Botan  1.10.9
camellia.cpp
Go to the documentation of this file.
1 /*
2 * Camellia
3 * (C) 2012 Jack Lloyd
4 *
5 * Distributed under the terms of the Botan license
6 */
7 
8 #include <botan/camellia.h>
9 #include <botan/internal/camellia_sbox.h>
10 #include <botan/loadstor.h>
11 
12 namespace Botan {
13 
14 namespace Camellia_F {
15 
16 namespace {
17 
18 /*
19 * We use the slow byte-wise version of F in the first and last rounds
20 * to help protect against timing attacks
21 */
22 u64bit F_SLOW(u64bit v, u64bit K)
23  {
24  static const byte SBOX[256] = {
25  0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
26  0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
27  0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
28  0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
29  0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
30  0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
31  0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
32  0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
33  0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
34  0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
35  0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
36  0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
37  0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
38  0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
39  0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
40  0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
41  0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
42  0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
43  0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
44  0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
45  0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
46  0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
47  0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
48  0xC7, 0x80, 0x9E };
49 
50  const u64bit x = v ^ K;
51 
52  const byte t1 = SBOX[get_byte(0, x)];
53  const byte t2 = rotate_left(SBOX[get_byte(1, x)], 1);
54  const byte t3 = rotate_left(SBOX[get_byte(2, x)], 7);
55  const byte t4 = SBOX[rotate_left(get_byte(3, x), 1)];
56  const byte t5 = rotate_left(SBOX[get_byte(4, x)], 1);
57  const byte t6 = rotate_left(SBOX[get_byte(5, x)], 7);
58  const byte t7 = SBOX[rotate_left(get_byte(6, x), 1)];
59  const byte t8 = SBOX[get_byte(7, x)];
60 
61  const byte y1 = t1 ^ t3 ^ t4 ^ t6 ^ t7 ^ t8;
62  const byte y2 = t1 ^ t2 ^ t4 ^ t5 ^ t7 ^ t8;
63  const byte y3 = t1 ^ t2 ^ t3 ^ t5 ^ t6 ^ t8;
64  const byte y4 = t2 ^ t3 ^ t4 ^ t5 ^ t6 ^ t7;
65  const byte y5 = t1 ^ t2 ^ t6 ^ t7 ^ t8;
66  const byte y6 = t2 ^ t3 ^ t5 ^ t7 ^ t8;
67  const byte y7 = t3 ^ t4 ^ t5 ^ t6 ^ t8;
68  const byte y8 = t1 ^ t4 ^ t5 ^ t6 ^ t7;
69 
70  return make_u64bit(y1, y2, y3, y4, y5, y6, y7, y8);
71  }
72 
73 inline u64bit F(u64bit v, u64bit K)
74  {
75  const u64bit x = v ^ K;
76 
77  return Camellia_SBOX1[get_byte(0, x)] ^
78  Camellia_SBOX2[get_byte(1, x)] ^
79  Camellia_SBOX3[get_byte(2, x)] ^
80  Camellia_SBOX4[get_byte(3, x)] ^
81  Camellia_SBOX5[get_byte(4, x)] ^
82  Camellia_SBOX6[get_byte(5, x)] ^
