Botan  1.10.9
aes_ssse3.cpp
Go to the documentation of this file.
1 /*
2 * AES using SSSE3
3 * (C) 2010 Jack Lloyd
4 *
5 * This is more or less a direct translation of public domain x86-64
6 * assembly written by Mike Hamburg, described in "Accelerating AES
7 * with Vector Permute Instructions" (CHES 2009). His original code is
8 * available at http://crypto.stanford.edu/vpaes/
9 *
10 * Distributed under the terms of the Botan license
11 */
12 
13 #include <botan/aes_ssse3.h>
14 #include <tmmintrin.h>
15 
16 namespace Botan {
17 
18 namespace {
19 
20 const __m128i low_nibs = _mm_set1_epi8(0x0F);
21 
22 const __m128i k_ipt1 = _mm_set_epi32(
23  0xCABAE090, 0x52227808, 0xC2B2E898, 0x5A2A7000);
24 const __m128i k_ipt2 = _mm_set_epi32(
25  0xCD80B1FC, 0xB0FDCC81, 0x4C01307D, 0x317C4D00);
26 
27 const __m128i k_inv1 = _mm_set_epi32(
28  0x04070309, 0x0A0B0C02, 0x0E05060F, 0x0D080180);
29 const __m128i k_inv2 = _mm_set_epi32(
30  0x030D0E0C, 0x02050809, 0x01040A06, 0x0F0B0780);
31 
32 const __m128i sb1u = _mm_set_epi32(
33  0xA5DF7A6E, 0x142AF544, 0xB19BE18F, 0xCB503E00);
34 const __m128i sb1t = _mm_set_epi32(
35  0x3BF7CCC1, 0x0D2ED9EF, 0x3618D415, 0xFAE22300);
36 
37 const __m128i mc_forward[4] = {
38  _mm_set_epi32(0x0C0F0E0D, 0x080B0A09, 0x04070605, 0x00030201),
39  _mm_set_epi32(0x00030201, 0x0C0F0E0D, 0x080B0A09, 0x04070605),
40  _mm_set_epi32(0x04070605, 0x00030201, 0x0C0F0E0D, 0x080B0A09),
41  _mm_set_epi32(0x080B0A09, 0x04070605, 0x00030201, 0x0C0F0E0D)
42 };
43 
44 const __m128i sr[4] = {
45  _mm_set_epi32(0x0F0E0D0C, 0x0B0A0908, 0x07060504, 0x03020100),
46  _mm_set_epi32(0x0B06010C, 0x07020D08, 0x030E0904, 0x0F0A0500),
47  _mm_set_epi32(0x070E050C, 0x030A0108, 0x0F060D04, 0x0B020900),
48  _mm_set_epi32(0x0306090C, 0x0F020508, 0x0B0E0104, 0x070A0D00),
49 };
50 
51 #define mm_xor3(x, y, z) _mm_xor_si128(x, _mm_xor_si128(y, z))
52 
53 __m128i aes_schedule_transform(__m128i input,
54  __m128i table_1,
55  __m128i table_2)
56  {
57  __m128i i_1 = _mm_and_si128(low_nibs, input);
58  __m128i i_2 = _mm_srli_epi32(_mm_andnot_si128(low_nibs, input), 4);
59 
60  input = _mm_and_si128(low_nibs, input);
61 
62  return _mm_xor_si128(
63  _mm_shuffle_epi8(table_1, i_1),
64  _mm_shuffle_epi8(table_2, i_2));
65  }
66 
67 __m128i aes_schedule_mangle(__m128i k, byte round_no)
68  {
69  __m128i t = _mm_shuffle_epi8(_mm_xor_si128(k, _mm_set1_epi8(0x5B)),
70  mc_forward[0]);
71 
72  __m128i t2 = t;
73 
74  t = _mm_shuffle_epi8(t, mc_forward[0]);
75 
76  t2 = mm_xor3(t2, t, _mm_shuffle_epi8(t, mc_forward[0]));
77 
78  return _mm_shuffle_epi8(t2, sr[round_no % 4]);
79  }
80 
81 __m128i aes_schedule_192_smear(__m128i x, __m128i y)
82  {
83  return mm_xor3(y,
84  _mm_shuffle_epi32(x, 0xFE),
85  _mm_shuffle_epi32(y, 0x80));
86  }
87 
