/src/botan/src/lib/block/camellia/camellia.cpp

Source (jump to first uncovered line)
/*
* Camellia
* (C) 2012,2020 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/camellia.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/rotate.h>

namespace Botan {

namespace {

namespace Camellia_F {

alignas(256) static const uint8_t SBOX1[256] = {
   0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
   0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
   0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
   0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
   0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
   0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
   0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
   0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
   0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
   0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
   0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
   0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
   0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
   0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
   0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
   0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
   0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
   0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
   0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
   0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
   0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
   0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
   0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
   0xC7, 0x80, 0x9E };

// SBOX2[x] = rotl<1>(SBOX1[x])
alignas(256) static const uint8_t SBOX2[256] = {
   0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE,
   0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6, 0x27, 0x8A, 0x32,
   0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D,
   0x71, 0x5F, 0x1F, 0xF8, 0xD7, 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE,
   0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA,
   0x7A, 0xB3, 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A,
   0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40, 0xE1,
   0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A,
   0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08, 0xAF, 0x28, 0xB0, 0x74,
   0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30,
   0xE5, 0x44, 0xFD, 0x88, 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48,
   0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA,
   0x43, 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8,
   0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7, 0x15, 0x06,
   0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B,
   0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED, 0xE7, 0x3B, 0xFE, 0x7F, 0xC5,
   0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE,
   0x96, 0x26, 0x7D, 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC,
   0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
   0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84,
   0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA, 0xF1, 0xDD, 0x59,
   0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50,
   0xA7, 0xF6, 0x77, 0x93, 0x86, 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE,
   0x8F, 0x01, 0x3D };

// SBOX3[x] = rotl<7>(SBOX1[x])
alignas(256) static const uint8_t SBOX3[256] = {
   0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB,
   0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5, 0xC9, 0xA2, 0x8C,
   0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43,
   0x5C, 0xD7, 0xC7, 0x3E, 0xF5, 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF,
   0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE,
   0x9E, 0xEC, 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86,
   0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10, 0x78,
   0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82,
   0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02, 0xEB, 0x0A, 0x2C, 0x1D,
   0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C,
   0x79, 0x11, 0x7F, 0x22, 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12,
   0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE,
   0xD0, 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32,
   0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED, 0x45, 0x81,
   0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6,
   0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B, 0xF9, 0xCE, 0xBF, 0xDF, 0x71,
   0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7,
   0xA5, 0x89, 0x5F, 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37,
   0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
   0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21,
   0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA, 0x7C, 0x77, 0x56,
   0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14,
   0xE9, 0xBD, 0xDD, 0xE4, 0xA1, 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB,
   0xE3, 0x40, 0x4F };

// SBOX4[x] = SBOX1[rotl<1>(x)]
alignas(256) static const uint8_t SBOX4[256] = {
   0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45,
   0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C, 0x1F, 0x3E, 0xDC,
   0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B,
   0x9A, 0xFB, 0xB0, 0x74, 0x2B, 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76,
   0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53,
   0xF2, 0xFE, 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0,
   0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75, 0x8A,
   0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF,
   0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13, 0x63, 0xE9, 0xA7, 0x9F,
   0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB,
   0x88, 0x8D, 0x72, 0xB9, 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40,
   0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5,
   0x85, 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65,
   0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A, 0xE1, 0xCA,
   0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12,
   0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E, 0x05, 0xB7, 0x31, 0x17, 0xD7,
   0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5,
   0x91, 0x08, 0xA8, 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95,
   0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
   0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B,
   0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E, 0xF5, 0xB6, 0xFD,
   0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55,
   0xEE, 0x0A, 0x49, 0x68, 0x38, 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3,
   0xF4, 0xC7, 0x9E };

uint64_t F(uint64_t v, uint64_t K)
   {
   const uint64_t M1 = 0x0101010001000001;
   const uint64_t M2 = 0x0001010101010000;
   const uint64_t M3 = 0x0100010100010100;
   const uint64_t M4 = 0x0101000100000101;
   const uint64_t M5 = 0x0001010100010101;
   const uint64_t M6 = 0x0100010101000101;
   const uint64_t M7 = 0x0101000101010001;
   const uint64_t M8 = 0x0101010001010100;

