being  filled  only  once?    3) Were  the  first  16  bytes  of 
EEPROM the original 16‐byte plaintext coded into the AES fantastic code?  4)  Did any patterns emerge 
in  the  resulting pseudorandom data  that could be detected by eye?   Etc.   The modified AES Fantastic 
code passed  all  of  these  checks with  the  exception  of  one  (but  possibly  the most  important  one).    A 
debugger was used to step through the modified AES Fantastic code line‐by‐line to determine what the 
first 16 bytes of ciphertext should be (the ciphertext produced after the first round of AES encryption).  
All  signs  from  the  debugger  indicated  that  these  16  bytes  of  ciphertext  should  have  been  written 
correctly  to  EEPROM.    However,  the  corresponding  16  bytes  in  EEPROM  did  not  match  what  the 















It  should  be  noted  that  the  results  of  the  strong  PRNG  (AES)  tests  cannot  be  fully  trusted  until  the 
discrepancy described above  is  resolved.   These numbers were generated purely as a  troubleshooting 
and/or curiosity measure. 
 
Despite  this  setback,  the  lesson  that  the  students were  supposed  to  learn was  to observe  that  the p‐
values  of  the  strong PRNG  (AES)  should have been higher  than  those of  the weak PRNG  (LFSR).    It  is 











2)  verifying  that  it  is  working  properly  on  the  AT90USB1287.    Although  I  do  have  experience  coding 
cryptographic algorithms such as RC4  in high‐level  languages such as C++ and Java,  I did not have any 
Assembler experience before enrolling  in  the Computer Security Architecture course.   This situation  is 





and  has  the  capability  to  provide  strong  encryption with  pseudorandom data.    However,  it  has  been 
shown that if RC4 is not implemented properly, a known plaintext attack can reveal information about 
the key.   






There  are  two main  suggestions  for  future  work:    1)  improve  the  RNG  to  provide  data  that  is more 
random; 2) revise the strong PRNG code (AES Fantastic) so that  it works as  intended.   With respect to 
the  former,  this  could  consist  of  researching  better  ways  to  use  the  on‐board  thermistor  so  that  it 





The  purpose  of  this  report  is  to  provide  students  with  a  better  understanding  of  programming  in 
Assembler and of random and pseudorandom data.  Both of these topics are covered in detail so as to 
demonstrate  to  the  student  their  importance  in  modern  practice.    Sample  code  and  detailed 
explanations are given to  the student of how to program the  following:   1) a RNG using  the on‐board 
thermistor of the AT90USB1287; 2) a weak PRNG using the LFSR algorithm; and 3) a strong PRNG using 


















































         
  push r16         
  in r16, SREG       




  lds r17, ADCH     
 








































  pop r17        
      pop r16          
      out SREG, r16         
















          
  ldi r16, 0xFF     
  out DDRD, r16     
 
  ldi r16, 0xCF        
      out DDRE, r16       
 
      ldi r16, 0x1F        
      out DDRB, r16       
                          
      ldi r16, 0x30        
      out PortE, r16        
      
















































      rjmp prng                 
      
































































































; Copyright (C) 2006 B. Poettering 
;  
; This program is free software; you can redistribute and/or modify 
; it under the terms of the GNU General Public License as published by 
; the Free Software Foundation; either version 2 of the License, or 
; (at your option) any later version. Whenever you redistribute a copy 
; of this document, make sure to include the copyright and license 
; agreement without modification. 
; 
; This program is distributed in the hope that it will be useful, 
; but WITHOUT ANY WARRANTY; without even the implied warranty of 
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
; GNU General Public License for more details. 
; 
; You should have received a copy of the GNU General Public License 
; along with this program; if not, write to the Free Software 
; Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA 
; The license text can be found here: http://www.gnu.org/licenses/gpl.txt 
 
;                http://point-at-infinity.org/avraes/ 
; 
; This AES implementation was written in November 2006 by B. Poettering.   
; It is published under the terms of the GNU General Public License. If  
; you need AES code, but this license is unsuitable for your project,  