88 __m128i aes_schedule_mangle_dec(__m128i k, byte round_no)
89  {
90  const __m128i dsk[8] = {
91  _mm_set_epi32(0x4AED9334, 0x82255BFC, 0xB6116FC8, 0x7ED9A700),
92  _mm_set_epi32(0x8BB89FAC, 0xE9DAFDCE, 0x45765162, 0x27143300),
93  _mm_set_epi32(0x4622EE8A, 0xADC90561, 0x27438FEB, 0xCCA86400),
94  _mm_set_epi32(0x73AEE13C, 0xBD602FF2, 0x815C13CE, 0x4F92DD00),
95  _mm_set_epi32(0xF83F3EF9, 0xFA3D3CFB, 0x03C4C502, 0x01C6C700),
96  _mm_set_epi32(0xA5526A9D, 0x7384BC4B, 0xEE1921D6, 0x38CFF700),
97  _mm_set_epi32(0xA080D3F3, 0x10306343, 0xE3C390B0, 0x53732000),
98  _mm_set_epi32(0x2F45AEC4, 0x8CE60D67, 0xA0CA214B, 0x036982E8)
99  };
100 
101  __m128i t = aes_schedule_transform(k, dsk[0], dsk[1]);
102  __m128i output = _mm_shuffle_epi8(t, mc_forward[0]);
103 
104  t = aes_schedule_transform(t, dsk[2], dsk[3]);
105  output = _mm_shuffle_epi8(_mm_xor_si128(t, output), mc_forward[0]);
106 
107  t = aes_schedule_transform(t, dsk[4], dsk[5]);
108  output = _mm_shuffle_epi8(_mm_xor_si128(t, output), mc_forward[0]);
109 
110  t = aes_schedule_transform(t, dsk[6], dsk[7]);
111  output = _mm_shuffle_epi8(_mm_xor_si128(t, output), mc_forward[0]);
112 
113  return _mm_shuffle_epi8(output, sr[round_no % 4]);
114  }
115 
116 __m128i aes_schedule_mangle_last(__m128i k, byte round_no)
117  {
118  const __m128i out_tr1 = _mm_set_epi32(
119  0xF7974121, 0xDEBE6808, 0xFF9F4929, 0xD6B66000);
120  const __m128i out_tr2 = _mm_set_epi32(
121  0xE10D5DB1, 0xB05C0CE0, 0x01EDBD51, 0x50BCEC00);
122 
123  k = _mm_shuffle_epi8(k, sr[round_no % 4]);
124  k = _mm_xor_si128(k, _mm_set1_epi8(0x5B));
125  return aes_schedule_transform(k, out_tr1, out_tr2);
126  }
127 
128 __m128i aes_schedule_mangle_last_dec(__m128i k)
129  {
130  const __m128i deskew1 = _mm_set_epi32(
131  0x1DFEB95A, 0x5DBEF91A, 0x07E4A340, 0x47A4E300);
132  const __m128i deskew2 = _mm_set_epi32(
133  0x2841C2AB, 0xF49D1E77, 0x5F36B5DC, 0x83EA6900);
134 
135  k = _mm_xor_si128(k, _mm_set1_epi8(0x5B));
136  return aes_schedule_transform(k, deskew1, deskew2);
137  }
138 
139 __m128i aes_schedule_round(__m128i* rcon, __m128i input1, __m128i input2)
140  {
141  if(rcon)
142  {
143  input2 = _mm_xor_si128(_mm_alignr_epi8(_mm_setzero_si128(), *rcon, 15),
144  input2);
145 
146  *rcon = _mm_alignr_epi8(*rcon, *rcon, 15); // next rcon
147 
148  input1 = _mm_shuffle_epi32(input1, 0xFF); // rotate
149  input1 = _mm_alignr_epi8(input1, input1, 1);
150  }
151 
152  __m128i smeared = _mm_xor_si128(input2, _mm_slli_si128(input2, 4));
153  smeared = mm_xor3(smeared, _mm_slli_si128(smeared, 8), _mm_set1_epi8(0x5B));
154 
155  __m128i t = _mm_srli_epi32(_mm_andnot_si128(low_nibs, input1), 4);
156 
157  input1 = _mm_and_si128(low_nibs, input1);
158 
159  __m128i t2 = _mm_shuffle_epi8(k_inv2, input1);
160 
161  input1 = _mm_xor_si128(input1, t);