   const uint64_t x = v ^ K;

   const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
   const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
   const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
   const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
   const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
   const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
   const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
   const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];

   return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
   }

inline uint64_t FL(uint64_t v, uint64_t K)
   {
   uint32_t x1 = static_cast<uint32_t>(v >> 32);
   uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);

   const uint32_t k1 = static_cast<uint32_t>(K >> 32);
   const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);

   x2 ^= rotl<1>(x1 & k1);
   x1 ^= (x2 | k2);

   return ((static_cast<uint64_t>(x1) << 32) | x2);
   }

inline uint64_t FLINV(uint64_t v, uint64_t K)
   {
   uint32_t x1 = static_cast<uint32_t>(v >> 32);
   uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);

   const uint32_t k1 = static_cast<uint32_t>(K >> 32);
   const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);

   x1 ^= (x2 | k2);
   x2 ^= rotl<1>(x1 & k1);

   return ((static_cast<uint64_t>(x1) << 32) | x2);
   }

/*
* Camellia Encryption
*/
void encrypt(const uint8_t in[], uint8_t out[], size_t blocks,
             const secure_vector<uint64_t>& SK, const size_t rounds)
   {
   for(size_t i = 0; i < blocks; ++i)
      {
      uint64_t D1, D2;
      load_be(in + 16*i, D1, D2);

      const uint64_t* K = SK.data();

      D1 ^= *K++;
      D2 ^= *K++;

      D2 ^= F(D1, *K++);
      D1 ^= F(D2, *K++);

      for(size_t r = 1; r != rounds - 1; ++r)
         {
         if(r % 3 == 0)
            {
            D1 = FL   (D1, *K++);
            D2 = FLINV(D2, *K++);
            }

         D2 ^= F(D1, *K++);
         D1 ^= F(D2, *K++);
         }

      D2 ^= F(D1, *K++);
      D1 ^= F(D2, *K++);

      D2 ^= *K++;
      D1 ^= *K++;

      store_be(out + 16*i, D2, D1);
      }
   }

/*
* Camellia Decryption
*/
void decrypt(const uint8_t in[], uint8_t out[], size_t blocks,
             const secure_vector<uint64_t>& SK, const size_t rounds)
   {
   for(size_t i = 0; i < blocks; ++i)
      {
      uint64_t D1, D2;
      load_be(in + 16*i, D1, D2);

      const uint64_t* K = &SK[SK.size()-1];

      D2 ^= *K--;
      D1 ^= *K--;

      D2 ^= F(D1, *K--);
      D1 ^= F(D2, *K--);

      for(size_t r = 1; r != rounds - 1; ++r)
         {
         if(r % 3 == 0)
            {
            D1 = FL   (D1, *K--);
            D2 = FLINV(D2, *K--);
            }

         D2 ^= F(D1, *K--);
         D1 ^= F(D2, *K--);
         }

      D2 ^= F(D1, *K--);
      D1 ^= F(D2, *K--);

      D1 ^= *K--;
      D2 ^= *K;

      store_be(out + 16*i, D2, D1);
      }
   }

inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift)
   {
   if(shift >= 64)
      shift -= 64;
   return (h << shift) | (l >> (64-shift));
   }

inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift)
   {
   if(shift >= 64)
      shift -= 64;
   return (h >> (64-shift)) | (l << shift);
   }

/*
* Camellia Key Schedule
*/
void key_schedule(secure_vector<uint64_t>& SK, const uint8_t key[], size_t length)
   {
   const uint64_t Sigma1 = 0xA09E667F3BCC908B;
   const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
   const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
   const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
   const uint64_t Sigma5 = 0x10E527FADE682D1D;
   const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;

   const uint64_t KL_H = load_be<uint64_t>(key, 0);
   const uint64_t KL_L = load_be<uint64_t>(key, 1);

   const uint64_t KR_H = (length >= 24) ? load_be<uint64_t>(key, 2) : 0;
   const uint64_t KR_L =
      (length == 32) ? load_be<uint64_t>(key, 3) : ((length == 24) ? ~KR_H : 0);

   uint64_t D1 = KL_H ^ KR_H;
   uint64_t D2 = KL_L ^ KR_L;
   D2 ^= F(D1, Sigma1);
   D1 ^= F(D2, Sigma2);
   D1 ^= KL_H;
   D2 ^= KL_L;
   D2 ^= F(D1, Sigma3);
   D1 ^= F(D2, Sigma4);

   const uint64_t KA_H = D1;
   const uint64_t KA_L = D2;