83  Camellia_SBOX7[get_byte(6, x)] ^
84  Camellia_SBOX8[get_byte(7, x)];
85  }
86 
87 inline u64bit FL(u64bit v, u64bit K)
88  {
89  u32bit x1 = (v >> 32);
90  u32bit x2 = (v & 0xFFFFFFFF);
91 
92  const u32bit k1 = (K >> 32);
93  const u32bit k2 = (K & 0xFFFFFFFF);
94 
95  x2 ^= rotate_left(x1 & k1, 1);
96  x1 ^= (x2 | k2);
97 
98  return ((static_cast<u64bit>(x1) << 32) | x2);
99  }
100 
101 inline u64bit FLINV(u64bit v, u64bit K)
102  {
103  u32bit x1 = (v >> 32);
104  u32bit x2 = (v & 0xFFFFFFFF);
105 
106  const u32bit k1 = (K >> 32);
107  const u32bit k2 = (K & 0xFFFFFFFF);
108 
109  x1 ^= (x2 | k2);
110  x2 ^= rotate_left(x1 & k1, 1);
111 
112  return ((static_cast<u64bit>(x1) << 32) | x2);
113  }
114 
115 /*
116 * Camellia Encryption
117 */
118 void encrypt(const byte in[], byte out[], size_t blocks,
119  const SecureVector<u64bit>& SK, const size_t rounds)
120  {
121  for(size_t i = 0; i != blocks; ++i)
122  {
123  u64bit D1 = load_be<u64bit>(in, 0);
124  u64bit D2 = load_be<u64bit>(in, 1);
125 
126  const u64bit* K = &SK[0];
127 
128  D1 ^= *K++;
129  D2 ^= *K++;
130 
131  D2 ^= F_SLOW(D1, *K++);
132  D1 ^= F_SLOW(D2, *K++);
133 
134  for(size_t r = 1; r != rounds - 1; ++r)
135  {
136  if(r % 3 == 0)
137  {
138  D1 = FL (D1, *K++);
139  D2 = FLINV(D2, *K++);
140  }
141 
142  D2 ^= F(D1, *K++);
143  D1 ^= F(D2, *K++);
144  }
145 
146  D2 ^= F_SLOW(D1, *K++);
147  D1 ^= F_SLOW(D2, *K++);
148 
149  D2 ^= *K++;
150  D1 ^= *K++;
151 
152  store_be(out, D2, D1);
153 
154  in += 16;
155  out += 16;
156  }
157  }
158 
159 /*
160 * Camellia Decryption
161 */
162 void decrypt(const byte in[], byte out[], size_t blocks,
163  const SecureVector<u64bit>& SK, const size_t rounds)
164  {
165  for(size_t i = 0; i != blocks; ++i)
166  {
167  u64bit D1 = load_be<u64bit>(in, 0);
168  u64bit D2 = load_be<u64bit>(in, 1);
169 
170  const u64bit* K = &SK[SK.size()-1];
171 
172  D2 ^= *K--;
173  D1 ^= *K--;
174 
175  D2 ^= F_SLOW(D1, *K--);
176  D1 ^= F_SLOW(D2, *K--);
177 
178  for(size_t r = 1; r != rounds - 1; ++r)
179  {
180  if(r % 3 == 0)
181  {
182  D1 = FL (D1, *K--);
183  D2 = FLINV(D2, *K--);
184  }
185 
186  D2 ^= F(D1, *K--);
187  D1 ^= F(D2, *K--);
188  }
189 
190  D2 ^= F_SLOW(D1, *K--);
191  D1 ^= F_SLOW(D2, *K--);
192 
193  D1 ^= *K--;
194  D2 ^= *K;
195 
196  store_be(out, D2, D1);
197 
198  in += 16;
199  out += 16;
200  }
201  }
202 
203 u64bit left_rot_hi(u64bit h, u64bit l, size_t shift)
204  {
205  return (h << shift) | ((l >> (64-shift)));
206  }
207 
208 u64bit left_rot_lo(u64bit h, u64bit l, size_t shift)
209  {
210  return (h >> (64-shift)) | (l << shift);
211  }
212 
213 /*
214 * Camellia Key Schedule
215 */
216 void key_schedule(SecureVector<u64bit>& SK, const byte key[], size_t length)
217  {
218  const u64bit Sigma1 = 0xA09E667F3BCC908B;
219  const u64bit Sigma2 = 0xB67AE8584CAA73B2;
220  const u64bit Sigma3 = 0xC6EF372FE94F82BE;
221  const u64bit Sigma4 = 0x54FF53A5F1D36F1C;
222  const u64bit Sigma5 = 0x10E527FADE682D1D;
223  const u64bit Sigma6 = 0xB05688C2B3E6C1FD;
224 
225  const u64bit KL_H = load_be<u64bit>(key, 0);
226  const u64bit KL_L = load_be<u64bit>(key, 1);
227 