;                             RijndaelFantastic 
; 
; This is a microcontroller implementation of the Rijndael block cipher, 
better 
; known as AES. The target device class is Atmel's AVR, a family of very fast  
; and very powerful flash MCUs, operating at clock rates up to 16 MHz,   
; executing one instruction per clock cycle (16 MIPS). The implementation  
; given here is optimized for RAM requirement, and achieves an encryption  
; rate of about 63 kByte/sec (on a 16MHz MCU). Decryption is done with 
; 55 kByte/sec. 
;  
; The implemented algorithm is restricted to block and key sizes of 128 bit.  
; Larger key sizes can be obtained by altering the key scheduling code, which 
; should be easy.  
; 
; This implementation makes extensive use of the AVR's "lpm" instruction, 
; which loads data bytes from program memory at given addresses (the s-boxes  
; are realized that way). Some members of the AVR family don't offer that  
; instruction at all (e.g. AT90S1200), others only in a restricted way  
; (forcing the target register to be r0). The code below requires the least  
; restricted lpm instruction (with free choice of the target register). 
; The ATmega161 devices meet the above mentioned requirements. 
;  
; Statistics:  
;  
; 16 MHz MCU | clock cycles | blocks per second | bytes per second 
; -----------+--------------+-------------------+------------------ 
; encryption |    4059      |      3942         |      63070 
; decryption |    4675      |      3422         |      54759 
; 
; (key preprocessing time is not considered) 
;  
; This source code consists of some routines and an example application,  
; which encrypts a certain plaintext and decrypts it afterwards with the 
; same key. Comments in the code clarify the interaction between the key  
; expansion and the encryption/decryption routines. 
; 
; I encourage to read the following Rijndael-related papers/books/sites: 
; [1] "The Design of Rijndael", Daemen & Rijmen, Springer, ISBN 3-540-42580-2 
; [2] http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ 
; [3] http://www.esat.kuleuven.ac.be/~rijmen/rijndael/rijndaeldocV2.zip 
; [4] http://www.esat.kuleuven.ac.be/~rijmen/rijndael/atmal.zip 
; [5] http://csrc.nist.gov/CryptoToolkit/aes/rijndael/ 
; 
; [1] is *the* book about Rijndael, [2] is the official Rijndael homepage, 
; [3] contains the complete Rijndael AES specification, [4] is another 
; Rijndael-implementation for AVR MCUs (but much slower than this one,  
; taking 3815 clock cycles per encryption), [5] is the official NIST AES  
; site with further links. 
; 
; AVR and ATmega are registered trademarks by the ATMEL corporation. 
; See http://www.atmel.com and http://www.atmel.com/products/avr/ for 





.def H1  = r16 
.def H2  = r17 
.def Rcon = r18 
.def OverFlowReg = r21 ; THIS IS MY CODE 
.def FullRegister = r22 ; THIS IS MY CODE 
.def HighByteOverflow = r27; THIS IS MY CODE 
  
main: cli   ; initialize stack 
 ldi r31,high(RAMEND) 
 out SPH,r31 
 ldi r31,low(RAMEND) 
 out SPL,r31 
 
 ldi ZH, high(key<<1) ; load key to RAM position $0060 
 ldi ZL, low(key<<1) 
 ldi YH, high($0060) 
 ldi YL, low($0060) 
main0: lpm r16, Z+ 
 st Y+, r16 
 cpi YL, low($0060+16) 
 brne main0 
 
 ldi ZH, high(text<<1) ; load plaintext to r0-r15 
 ldi ZL, low(text<<1) 
 lpm r0, Z+ 
 lpm r1, Z+ 
 lpm r2, Z+ 
 lpm r3, Z+ 
 lpm r4, Z+ 
 lpm r5, Z+ 
 lpm r6, Z+ 
 lpm r7, Z+ 
 lpm r8, Z+ 
 lpm r9, Z+ 
 lpm r10, Z+ 
 lpm r11, Z+ 
 lpm r12, Z+ 
 lpm r13, Z+ 
 lpm r14, Z+ 
 lpm r15, Z+ 
 