   D1 = KA_H ^ KR_H;
   D2 = KA_L ^ KR_L;
   D2 ^= F(D1, Sigma5);
   D1 ^= F(D2, Sigma6);

   const uint64_t KB_H = D1;
   const uint64_t KB_L = D2;

   if(length == 16)
      {
      SK.resize(26);

      SK[ 0] = KL_H;
      SK[ 1] = KL_L;
      SK[ 2] = KA_H;
      SK[ 3] = KA_L;
      SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
      SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
      SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
      SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
      SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
      SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
      SK[10] = left_rot_hi(KL_H, KL_L, 45);
      SK[11] = left_rot_lo(KL_H, KL_L, 45);
      SK[12] = left_rot_hi(KA_H, KA_L,  45);
      SK[13] = left_rot_lo(KL_H, KL_L,  60);
      SK[14] = left_rot_hi(KA_H, KA_L,  60);
      SK[15] = left_rot_lo(KA_H, KA_L,  60);
      SK[16] = left_rot_lo(KL_H, KL_L,  77);
      SK[17] = left_rot_hi(KL_H, KL_L,  77);
      SK[18] = left_rot_lo(KL_H, KL_L,  94);
      SK[19] = left_rot_hi(KL_H, KL_L,  94);
      SK[20] = left_rot_lo(KA_H, KA_L,  94);
      SK[21] = left_rot_hi(KA_H, KA_L,  94);
      SK[22] = left_rot_lo(KL_H, KL_L, 111);
      SK[23] = left_rot_hi(KL_H, KL_L, 111);
      SK[24] = left_rot_lo(KA_H, KA_L, 111);
      SK[25] = left_rot_hi(KA_H, KA_L, 111);
      }
   else
      {
      SK.resize(34);

      SK[ 0] = KL_H;
      SK[ 1] = KL_L;
      SK[ 2] = KB_H;
      SK[ 3] = KB_L;

      SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
      SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
      SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
      SK[ 7] = left_rot_lo(KA_H, KA_L, 15);

      SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
      SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
      SK[10] = left_rot_hi(KB_H, KB_L, 30);
      SK[11] = left_rot_lo(KB_H, KB_L, 30);

      SK[12] = left_rot_hi(KL_H, KL_L, 45);
      SK[13] = left_rot_lo(KL_H, KL_L, 45);
      SK[14] = left_rot_hi(KA_H, KA_L, 45);
      SK[15] = left_rot_lo(KA_H, KA_L, 45);

      SK[16] = left_rot_hi(KL_H, KL_L, 60);
      SK[17] = left_rot_lo(KL_H, KL_L, 60);
      SK[18] = left_rot_hi(KR_H, KR_L, 60);
      SK[19] = left_rot_lo(KR_H, KR_L, 60);
      SK[20] = left_rot_hi(KB_H, KB_L, 60);
      SK[21] = left_rot_lo(KB_H, KB_L, 60);

      SK[22] = left_rot_lo(KL_H, KL_L,  77);
      SK[23] = left_rot_hi(KL_H, KL_L,  77);
      SK[24] = left_rot_lo(KA_H, KA_L,  77);
      SK[25] = left_rot_hi(KA_H, KA_L,  77);

      SK[26] = left_rot_lo(KR_H, KR_L,  94);
      SK[27] = left_rot_hi(KR_H, KR_L,  94);
      SK[28] = left_rot_lo(KA_H, KA_L,  94);
      SK[29] = left_rot_hi(KA_H, KA_L,  94);
      SK[30] = left_rot_lo(KL_H, KL_L, 111);
      SK[31] = left_rot_hi(KL_H, KL_L, 111);
      SK[32] = left_rot_lo(KB_H, KB_L, 111);
      SK[33] = left_rot_hi(KB_H, KB_L, 111);
      }
   }