228  const u64bit KR_H = (length >= 24) ? load_be<u64bit>(key, 2) : 0;
229  const u64bit KR_L =
230  (length == 32) ? load_be<u64bit>(key, 3) : ((length == 24) ? ~KR_H : 0);
231 
232  u64bit D1 = KL_H ^ KR_H;
233  u64bit D2 = KL_L ^ KR_L;
234  D2 ^= F(D1, Sigma1);
235  D1 ^= F(D2, Sigma2);
236  D1 ^= KL_H;
237  D2 ^= KL_L;
238  D2 ^= F(D1, Sigma3);
239  D1 ^= F(D2, Sigma4);
240 
241  const u64bit KA_H = D1;
242  const u64bit KA_L = D2;
243 
244  D1 = KA_H ^ KR_H;
245  D2 = KA_L ^ KR_L;
246  D2 ^= F(D1, Sigma5);
247  D1 ^= F(D2, Sigma6);
248 
249  const u64bit KB_H = D1;
250  const u64bit KB_L = D2;
251 
252  if(length == 16)
253  {
254  SK.resize(26);
255 
256  SK[ 0] = KL_H;
257  SK[ 1] = KL_L;
258  SK[ 2] = KA_H;
259  SK[ 3] = KA_L;
260  SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
261  SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
262  SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
263  SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
264  SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
265  SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
266  SK[10] = left_rot_hi(KL_H, KL_L, 45);
267  SK[11] = left_rot_lo(KL_H, KL_L, 45);
268  SK[12] = left_rot_hi(KA_H, KA_L, 45);
269  SK[13] = left_rot_lo(KL_H, KL_L, 60);
270  SK[14] = left_rot_hi(KA_H, KA_L, 60);
271  SK[15] = left_rot_lo(KA_H, KA_L, 60);
272  SK[16] = left_rot_lo(KL_H, KL_L, 77-64);
273  SK[17] = left_rot_hi(KL_H, KL_L, 77-64);
274  SK[18] = left_rot_lo(KL_H, KL_L, 94-64);
275  SK[19] = left_rot_hi(KL_H, KL_L, 94-64);
276  SK[20] = left_rot_lo(KA_H, KA_L, 94-64);
277  SK[21] = left_rot_hi(KA_H, KA_L, 94-64);
278  SK[22] = left_rot_lo(KL_H, KL_L, 111-64);
279  SK[23] = left_rot_hi(KL_H, KL_L, 111-64);
280  SK[24] = left_rot_lo(KA_H, KA_L, 111-64);
281  SK[25] = left_rot_hi(KA_H, KA_L, 111-64);
282  }
283  else
284  {
285  SK.resize(34);
286 
287  SK[ 0] = KL_H;
288  SK[ 1] = KL_L;
289  SK[ 2] = KB_H;
290  SK[ 3] = KB_L;
291 
292  SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
293  SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
294  SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
295  SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
296 
297  SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
298  SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
299  SK[10] = left_rot_hi(KB_H, KB_L, 30);
300  SK[11] = left_rot_lo(KB_H, KB_L, 30);
301 
302  SK[12] = left_rot_hi(KL_H, KL_L, 45);
303  SK[13] = left_rot_lo(KL_H, KL_L, 45);
304  SK[14] = left_rot_hi(KA_H, KA_L, 45);
305  SK[15] = left_rot_lo(KA_H, KA_L, 45);
306 
307  SK[16] = left_rot_hi(KL_H, KL_L, 60);
308  SK[17] = left_rot_lo(KL_H, KL_L, 60);
309  SK[18] = left_rot_hi(KR_H, KR_L, 60);
310  SK[19] = left_rot_lo(KR_H, KR_L, 60);
311  SK[20] = left_rot_hi(KB_H, KB_L, 60);
312  SK[21] = left_rot_lo(KB_H, KB_L, 60);
313 
314  SK[22] = left_rot_lo(KL_H, KL_L, 77-64);
315  SK[23] = left_rot_hi(KL_H, KL_L, 77-64);
316  SK[24] = left_rot_lo(KA_H, KA_L, 77-64);
317  SK[25] = left_rot_hi(KA_H, KA_L, 77-64);
318 
319  SK[26] = left_rot_lo(KR_H, KR_L, 94-64);
320  SK[27] = left_rot_hi(KR_H, KR_L, 94-64);
321  SK[28] = left_rot_lo(KA_H, KA_L, 94-64);