162 
163  __m128i t3 = _mm_xor_si128(t2, _mm_shuffle_epi8(k_inv1, t));
164  __m128i t4 = _mm_xor_si128(t2, _mm_shuffle_epi8(k_inv1, input1));
165 
166  __m128i t5 = _mm_xor_si128(input1, _mm_shuffle_epi8(k_inv1, t3));
167  __m128i t6 = _mm_xor_si128(t, _mm_shuffle_epi8(k_inv1, t4));
168 
169  return mm_xor3(_mm_shuffle_epi8(sb1u, t5),
170  _mm_shuffle_epi8(sb1t, t6),
171  smeared);
172  }
173 
174 __m128i aes_ssse3_encrypt(__m128i B, const __m128i* keys, size_t rounds)
175  {
176  const __m128i sb2u = _mm_set_epi32(
177  0x5EB7E955, 0xBC982FCD, 0xE27A93C6, 0x0B712400);
178  const __m128i sb2t = _mm_set_epi32(
179  0xC2A163C8, 0xAB82234A, 0x69EB8840, 0x0AE12900);
180 
181  const __m128i sbou = _mm_set_epi32(
182  0x15AABF7A, 0xC502A878, 0xD0D26D17, 0x6FBDC700);
183  const __m128i sbot = _mm_set_epi32(
184  0x8E1E90D1, 0x412B35FA, 0xCFE474A5, 0x5FBB6A00);
185 
186  const __m128i mc_backward[4] = {
187  _mm_set_epi32(0x0E0D0C0F, 0x0A09080B, 0x06050407, 0x02010003),
188  _mm_set_epi32(0x0A09080B, 0x06050407, 0x02010003, 0x0E0D0C0F),
189  _mm_set_epi32(0x06050407, 0x02010003, 0x0E0D0C0F, 0x0A09080B),
190  _mm_set_epi32(0x02010003, 0x0E0D0C0F, 0x0A09080B, 0x06050407),
191  };
192 
193  B = mm_xor3(_mm_shuffle_epi8(k_ipt1, _mm_and_si128(low_nibs, B)),
194  _mm_shuffle_epi8(k_ipt2,
195  _mm_srli_epi32(
196  _mm_andnot_si128(low_nibs, B),
197  4)),
198  _mm_loadu_si128(keys));
199 
200  for(size_t r = 1; ; ++r)
201  {
202  const __m128i K = _mm_loadu_si128(keys + r);
203 
204  __m128i t = _mm_srli_epi32(_mm_andnot_si128(low_nibs, B), 4);
205 
206  B = _mm_and_si128(low_nibs, B);
207 
208  __m128i t2 = _mm_shuffle_epi8(k_inv2, B);
209 
210  B = _mm_xor_si128(B, t);
211 
212  __m128i t3 = _mm_xor_si128(t2, _mm_shuffle_epi8(k_inv1, t));
213  __m128i t4 = _mm_xor_si128(t2, _mm_shuffle_epi8(k_inv1, B));
214 
215  __m128i t5 = _mm_xor_si128(B, _mm_shuffle_epi8(k_inv1, t3));
216  __m128i t6 = _mm_xor_si128(t, _mm_shuffle_epi8(k_inv1, t4));
217 
218  if(r == rounds)
219  {
220  B = _mm_shuffle_epi8(
221  mm_xor3(_mm_shuffle_epi8(sbou, t5),
222  _mm_shuffle_epi8(sbot, t6),
223  K),
224  sr[r % 4]);
225 
226  return B;
227  }
228 
229  __m128i t7 = mm_xor3(_mm_shuffle_epi8(sb1t, t6),
230  _mm_shuffle_epi8(sb1u, t5),
231  K);
232 
233  __m128i t8 = mm_xor3(_mm_shuffle_epi8(sb2t, t6),
234  _mm_shuffle_epi8(sb2u, t5),
235  _mm_shuffle_epi8(t7, mc_forward[r % 4]));
236 
237  B = mm_xor3(_mm_shuffle_epi8(t8, mc_forward[r % 4]),
238  _mm_shuffle_epi8(t7, mc_backward[r % 4]),
239  t8);
240  }
241  }
242 
243 __m128i aes_ssse3_decrypt(__m128i B, const __m128i* keys, size_t rounds)
244  {
245  const __m128i k_dipt1 = _mm_set_epi32(
246  0x154A411E, 0x114E451A, 0x0F505B04, 0x0B545F00);
247  const __m128i k_dipt2 = _mm_set_epi32(