}

}

void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 9);
   }

void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 9);
   }

void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_128::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_192::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_256::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_128::clear()
   {
   zap(m_SK);
   }

void Camellia_192::clear()
   {
   zap(m_SK);
   }

void Camellia_256::clear()
   {
   zap(m_SK);
   }

}

Coverage Report

Created: 2021-05-04 09:02

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Camellia
3		* (C) 2012,2020 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/camellia.h>
9		#include <botan/internal/loadstor.h>
10		#include <botan/internal/rotate.h>
11
12		namespace Botan {
13
14		namespace {
15
16		namespace Camellia_F {
17
18		alignas(256) static const uint8_t SBOX1[256] = {
19		0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
20		0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
21		0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
22		0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
23		0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
24		0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
25		0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
26		0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
27		0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
28		0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
29		0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
30		0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
31		0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
32		0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
33		0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
34		0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
35		0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
36		0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
37		0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
38		0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
39		0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
40		0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
41		0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
42		0xC7, 0x80, 0x9E };
43
44		// SBOX2[x] = rotl<1>(SBOX1[x])
45		alignas(256) static const uint8_t SBOX2[256] = {
46		0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE,
47		0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6, 0x27, 0x8A, 0x32,
48		0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D,
49		0x71, 0x5F, 0x1F, 0xF8, 0xD7, 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE,
50		0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA,
51		0x7A, 0xB3, 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A,
52		0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40, 0xE1,
53		0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A,
54		0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08, 0xAF, 0x28, 0xB0, 0x74,
55		0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30,
56		0xE5, 0x44, 0xFD, 0x88, 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48,
57		0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA,
58		0x43, 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8,
59		0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7, 0x15, 0x06,
60		0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B,
61		0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED, 0xE7, 0x3B, 0xFE, 0x7F, 0xC5,
62		0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE,
63		0x96, 0x26, 0x7D, 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC,
64		0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
65		0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84,
66		0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA, 0xF1, 0xDD, 0x59,
67		0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50,
68		0xA7, 0xF6, 0x77, 0x93, 0x86, 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE,
69		0x8F, 0x01, 0x3D };
70
71		// SBOX3[x] = rotl<7>(SBOX1[x])
72		alignas(256) static const uint8_t SBOX3[256] = {
73		0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB,
74		0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5, 0xC9, 0xA2, 0x8C,
75		0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43,