322  SK[29] = left_rot_hi(KA_H, KA_L, 94-64);
323  SK[30] = left_rot_lo(KL_H, KL_L, 111-64);
324  SK[31] = left_rot_hi(KL_H, KL_L, 111-64);
325  SK[32] = left_rot_lo(KB_H, KB_L, 111-64);
326  SK[33] = left_rot_hi(KB_H, KB_L, 111-64);
327  }
328  }
329 
330 }
331 
332 }
333 
334 void Camellia_128::encrypt_n(const byte in[], byte out[], size_t blocks) const
335  {
336  Camellia_F::encrypt(in, out, blocks, SK, 9);
337  }
338 
339 void Camellia_192::encrypt_n(const byte in[], byte out[], size_t blocks) const
340  {
341  Camellia_F::encrypt(in, out, blocks, SK, 12);
342  }
343 
344 void Camellia_256::encrypt_n(const byte in[], byte out[], size_t blocks) const
345  {
346  Camellia_F::encrypt(in, out, blocks, SK, 12);
347  }
348 
349 void Camellia_128::decrypt_n(const byte in[], byte out[], size_t blocks) const
350  {
351  Camellia_F::decrypt(in, out, blocks, SK, 9);
352  }
353 
354 void Camellia_192::decrypt_n(const byte in[], byte out[], size_t blocks) const
355  {
356  Camellia_F::decrypt(in, out, blocks, SK, 12);
357  }
358 
359 void Camellia_256::decrypt_n(const byte in[], byte out[], size_t blocks) const
360  {
361  Camellia_F::decrypt(in, out, blocks, SK, 12);
362  }
363 
364 void Camellia_128::key_schedule(const byte key[], size_t length)
365  {
366  Camellia_F::key_schedule(SK, key, length);
367  }
368 
369 void Camellia_192::key_schedule(const byte key[], size_t length)
370  {
371  Camellia_F::key_schedule(SK, key, length);
372  }
373 
374 void Camellia_256::key_schedule(const byte key[], size_t length)
375  {
376  Camellia_F::key_schedule(SK, key, length);
377  }
378 
379 }
void resize(size_t n)
Definition: secmem.h:211
void decrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: camellia.cpp:354
const u64bit Camellia_SBOX7[256]
T rotate_left(T input, size_t rot)
Definition: rotate.h:21
byte get_byte(size_t byte_num, T input)
Definition: get_byte.h:21
void decrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: camellia.cpp:349
unsigned char byte
Definition: types.h:22
unsigned long long u64bit
Definition: types.h:49
void encrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: camellia.cpp:344
void decrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: camellia.cpp:359
const u64bit Camellia_SBOX1[256]
Definition: camellia_sbox.h:15
size_t size() const
Definition: secmem.h:29
const u64bit Camellia_SBOX8[256]
EVP_CIPHER_CTX decrypt
Definition: ossl_bc.cpp:43
EVP_CIPHER_CTX encrypt
Definition: ossl_bc.cpp:43
u64bit load_be< u64bit >(const byte in[], size_t off)
Definition: loadstor.h:200
void encrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: camellia.cpp:334
void store_be(u16bit in, byte out[2])
Definition: loadstor.h:412
BigInt r
Definition: numthry.cpp:26
void encrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: camellia.cpp:339
u64bit make_u64bit(byte i0, byte i1, byte i2, byte i3, byte i4, byte i5, byte i6, byte i7)
Definition: loadstor.h:80
const u64bit Camellia_SBOX4[256]
const u64bit Camellia_SBOX5[256]
const u64bit Camellia_SBOX3[256]
const u64bit Camellia_SBOX2[256]
Definition: camellia_sbox.h:81
unsigned int u32bit
Definition: types.h:32
const u64bit Camellia_SBOX6[256]