; MY INSERTED CODE BEGINS HERE 
; THIS CODE IS TO WRITE THE PLAINTEXT TO EEPROM BEFORE IT IS ENCRYPTED 
 
 ldi r19, 0x00 
 ldi r20, 0x00 
 ldi OverFlowReg, 0x00 






 sbic EECR,EEPE 
 rjmp writetexteepromi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r0 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r1 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromiii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r2 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromiv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r3 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r4 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromvi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r5 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromvii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r6 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writeeepromviii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r7 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromix 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r8 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromx 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r9 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromxi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r10 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromxii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r11 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromxiii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r12 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromxiv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r13 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromxv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r14 
 
 inc r19 
 
 sbi EECR,EEMPE 






 sbic EECR,EEPE 
 rjmp writetexteepromxvi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r15 
 
 inc r19 
 
 sbi EECR,EEMPE 
 sbi EECR,EEPE 
 
; MY INSERTED CODE ENDS HERE 
 
 ldi YH, high($0060) ; encrypt the plaintext 
 ldi YL, low($0060) 
 
; MY INSERTED CODE BEGINS HERE 
; THIS IS TO CONTINUOSLY RUN AES AND WRITE THE RESULTS TO EEPROM 
 
 ldi FullRegister, 0xFF 




 rcall AESEncrypt128 




 sbic EECR,EEPE 
 rjmp writecipheepromi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r0 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramone 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r1 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramtwo 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromiii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r2 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramthree 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromiv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r3 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramfour 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r4 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramfive 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromvi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r5 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramsix 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromvii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r6 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramseven 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromviii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r7 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogrameight 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromix 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r8 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramnine 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromx 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r9 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramten 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromxi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r10 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogrameleven 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromxii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r11 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramtwelve 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromxiii 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r12 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramthirteen 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromxiv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r13 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramfourteen 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromxv 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r14 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogramfifteen 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 








 sbic EECR,EEPE 
 rjmp writecipheepromxvi 
 
 out EEARH, r20 
 out EEARL, r19 
 
 out EEDR, r15 
 
 sbi EECR,EEMPE 




 cp r19, FullRegister 




 cpse OverFlowReg, FullRegister 
 inc r19     
 
 ldi OverFlowReg, 0x00 
 




 ldi HighByteOverflow, 0b00010000 
 
 cp r20, HighByteOverflow 
 breq endprogram 
 
 inc r20 
 
 ldi r19, 0x00 
 
 ldi OverFlowReg, 0xFF 
 




 rjmp endprogram 
 
; MY INSERTED CODE ENDS HERE 
 
; I AM COMMENTING THIS OUT B/C WE DO NOT NEED DECRYPTION 
 
/* 
 ldi YH, high($0060) ; prepare key for decryption 
 ldi YL, low($0060) 
 rcall AESKeyDecPreprocess 
 rcall AESDecrypt128 ; decrypt the cipher text 
*/ 
  










; Encrypt the 16 byte block defined by r0-r15 under the 128 bit key [Y]. 
; Note that calling this function modifies [Y]. Therefore, before encrypting 
a  
; second block with the same key [Y] has to be restored. This can be done by 
; calling the function AESKeyRewind, but it is faster to simply backup the  
; original key somewhere to RAM and to restore it after calling 
AESEncrypt128. 
; 
; Touched registers: Rcon, H1, H2, Z 
; 
AESEncrypt128: 
 ldi Rcon, 1 
AESEnc1:rcall AddRoundKey 
 rcall RAMIncKey128 
 rcall ShiftRowsSubBytes 
 cpi Rcon, 0x6c 
 breq AddRoundKey 
 rcall MixColumns 





; Rewind the key given in [Y]. See AESEncrypt128 for more details. 
; 
; Touched registers: Rcon, H1, H2, Z 
; 
AESKeyRewind: 
 ldi Rcon, 0x36 
AESKeyR:rcall RAMDecKey128 
 cpi Rcon, 0 