76		0x5C, 0xD7, 0xC7, 0x3E, 0xF5, 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF,
77		0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE,
78		0x9E, 0xEC, 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86,
79		0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10, 0x78,
80		0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82,
81		0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02, 0xEB, 0x0A, 0x2C, 0x1D,
82		0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C,
83		0x79, 0x11, 0x7F, 0x22, 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12,
84		0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE,
85		0xD0, 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32,
86		0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED, 0x45, 0x81,
87		0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6,
88		0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B, 0xF9, 0xCE, 0xBF, 0xDF, 0x71,
89		0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7,
90		0xA5, 0x89, 0x5F, 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37,
91		0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
92		0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21,
93		0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA, 0x7C, 0x77, 0x56,
94		0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14,
95		0xE9, 0xBD, 0xDD, 0xE4, 0xA1, 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB,
96		0xE3, 0x40, 0x4F };
97
98		// SBOX4[x] = SBOX1[rotl<1>(x)]
99		alignas(256) static const uint8_t SBOX4[256] = {
100		0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45,
101		0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C, 0x1F, 0x3E, 0xDC,
102		0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B,
103		0x9A, 0xFB, 0xB0, 0x74, 0x2B, 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76,
104		0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53,
105		0xF2, 0xFE, 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0,
106		0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75, 0x8A,
107		0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF,
108		0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13, 0x63, 0xE9, 0xA7, 0x9F,
109		0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB,
110		0x88, 0x8D, 0x72, 0xB9, 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40,
111		0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5,
112		0x85, 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65,
113		0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A, 0xE1, 0xCA,
114		0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12,
115		0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E, 0x05, 0xB7, 0x31, 0x17, 0xD7,
116		0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5,
117		0x91, 0x08, 0xA8, 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95,
118		0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
119		0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B,
120		0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E, 0xF5, 0xB6, 0xFD,
121		0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55,
122		0xEE, 0x0A, 0x49, 0x68, 0x38, 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3,
123		0xF4, 0xC7, 0x9E };
124
125		uint64_t F(uint64_t v, uint64_t K)
126	54.2k	{
127	54.2k	const uint64_t M1 = 0x0101010001000001;
128	54.2k	const uint64_t M2 = 0x0001010101010000;
129	54.2k	const uint64_t M3 = 0x0100010100010100;
130	54.2k	const uint64_t M4 = 0x0101000100000101;
131	54.2k	const uint64_t M5 = 0x0001010100010101;
132	54.2k	const uint64_t M6 = 0x0100010101000101;
133	54.2k	const uint64_t M7 = 0x0101000101010001;
134	54.2k	const uint64_t M8 = 0x0101010001010100;
135
136	54.2k	const uint64_t x = v ^ K;
137
138	54.2k	const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
139	54.2k	const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
140	54.2k	const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
141	54.2k	const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
142	54.2k	const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
143	54.2k	const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
144	54.2k	const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
145	54.2k	const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];
146