248  0x12771772, 0xF491F194, 0x86E383E6, 0x60056500);
249 
250  const __m128i sb9u = _mm_set_epi32(
251  0xCAD51F50, 0x4F994CC9, 0x851C0353, 0x9A86D600);
252  const __m128i sb9t = _mm_set_epi32(
253  0x725E2C9E, 0xB2FBA565, 0xC03B1789, 0xECD74900);
254 
255  const __m128i sbeu = _mm_set_epi32(
256  0x22426004, 0x64B4F6B0, 0x46F29296, 0x26D4D000);
257  const __m128i sbet = _mm_set_epi32(
258  0x9467F36B, 0x98593E32, 0x0C55A6CD, 0xFFAAC100);
259 
260  const __m128i sbdu = _mm_set_epi32(
261  0xF56E9B13, 0x882A4439, 0x7D57CCDF, 0xE6B1A200);
262  const __m128i sbdt = _mm_set_epi32(
263  0x2931180D, 0x15DEEFD3, 0x3CE2FAF7, 0x24C6CB00);
264 
265  const __m128i sbbu = _mm_set_epi32(
266  0x602646F6, 0xB0F2D404, 0xD0226492, 0x96B44200);
267  const __m128i sbbt = _mm_set_epi32(
268  0xF3FF0C3E, 0x3255AA6B, 0xC19498A6, 0xCD596700);
269 
270  __m128i mc = mc_forward[3];
271 
272  __m128i t =
273  _mm_shuffle_epi8(k_dipt2,
274  _mm_srli_epi32(
275  _mm_andnot_si128(low_nibs, B),
276  4));
277 
278  B = mm_xor3(t, _mm_loadu_si128(keys),
279  _mm_shuffle_epi8(k_dipt1, _mm_and_si128(B, low_nibs)));
280 
281  for(size_t r = 1; ; ++r)
282  {
283  const __m128i K = _mm_loadu_si128(keys + r);
284 
285  t = _mm_srli_epi32(_mm_andnot_si128(low_nibs, B), 4);
286 
287  B = _mm_and_si128(low_nibs, B);
288 
289  __m128i t2 = _mm_shuffle_epi8(k_inv2, B);
290 
291  B = _mm_xor_si128(B, t);
292 
293  __m128i t3 = _mm_xor_si128(t2, _mm_shuffle_epi8(k_inv1, t));
294  __m128i t4 = _mm_xor_si128(t2, _mm_shuffle_epi8(k_inv1, B));
295  __m128i t5 = _mm_xor_si128(B, _mm_shuffle_epi8(k_inv1, t3));
296  __m128i t6 = _mm_xor_si128(t, _mm_shuffle_epi8(k_inv1, t4));
297 
298  if(r == rounds)
299  {
300  const __m128i sbou = _mm_set_epi32(
301  0xC7AA6DB9, 0xD4943E2D, 0x1387EA53, 0x7EF94000);
302  const __m128i sbot = _mm_set_epi32(
303  0xCA4B8159, 0xD8C58E9C, 0x12D7560F, 0x93441D00);
304 
305  __m128i x = _mm_shuffle_epi8(sbou, t5);
306  __m128i y = _mm_shuffle_epi8(sbot, t6);
307  x = _mm_xor_si128(x, K);
308  x = _mm_xor_si128(x, y);
309 
310  const u32bit which_sr = ((((rounds - 1) << 4) ^ 48) & 48) / 16;
311  return _mm_shuffle_epi8(x, sr[which_sr]);
312  }
313 
314  __m128i t8 = _mm_xor_si128(_mm_shuffle_epi8(sb9t, t6),
315  _mm_xor_si128(_mm_shuffle_epi8(sb9u, t5), K));
316 
317  __m128i t9 = mm_xor3(_mm_shuffle_epi8(t8, mc),
318  _mm_shuffle_epi8(sbdu, t5),
319  _mm_shuffle_epi8(sbdt, t6));
320 
321  __m128i t12 = _mm_xor_si128(
322  _mm_xor_si128(
323  _mm_shuffle_epi8(t9, mc),
324  _mm_shuffle_epi8(sbbu, t5)),
325  _mm_shuffle_epi8(sbbt, t6));
326 
327  B = _mm_xor_si128(_mm_xor_si128(_mm_shuffle_epi8(t12, mc),
328  _mm_shuffle_epi8(sbeu, t5)),
329  _mm_shuffle_epi8(sbet, t6));
330 
331  mc = _mm_alignr_epi8(mc, mc, 12);
332  }
333  }
334 
335 }
336 
337 /*
338 * AES-128 Encryption