; Preprocess the key given in [Y] for use for decryption. See AESDecrypt128 
; for more details. 
; 
; Touched registers: Rcon, H1, H2, Z 
; 
 




 ldi Rcon, 1 
AESKeyF:rcall RAMIncKey128 
 cpi Rcon, 0x6c 
 brne AESKeyF 
 ret 
 
   
;****************************************************************************
** 
; Decrypt the 16 byte block defined by r0-r15 under the 128 bit key [Y]. 
; The decryption key has to be preprocessed by AESKeyDecPreprocess before 
; calling this funtion. Like in AESEncrypt128 [Y] is modified by this  
; function, but the key can be restored by calling AESKeyDecPreprocess. 
Again, 
; backing up the key to RAM will be faster. 
; 
; Note that AESKeyRewind and AESKeyDecPreprocess are the inverses of each 
; other. In other words: if encryption and decryption are performed in  
; strictly alternating order, the calls to AESKeyRewind and AESKeyPreprocess 
; can be ommitted. 
; 
; Touched registers: Rcon, H1, H2, Z 
; 
AESDecrypt128: 
 ldi Rcon, 0x36 
 rcall AddRoundKey 
 rcall RAMDecKey128 
 rcall ShiftRowsSubBytesInverse 
AESDec1:rcall AddRoundKey 
 rcall RAMDecKey128 
 rcall MixColumnsInverse 
 rcall ShiftRowsSubBytesInverse 
 cpi Rcon, 0 





; The following subroutines are for internal use only. They shouldn't be  




.def ST11 = r0 
.def ST21 = r1 
.def ST31 = r2 
.def ST41 = r3 
.def ST12 = r4 
.def ST22 = r5 
.def ST32 = r6  
.def ST42 = r7 
.def ST13 = r8 
.def ST23 = r9 
.def ST33 = r10 
.def ST43 = r11 
.def ST14 = r12 
.def ST24 = r13 
.def ST34 = r14 
.def ST44 = r15 
 
AddRoundKey: ; Touched registers: ST11-ST44, H1 
 ld H1, Y 
 eor ST11, H1 
 ldd H1, Y+1 
 eor ST21, H1 
 ldd H1, Y+2 
 eor ST31, H1 
 ldd H1, Y+3 
 eor ST41, H1 
 ldd H1, Y+4 
 eor ST12, H1 
 ldd H1, Y+5 
 eor ST22, H1 
 ldd H1, Y+6 
 eor ST32, H1 
 ldd H1, Y+7 
 eor ST42, H1 
 ldd H1, Y+8 
 eor ST13, H1 
 ldd H1, Y+9 
 eor ST23, H1 
 ldd H1, Y+10 
 eor ST33, H1 
 ldd H1, Y+11 
 eor ST43, H1 
 ldd H1, Y+12 
 eor ST14, H1 
 ldd H1, Y+13 
 eor ST24, H1 
 ldd H1, Y+14 
 eor ST34, H1 
 ldd H1, Y+15 




MixColumnsInverse: ; Touched registers: ST11-ST44, H1, H2, Z 
 ldi ZH, high(xtime<<1) 
 mov ZL, ST11  ; u = xtime(xtime(a[0] ^ a[2])) 
 eor ZL, ST31 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST11, ZL  ; a[0] ^= u 
 eor ST31, ZL  ; a[2] ^= u 
 mov ZL, ST21  ; v = xtime(xtime(a[1] ^ a[3])) 
 eor ZL, ST41 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST21, ZL  ; a[1] ^= v 
 eor ST41, ZL  ; a[3] ^= v 
 
 mov ZL, ST12 
 eor ZL, ST32 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST12, ZL 
 eor ST32, ZL  
 mov ZL, ST22 
 eor ZL, ST42 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST22, ZL 
 eor ST42, ZL  
 
 mov ZL, ST13 
 eor ZL, ST33 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST13, ZL 
 eor ST33, ZL  
 mov ZL, ST23 
 eor ZL, ST43 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST23, ZL 
 eor ST43, ZL  
 
 mov ZL, ST14 
 eor ZL, ST34 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST14, ZL 
 eor ST34, ZL  
 mov ZL, ST24 
 eor ZL, ST44 
 lpm ZL, Z 
 lpm ZL, Z 
 eor ST24, ZL 
 eor ST44, ZL  
 