147	54.2k	return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
148	54.2k	}
149
150		inline uint64_t FL(uint64_t v, uint64_t K)
151	6.38k	{
152	6.38k	uint32_t x1 = static_cast<uint32_t>(v >> 32);
153	6.38k	uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
154
155	6.38k	const uint32_t k1 = static_cast<uint32_t>(K >> 32);
156	6.38k	const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
157
158	6.38k	x2 ^= rotl<1>(x1 & k1);
159	6.38k	x1 ^= (x2 \| k2);
160
161	6.38k	return ((static_cast<uint64_t>(x1) << 32) \| x2);
162	6.38k	}
163
164		inline uint64_t FLINV(uint64_t v, uint64_t K)
165	6.38k	{
166	6.38k	uint32_t x1 = static_cast<uint32_t>(v >> 32);
167	6.38k	uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
168
169	6.38k	const uint32_t k1 = static_cast<uint32_t>(K >> 32);
170	6.38k	const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
171
172	6.38k	x1 ^= (x2 \| k2);
173	6.38k	x2 ^= rotl<1>(x1 & k1);
174
175	6.38k	return ((static_cast<uint64_t>(x1) << 32) \| x2);
176	6.38k	}
177
178		/*
179		* Camellia Encryption
180		*/
181		void encrypt(const uint8_t in[], uint8_t out[], size_t blocks,
182		const secure_vector<uint64_t>& SK, const size_t rounds)
183	647	{
184	3.23k	for(size_t i = 0; i < blocks; ++i)
185	2.58k	{
186	2.58k	uint64_t D1, D2;
187	2.58k	load_be(in + 16*i, D1, D2);
188
189	2.58k	const uint64_t* K = SK.data();
190
191	2.58k	D1 ^= *K++;
192	2.58k	D2 ^= *K++;
193
194	2.58k	D2 ^= F(D1, *K++);
195	2.58k	D1 ^= F(D2, *K++);
196
197	24.3k	for(size_t r = 1; r != rounds - 1; ++r)
198	21.7k	{
199	21.7k	if(r % 3 == 0)
200	6.38k	{
201	6.38k	D1 = FL (D1, *K++);
202	6.38k	D2 = FLINV(D2, *K++);
203	6.38k	}
204
205	21.7k	D2 ^= F(D1, *K++);
206	21.7k	D1 ^= F(D2, *K++);
207	21.7k	}
208
209	2.58k	D2 ^= F(D1, *K++);
210	2.58k	D1 ^= F(D2, *K++);
211
212	2.58k	D2 ^= *K++;
213	2.58k	D1 ^= *K++;
214
215	2.58k	store_be(out + 16*i, D2, D1);
216	2.58k	}
217	647	}
218
219		/*
220		* Camellia Decryption
221		*/
222		void decrypt(const uint8_t in[], uint8_t out[], size_t blocks,
223		const secure_vector<uint64_t>& SK, const size_t rounds)
224	0	{
225	0	for(size_t i = 0; i < blocks; ++i)
226	0	{
227	0	uint64_t D1, D2;
228	0	load_be(in + 16*i, D1, D2);
229
230	0	const uint64_t* K = &SK[SK.size()-1];
231
232	0	D2 ^= *K--;
233	0	D1 ^= *K--;
234
235	0	D2 ^= F(D1, *K--);
236	0	D1 ^= F(D2, *K--);
237
238	0	for(size_t r = 1; r != rounds - 1; ++r)
239	0	{
240	0	if(r % 3 == 0)
241	0	{
242	0	D1 = FL (D1, *K--);
243	0	D2 = FLINV(D2, *K--);
244	0	}
245
246	0	D2 ^= F(D1, *K--);
247	0	D1 ^= F(D2, *K--);
248	0	}
249
250	0	D2 ^= F(D1, *K--);
251	0	D1 ^= F(D2, *K--);
252
253	0	D1 ^= *K--;
254	0	D2 ^= *K;
255
256	0	store_be(out + 16*i, D2, D1);
257	0	}
258	0	}
259
260		inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift)
261	894	{
262	894	if(shift >= 64)
263	381	shift -= 64;
264	894	return (h << shift) \| (l >> (64-shift));
265	894	}
266
267		inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift)
268	894	{
269	894	if(shift >= 64)
270	381	shift -= 64;
271	894	return (h >> (64-shift)) \| (l << shift);
272	894	}
273
274		/*
275		* Camellia Key Schedule
276		*/
277		void key_schedule(secure_vector<uint64_t>& SK, const uint8_t key[], size_t length)
278	70	{
279	70	const uint64_t Sigma1 = 0xA09E667F3BCC908B;
280	70	const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
281	70	const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
282	70	const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
283	70	const uint64_t Sigma5 = 0x10E527FADE682D1D;
284	70	const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;
285
286	70	const uint64_t KL_H = load_be<uint64_t>(key, 0);
287	70	const uint64_t KL_L = load_be<uint64_t>(key, 1);
288
289	39	const uint64_t KR_H = (length >= 24) ? load_be<uint64_t>(key, 2) : 0;
290	70	const uint64_t KR_L =
291	39	(length == 32) ? load_be<uint64_t>(key, 3) : ((length == 24) ? ~KR_H : 0);
292
293	70	uint64_t D1 = KL_H ^ KR_H;
294	70	uint64_t D2 = KL_L ^ KR_L;
295	70	D2 ^= F(D1, Sigma1);
296	70	D1 ^= F(D2, Sigma2);
297	70	D1 ^= KL_H;
298	70	D2 ^= KL_L;
299	70	D2 ^= F(D1, Sigma3);
300	70	D1 ^= F(D2, Sigma4);
301
302	70	const uint64_t KA_H = D1;
303	70	const uint64_t KA_L = D2;
304
305	70	D1 = KA_H ^ KR_H;
306	70	D2 = KA_L ^ KR_L;
307	70	D2 ^= F(D1, Sigma5);
308	70	D1 ^= F(D2, Sigma6);
309
310	70	const uint64_t KB_H = D1;