339 */
340 void AES_128_SSSE3::encrypt_n(const byte in[], byte out[], size_t blocks) const
341  {
342  const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
343  __m128i* out_mm = reinterpret_cast<__m128i*>(out);
344 
345  const __m128i* keys = reinterpret_cast<const __m128i*>(&EK[0]);
346 
347  for(size_t i = 0; i != blocks; ++i)
348  {
349  __m128i B = _mm_loadu_si128(in_mm + i);
350  _mm_storeu_si128(out_mm + i, aes_ssse3_encrypt(B, keys, 10));
351  }
352  }
353 
354 /*
355 * AES-128 Decryption
356 */
357 void AES_128_SSSE3::decrypt_n(const byte in[], byte out[], size_t blocks) const
358  {
359  const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
360  __m128i* out_mm = reinterpret_cast<__m128i*>(out);
361 
362  const __m128i* keys = reinterpret_cast<const __m128i*>(&DK[0]);
363 
364  for(size_t i = 0; i != blocks; ++i)
365  {
366  __m128i B = _mm_loadu_si128(in_mm + i);
367  _mm_storeu_si128(out_mm + i, aes_ssse3_decrypt(B, keys, 10));
368  }
369  }
370 
371 /*
372 * AES-128 Key Schedule
373 */
374 void AES_128_SSSE3::key_schedule(const byte keyb[], size_t)
375  {
376  __m128i rcon = _mm_set_epi32(0x702A9808, 0x4D7C7D81,
377  0x1F8391B9, 0xAF9DEEB6);
378 
379  __m128i key = _mm_loadu_si128(reinterpret_cast<const __m128i*>(keyb));
380 
381  __m128i* EK_mm = reinterpret_cast<__m128i*>(&EK[0]);
382  __m128i* DK_mm = reinterpret_cast<__m128i*>(&DK[0]);
383 
384  _mm_storeu_si128(DK_mm + 10, _mm_shuffle_epi8(key, sr[2]));
385 
386  key = aes_schedule_transform(key, k_ipt1, k_ipt2);
387 
388  _mm_storeu_si128(EK_mm, key);
389 
390  for(size_t i = 1; i != 10; ++i)
391  {
392  key = aes_schedule_round(&rcon, key, key);
393 
394  _mm_storeu_si128(EK_mm + i,
395  aes_schedule_mangle(key, (12-i) % 4));
396 
397  _mm_storeu_si128(DK_mm + (10-i),
398  aes_schedule_mangle_dec(key, (10-i) % 4));
399  }
400 
401  key = aes_schedule_round(&rcon, key, key);
402  _mm_storeu_si128(EK_mm + 10, aes_schedule_mangle_last(key, 2));
403  _mm_storeu_si128(DK_mm, aes_schedule_mangle_last_dec(key));
404  }
405 
406 /*
407 * AES-192 Encryption
408 */
409 void AES_192_SSSE3::encrypt_n(const byte in[], byte out[], size_t blocks) const
410  {
411  const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
412  __m128i* out_mm = reinterpret_cast<__m128i*>(out);
413 
414  const __m128i* keys = reinterpret_cast<const __m128i*>(&EK[0]);
415 
416  for(size_t i = 0; i != blocks; ++i)
417  {
418  __m128i B = _mm_loadu_si128(in_mm + i);
419  _mm_storeu_si128(out_mm + i, aes_ssse3_encrypt(B, keys, 12));
420  }
421  }
422 
423 /*
424 * AES-192 Decryption
425 */
426 void AES_192_SSSE3::decrypt_n(const byte in[], byte out[], size_t blocks) const
427  {
428  const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
429  __m128i* out_mm = reinterpret_cast<__m128i*>(out);