 
MixColumns: ; Touched registers: ST11-ST44, H1, H2, Z 
 ldi ZH, high(xtime<<1) 
 mov H1, ST11  ; Tmp = a[0] ^ a[1] ^ a[2] ^ a[3] 
 eor H1, ST21 
 mov ZL, H1 
 eor H1, ST31 
 eor H1, ST41 
 mov H2, ST11  ; save a[0] for later use 
 lpm ZL, Z  ; Tm = xtime(a[0] ^ a[1]) 
 eor ST11, ZL  ; a[0] ^= Tm ^ Tmp 
 eor ST11, H1 
 mov ZL, ST21  ; Tm = xtime(a[1] ^ a[2]) 
 eor ZL, ST31 
 lpm ZL, Z 
 eor ST21, ZL  ; a[1] ^= Tm ^ Tmp 
 eor ST21, H1 
 mov ZL, ST31  ; Tm = xtime(a[2] ^ a[3]) 
 eor ZL, ST41 
 lpm ZL, Z 
 eor ST31, ZL  ; a[2] ^= Tm ^ Tmp 
 eor ST31, H1 
 mov ZL, ST41  ; Tm = xtime(a[3] ^ a[0]) 
 eor ZL, H2 
 lpm ZL, Z 
 eor ST41, ZL  ; a[3] ^= Tm ^ Tmp 
 eor ST41, H1 
  
 mov H1, ST12 
 eor H1, ST22 
 mov ZL, H1 
 eor H1, ST32 
 eor H1, ST42 
 mov H2, ST12 
 lpm ZL, Z 
 eor ST12, ZL 
 eor ST12, H1 
 mov ZL, ST22 
 eor ZL, ST32 
 lpm ZL, Z 
 eor ST22, ZL 
 eor ST22, H1 
 mov ZL, ST32 
 eor ZL, ST42 
 lpm ZL, Z 
 eor ST32, ZL 
 eor ST32, H1 
 mov ZL, ST42 
 eor ZL, H2 
 lpm ZL, Z 
 eor ST42, ZL 
 eor ST42, H1 
  
 mov H1, ST13 
 eor H1, ST23 
 mov ZL, H1 
 eor H1, ST33 
 eor H1, ST43 
 mov H2, ST13 
 lpm ZL, Z 
 eor ST13, ZL 
 eor ST13, H1 
 mov ZL, ST23 
 eor ZL, ST33 
 lpm ZL, Z 
 eor ST23, ZL 
 eor ST23, H1 
 mov ZL, ST33 
 eor ZL, ST43 
 lpm ZL, Z 
 eor ST33, ZL 
 eor ST33, H1 
 mov ZL, ST43 
 eor ZL, H2 
 lpm ZL, Z 
 eor ST43, ZL 
 eor ST43, H1 
 
 mov H1, ST14 
 eor H1, ST24 
 mov ZL, H1 
 eor H1, ST34 
 eor H1, ST44 
 mov H2, ST14 
 lpm ZL, Z 
 eor ST14, ZL 
 eor ST14, H1 
 mov ZL, ST24 
 eor ZL, ST34 
 lpm ZL, Z 
 eor ST24, ZL 
 eor ST24, H1 
 mov ZL, ST34 
 eor ZL, ST44 
 lpm ZL, Z 
 eor ST34, ZL 
 eor ST34, H1 
 mov ZL, ST44 
 eor ZL, H2 
 lpm ZL, Z 
 eor ST44, ZL 