430 
431  const __m128i* keys = reinterpret_cast<const __m128i*>(&DK[0]);
432 
433  for(size_t i = 0; i != blocks; ++i)
434  {
435  __m128i B = _mm_loadu_si128(in_mm + i);
436  _mm_storeu_si128(out_mm + i, aes_ssse3_decrypt(B, keys, 12));
437  }
438  }
439 
440 /*
441 * AES-192 Key Schedule
442 */
443 void AES_192_SSSE3::key_schedule(const byte keyb[], size_t)
444  {
445  __m128i rcon = _mm_set_epi32(0x702A9808, 0x4D7C7D81,
446  0x1F8391B9, 0xAF9DEEB6);
447 
448  __m128i* EK_mm = reinterpret_cast<__m128i*>(&EK[0]);
449  __m128i* DK_mm = reinterpret_cast<__m128i*>(&DK[0]);
450 
451  __m128i key1 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(keyb));
452  __m128i key2 = _mm_loadu_si128(reinterpret_cast<const __m128i*>((keyb + 8)));
453 
454  _mm_storeu_si128(DK_mm + 12, _mm_shuffle_epi8(key1, sr[0]));
455 
456  key1 = aes_schedule_transform(key1, k_ipt1, k_ipt2);
457  key2 = aes_schedule_transform(key2, k_ipt1, k_ipt2);
458 
459  _mm_storeu_si128(EK_mm + 0, key1);
460 
461  // key2 with 8 high bytes masked off
462  __m128i t = _mm_slli_si128(_mm_srli_si128(key2, 8), 8);
463 
464  for(size_t i = 0; i != 4; ++i)
465  {
466  key2 = aes_schedule_round(&rcon, key2, key1);
467 
468  _mm_storeu_si128(EK_mm + 3*i+1,
469  aes_schedule_mangle(_mm_alignr_epi8(key2, t, 8), (i+3)%4));
470  _mm_storeu_si128(DK_mm + 11-3*i,
471  aes_schedule_mangle_dec(_mm_alignr_epi8(key2, t, 8), (i+3)%4));
472 
473  t = aes_schedule_192_smear(key2, t);
474 
475  _mm_storeu_si128(EK_mm + 3*i+2,
476  aes_schedule_mangle(t, (i+2)%4));
477  _mm_storeu_si128(DK_mm + 10-3*i,
478  aes_schedule_mangle_dec(t, (i+2)%4));
479 
480  key2 = aes_schedule_round(&rcon, t, key2);
481 
482  if(i == 3)
483  {
484  _mm_storeu_si128(EK_mm + 3*i+3,
485  aes_schedule_mangle_last(key2, (i+1)%4));
486  _mm_storeu_si128(DK_mm + 9-3*i,
487  aes_schedule_mangle_last_dec(key2));
488  }
489  else
490  {
491  _mm_storeu_si128(EK_mm + 3*i+3,
492  aes_schedule_mangle(key2, (i+1)%4));
493  _mm_storeu_si128(DK_mm + 9-3*i,
494  aes_schedule_mangle_dec(key2, (i+1)%4));
495  }
496 
497  key1 = key2;
498  key2 = aes_schedule_192_smear(key2,
499  _mm_slli_si128(_mm_srli_si128(t, 8), 8));
500  t = _mm_slli_si128(_mm_srli_si128(key2, 8), 8);
501  }
502  }
503 
504 
505 /*
506 * AES-256 Encryption
507 */
508 void AES_256_SSSE3::encrypt_n(const byte in[], byte out[], size_t blocks) const
509  {
510  const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
511  __m128i* out_mm = reinterpret_cast<__m128i*>(out);
512 
513  const __m128i* keys = reinterpret_cast<const __m128i*>(&EK[0]);
514 
515  for(size_t i = 0; i != blocks; ++i)
516  {
517  __m128i B = _mm_loadu_si128(in_mm + i);
518  _mm_storeu_si128(out_mm + i, aes_ssse3_encrypt(B, keys, 14));
519  }
520  }
521 
522 /*
523 * AES-256 Decryption
524 */
525 void AES_256_SSSE3::decrypt_n(const byte in[], byte out[], size_t blocks) const
526  {
527  const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
528  __m128i* out_mm = reinterpret_cast<__m128i*>(out);
529 
530  const __m128i* keys = reinterpret_cast<const __m128i*>(&DK[0]);
531 
532  for(size_t i = 0; i != blocks; ++i)
533  {
534  __m128i B = _mm_loadu_si128(in_mm + i);
535  _mm_storeu_si128(out_mm + i, aes_ssse3_decrypt(B, keys, 14));
536  }
537  }
538 
539 /*
540 * AES-256 Key Schedule
541 */
542 void AES_256_SSSE3::key_schedule(const byte keyb[], size_t)
543  {
544  __m128i rcon = _mm_set_epi32(0x702A9808, 0x4D7C7D81,
545  0x1F8391B9, 0xAF9DEEB6);
546 
547  __m128i* EK_mm = reinterpret_cast<__m128i*>(&EK[0]);
548  __m128i* DK_mm = reinterpret_cast<__m128i*>(&DK[0]);
549 
550  __m128i key1 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(keyb));
551  __m128i key2 = _mm_loadu_si128(reinterpret_cast<const __m128i*>((keyb + 16)));
552 
553  _mm_storeu_si128(DK_mm + 14, _mm_shuffle_epi8(key1, sr[2]));
554 
555  key1 = aes_schedule_transform(key1, k_ipt1, k_ipt2);
556  key2 = aes_schedule_transform(key2, k_ipt1, k_ipt2);
557 
558  _mm_storeu_si128(EK_mm + 0, key1);
559  _mm_storeu_si128(EK_mm + 1, aes_schedule_mangle(key2, 3));
560 
561  _mm_storeu_si128(DK_mm + 13, aes_schedule_mangle_dec(key2, 1));
562 
563  for(size_t i = 2; i != 14; i += 2)
564  {
565  __m128i k_t = key2;
566  key1 = key2 = aes_schedule_round(&rcon, key2, key1);
567 
568  _mm_storeu_si128(EK_mm + i, aes_schedule_mangle(key2, i % 4));
569  _mm_storeu_si128(DK_mm + (14-i), aes_schedule_mangle_dec(key2, (i+2) % 4));
570 
571  key2 = aes_schedule_round(NULL, _mm_shuffle_epi32(key2, 0xFF), k_t);
572  _mm_storeu_si128(EK_mm + i + 1, aes_schedule_mangle(key2, (i - 1) % 4));
573  _mm_storeu_si128(DK_mm + (13-i), aes_schedule_mangle_dec(key2, (i+1) % 4));
574  }
575 
576  key2 = aes_schedule_round(&rcon, key2, key1);
577 
578  _mm_storeu_si128(EK_mm + 14, aes_schedule_mangle_last(key2, 2));
579  _mm_storeu_si128(DK_mm + 0, aes_schedule_mangle_last_dec(key2));
580  }
581 
582 }
#define mm_xor3(x, y, z)
Definition: aes_ssse3.cpp:51
void decrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: aes_ssse3.cpp:357
void encrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: aes_ssse3.cpp:409
void decrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: aes_ssse3.cpp:525
unsigned char byte
Definition: types.h:22
void decrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: aes_ssse3.cpp:426
void encrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: aes_ssse3.cpp:340
void encrypt_n(const byte in[], byte out[], size_t blocks) const
Definition: aes_ssse3.cpp:508
BigInt r
Definition: numthry.cpp:26
unsigned int u32bit
Definition: types.h:32