ShiftRowsSubBytes: ; Touched registers: ST11-ST44, H1, Z 
 ldi ZH, high(sbox<<1) 
 mov ZL, ST11 
 lpm ST11, Z 
 mov ZL, ST12 
 lpm ST12, Z 
 mov ZL, ST13 
 lpm ST13, Z 
 mov ZL, ST14 
 lpm ST14, Z 
 mov H1, ST21 
 mov ZL, ST22 
 lpm ST21, Z 
 mov ZL, ST23 
 lpm ST22, Z 
 mov ZL, ST24 
 lpm ST23, Z 
 mov ZL, H1 
 lpm ST24, Z 
 mov H1, ST31 
 mov ZL, ST33 
 lpm ST31, Z 
 mov ZL, H1 
 lpm ST33, Z 
 mov H1, ST32 
 mov ZL, ST34 
 lpm ST32, Z 
 mov ZL, H1 
 lpm ST34, Z 
 mov H1, ST44 
 mov ZL, ST43 
 lpm ST44, Z 
 mov ZL, ST42 
 lpm ST43, Z 
 mov ZL, ST41 
 lpm ST42, Z 
 mov ZL, H1 
 lpm ST41, Z 
 ret  
 
  
ShiftRowsSubBytesInverse: ; Touched registers: ST11-ST44, H1, Z 
 ldi ZH, high(isbox<<1) 
 mov ZL, ST11 
 lpm ST11, Z 
 mov ZL, ST12 
 lpm ST12, Z 
 mov ZL, ST13 
 lpm ST13, Z 
 mov ZL, ST14 
 lpm ST14, Z 
 mov H1, ST21 
 mov ZL, ST24 
 lpm ST21, Z 
 mov ZL, ST23 
 lpm ST24, Z 
 mov ZL, ST22 
 lpm ST23, Z 
 mov ZL, H1 
 lpm ST22, Z 
 mov H1, ST31 
 mov ZL, ST33 
 lpm ST31, Z 
 mov ZL, H1 
 lpm ST33, Z 
 mov H1, ST32 
 mov ZL, ST34 
 lpm ST32, Z 
 mov ZL, H1 
 lpm ST34, Z 
 mov H1, ST44 
 mov ZL, ST41 
 lpm ST44, Z 
 mov ZL, ST42 
 lpm ST41, Z 
 mov ZL, ST43 
 lpm ST42, Z 
 mov ZL, H1 
 lpm ST43, Z 
 ret  
 
 
RAMIncKey128: ; Touched registers: Rcon, H1, H2, Z 
 ldi ZH, high(sbox<<1) 
 ldd H2, Y+12 
 ldd ZL, Y+13 
 lpm ZL, Z 
 eor ZL, Rcon 
 lsl Rcon 
 brcc PC+2 
 ldi Rcon, 0x1b 
 rcall RAMInc1 
 ldd ZL, Y+13 
 lpm ZL, Z 
 rcall RAMInc1 
 ldd ZL, Y+13 
 lpm ZL, Z 
 rcall RAMInc1 
 mov ZL, H2 
 lpm ZL, Z 
 rcall RAMInc1 
 sbiw YL, 4 
 ret 
RAMInc1:ld H1, Y 
  eor ZL, H1 
  st Y+, ZL 
  ldd H1, Y+3 
  eor ZL, H1 
  std Y+3, ZL 
  ldd H1, Y+7 
  eor ZL, H1 
  std Y+7, ZL 
  ldd H1, Y+11 
  eor ZL, H1 
  std Y+11, ZL 
  ret 
 
RAMDecKey128: ; Touched registers: Rcon, H1, H2, Z 
 ldi ZH, high(sbox<<1) 
 ldi H1, 4 
RAMDec1:ldd ZL, Y+12 
 ldd H2, Y+8 
 eor ZL, H2 
 std Y+12, ZL 
 ldd ZL, Y+4 
 eor H2, ZL 
 std Y+8, H2 
 ld H2, Y+ 
 eor ZL, H2 
 std Y+3, ZL 
 dec H1 
 brne RAMDec1 
 ldd ZL, Y+8 
 lpm ZL, Z 
 ld H1, -Y 
 eor H1, ZL 
 st Y, H1 
 ldd ZL, Y+12 
 lpm ZL, Z 
 ld H1, -Y 
 eor H1, ZL 
 st Y, H1 
 ldd ZL, Y+12 
 lpm ZL, Z 
 ld H1, -Y 
 eor H1, ZL 
 st Y, H1 
 ldd ZL, Y+12 
 lpm ZL, Z 
 ld H1, -Y 
 eor H1, ZL 
 eor H1, Rcon 
 st Y, H1 
 lsr Rcon 
 cpi Rcon, 0x0d 
 brne PC+2 
 ldi Rcon, 0x80 






;;; SBOX and "xtime" tables 
;;; 
;;; The following tables have to be aligned to a flash position with lower  
;;; address byte equal to $00. In assembler syntax: low(sbox<<1) == 0.  
;;; To ensure the proper alignment the assembler directive .ORG should be   
;;; used. The order of the tables is arbitrary. They even do not have to be 
;;; allocated in adjacent memory areas. 
  
.CSEG  
.ORG $800   ; ensure proper alignement 
  
sbox: 
.db $63,$7c,$77,$7b,$f2,$6b,$6f,$c5,$30,$01,$67,$2b,$fe,$d7,$ab,$76  
.db $ca,$82,$c9,$7d,$fa,$59,$47,$f0,$ad,$d4,$a2,$af,$9c,$a4,$72,$c0  
.db $b7,$fd,$93,$26,$36,$3f,$f7,$cc,$34,$a5,$e5,$f1,$71,$d8,$31,$15  
.db $04,$c7,$23,$c3,$18,$96,$05,$9a,$07,$12,$80,$e2,$eb,$27,$b2,$75  
.db $09,$83,$2c,$1a,$1b,$6e,$5a,$a0,$52,$3b,$d6,$b3,$29,$e3,$2f,$84  
.db $53,$d1,$00,$ed,$20,$fc,$b1,$5b,$6a,$cb,$be,$39,$4a,$4c,$58,$cf  
.db $d0,$ef,$aa,$fb,$43,$4d,$33,$85,$45,$f9,$02,$7f,$50,$3c,$9f,$a8  
.db $51,$a3,$40,$8f,$92,$9d,$38,$f5,$bc,$b6,$da,$21,$10,$ff,$f3,$d2  
.db $cd,$0c,$13,$ec,$5f,$97,$44,$17,$c4,$a7,$7e,$3d,$64,$5d,$19,$73  
.db $60,$81,$4f,$dc,$22,$2a,$90,$88,$46,$ee,$b8,$14,$de,$5e,$0b,$db  
.db $e0,$32,$3a,$0a,$49,$06,$24,$5c,$c2,$d3,$ac,$62,$91,$95,$e4,$79  
.db $e7,$c8,$37,$6d,$8d,$d5,$4e,$a9,$6c,$56,$f4,$ea,$65,$7a,$ae,$08  
.db $ba,$78,$25,$2e,$1c,$a6,$b4,$c6,$e8,$dd,$74,$1f,$4b,$bd,$8b,$8a  
.db $70,$3e,$b5,$66,$48,$03,$f6,$0e,$61,$35,$57,$b9,$86,$c1,$1d,$9e  
.db $e1,$f8,$98,$11,$69,$d9,$8e,$94,$9b,$1e,$87,$e9,$ce,$55,$28,$df  
.db $8c,$a1,$89,$0d,$bf,$e6,$42,$68,$41,$99,$2d,$0f,$b0,$54,$bb,$16  
 
isbox: 
.db $52,$09,$6a,$d5,$30,$36,$a5,$38,$bf,$40,$a3,$9e,$81,$f3,$d7,$fb  
.db $7c,$e3,$39,$82,$9b,$2f,$ff,$87,$34,$8e,$43,$44,$c4,$de,$e9,$cb  
.db $54,$7b,$94,$32,$a6,$c2,$23,$3d,$ee,$4c,$95,$0b,$42,$fa,$c3,$4e  
.db $08,$2e,$a1,$66,$28,$d9,$24,$b2,$76,$5b,$a2,$49,$6d,$8b,$d1,$25  
.db $72,$f8,$f6,$64,$86,$68,$98,$16,$d4,$a4,$5c,$cc,$5d,$65,$b6,$92  
.db $6c,$70,$48,$50,$fd,$ed,$b9,$da,$5e,$15,$46,$57,$a7,$8d,$9d,$84  
.db $90,$d8,$ab,$00,$8c,$bc,$d3,$0a,$f7,$e4,$58,$05,$b8,$b3,$45,$06  
.db $d0,$2c,$1e,$8f,$ca,$3f,$0f,$02,$c1,$af,$bd,$03,$01,$13,$8a,$6b  
.db $3a,$91,$11,$41,$4f,$67,$dc,$ea,$97,$f2,$cf,$ce,$f0,$b4,$e6,$73  
.db $96,$ac,$74,$22,$e7,$ad,$35,$85,$e2,$f9,$37,$e8,$1c,$75,$df,$6e  
.db $47,$f1,$1a,$71,$1d,$29,$c5,$89,$6f,$b7,$62,$0e,$aa,$18,$be,$1b  
.db $fc,$56,$3e,$4b,$c6,$d2,$79,$20,$9a,$db,$c0,$fe,$78,$cd,$5a,$f4  
.db $1f,$dd,$a8,$33,$88,$07,$c7,$31,$b1,$12,$10,$59,$27,$80,$ec,$5f  
.db $60,$51,$7f,$a9,$19,$b5,$4a,$0d,$2d,$e5,$7a,$9f,$93,$c9,$9c,$ef  
.db $a0,$e0,$3b,$4d,$ae,$2a,$f5,$b0,$c8,$eb,$bb,$3c,$83,$53,$99,$61  
.db $17,$2b,$04,$7e,$ba,$77,$d6,$26,$e1,$69,$14,$63,$55,$21,$0c,$7d  
 
xtime: 
.db $00,$02,$04,$06,$08,$0a,$0c,$0e,$10,$12,$14,$16,$18,$1a,$1c,$1e 
.db $20,$22,$24,$26,$28,$2a,$2c,$2e,$30,$32,$34,$36,$38,$3a,$3c,$3e 
.db $40,$42,$44,$46,$48,$4a,$4c,$4e,$50,$52,$54,$56,$58,$5a,$5c,$5e 
.db $60,$62,$64,$66,$68,$6a,$6c,$6e,$70,$72,$74,$76,$78,$7a,$7c,$7e 
.db $80,$82,$84,$86,$88,$8a,$8c,$8e,$90,$92,$94,$96,$98,$9a,$9c,$9e 
.db $a0,$a2,$a4,$a6,$a8,$aa,$ac,$ae,$b0,$b2,$b4,$b6,$b8,$ba,$bc,$be 
.db $c0,$c2,$c4,$c6,$c8,$ca,$cc,$ce,$d0,$d2,$d4,$d6,$d8,$da,$dc,$de 
.db $e0,$e2,$e4,$e6,$e8,$ea,$ec,$ee,$f0,$f2,$f4,$f6,$f8,$fa,$fc,$fe 
.db $1b,$19,$1f,$1d,$13,$11,$17,$15,$0b,$09,$0f,$0d,$03,$01,$07,$05 
.db $3b,$39,$3f,$3d,$33,$31,$37,$35,$2b,$29,$2f,$2d,$23,$21,$27,$25 
.db $5b,$59,$5f,$5d,$53,$51,$57,$55,$4b,$49,$4f,$4d,$43,$41,$47,$45 
.db $7b,$79,$7f,$7d,$73,$71,$77,$75,$6b,$69,$6f,$6d,$63,$61,$67,$65 
.db $9b,$99,$9f,$9d,$93,$91,$97,$95,$8b,$89,$8f,$8d,$83,$81,$87,$85 
.db $bb,$b9,$bf,$bd,$b3,$b1,$b7,$b5,$ab,$a9,$af,$ad,$a3,$a1,$a7,$a5 
.db $db,$d9,$df,$dd,$d3,$d1,$d7,$d5,$cb,$c9,$cf,$cd,$c3,$c1,$c7,$c5 
.db $fb,$f9,$ff,$fd,$f3,$f1,$f7,$f5,$eb,$e9,$ef,$ed,$e3,$e1,$e7,$e5 
 