311	70	const uint64_t KB_L = D2;
312
313	70	if(length == 16)
314	39	{
315	39	SK.resize(26);
316
317	39	SK[ 0] = KL_H;
318	39	SK[ 1] = KL_L;
319	39	SK[ 2] = KA_H;
320	39	SK[ 3] = KA_L;
321	39	SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
322	39	SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
323	39	SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
324	39	SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
325	39	SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
326	39	SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
327	39	SK[10] = left_rot_hi(KL_H, KL_L, 45);
328	39	SK[11] = left_rot_lo(KL_H, KL_L, 45);
329	39	SK[12] = left_rot_hi(KA_H, KA_L, 45);
330	39	SK[13] = left_rot_lo(KL_H, KL_L, 60);
331	39	SK[14] = left_rot_hi(KA_H, KA_L, 60);
332	39	SK[15] = left_rot_lo(KA_H, KA_L, 60);
333	39	SK[16] = left_rot_lo(KL_H, KL_L, 77);
334	39	SK[17] = left_rot_hi(KL_H, KL_L, 77);
335	39	SK[18] = left_rot_lo(KL_H, KL_L, 94);
336	39	SK[19] = left_rot_hi(KL_H, KL_L, 94);
337	39	SK[20] = left_rot_lo(KA_H, KA_L, 94);
338	39	SK[21] = left_rot_hi(KA_H, KA_L, 94);
339	39	SK[22] = left_rot_lo(KL_H, KL_L, 111);
340	39	SK[23] = left_rot_hi(KL_H, KL_L, 111);
341	39	SK[24] = left_rot_lo(KA_H, KA_L, 111);
342	39	SK[25] = left_rot_hi(KA_H, KA_L, 111);
343	39	}
344	31	else
345	31	{
346	31	SK.resize(34);
347
348	31	SK[ 0] = KL_H;
349	31	SK[ 1] = KL_L;
350	31	SK[ 2] = KB_H;
351	31	SK[ 3] = KB_L;
352
353	31	SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
354	31	SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
355	31	SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
356	31	SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
357
358	31	SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
359	31	SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
360	31	SK[10] = left_rot_hi(KB_H, KB_L, 30);
361	31	SK[11] = left_rot_lo(KB_H, KB_L, 30);
362
363	31	SK[12] = left_rot_hi(KL_H, KL_L, 45);
364	31	SK[13] = left_rot_lo(KL_H, KL_L, 45);
365	31	SK[14] = left_rot_hi(KA_H, KA_L, 45);
366	31	SK[15] = left_rot_lo(KA_H, KA_L, 45);
367
368	31	SK[16] = left_rot_hi(KL_H, KL_L, 60);
369	31	SK[17] = left_rot_lo(KL_H, KL_L, 60);
370	31	SK[18] = left_rot_hi(KR_H, KR_L, 60);
371	31	SK[19] = left_rot_lo(KR_H, KR_L, 60);
372	31	SK[20] = left_rot_hi(KB_H, KB_L, 60);
373	31	SK[21] = left_rot_lo(KB_H, KB_L, 60);
374
375	31	SK[22] = left_rot_lo(KL_H, KL_L, 77);
376	31	SK[23] = left_rot_hi(KL_H, KL_L, 77);
377	31	SK[24] = left_rot_lo(KA_H, KA_L, 77);
378	31	SK[25] = left_rot_hi(KA_H, KA_L, 77);
379
380	31	SK[26] = left_rot_lo(KR_H, KR_L, 94);
381	31	SK[27] = left_rot_hi(KR_H, KR_L, 94);
382	31	SK[28] = left_rot_lo(KA_H, KA_L, 94);
383	31	SK[29] = left_rot_hi(KA_H, KA_L, 94);
384	31	SK[30] = left_rot_lo(KL_H, KL_L, 111);
385	31	SK[31] = left_rot_hi(KL_H, KL_L, 111);
386	31	SK[32] = left_rot_lo(KB_H, KB_L, 111);
387	31	SK[33] = left_rot_hi(KB_H, KB_L, 111);
388	31	}
389	70	}
390
391		}
392
393		}
394
395		void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
396	344	{
397	344	verify_key_set(m_SK.empty() == false);
398	344	Camellia_F::encrypt(in, out, blocks, m_SK, 9);
399	344	}
400
401		void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
402	0	{
403	0	verify_key_set(m_SK.empty() == false);
404	0	Camellia_F::encrypt(in, out, blocks, m_SK, 12);
405	0	}
406
407		void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
408	303	{
409	303	verify_key_set(m_SK.empty() == false);
410	303	Camellia_F::encrypt(in, out, blocks, m_SK, 12);
411	303	}
412
413		void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
414	0	{
415	0	verify_key_set(m_SK.empty() == false);
416	0	Camellia_F::decrypt(in, out, blocks, m_SK, 9);
417	0	}
418
419		void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
420	0	{
421	0	verify_key_set(m_SK.empty() == false);
422	0	Camellia_F::decrypt(in, out, blocks, m_SK, 12);
423	0	}
424
425		void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
426	0	{
427	0	verify_key_set(m_SK.empty() == false);
428	0	Camellia_F::decrypt(in, out, blocks, m_SK, 12);
429	0	}
430
431		void Camellia_128::key_schedule(const uint8_t key[], size_t length)
432	39	{
433	39	Camellia_F::key_schedule(m_SK, key, length);
434	39	}
435
436		void Camellia_192::key_schedule(const uint8_t key[], size_t length)
437	0	{
438	0	Camellia_F::key_schedule(m_SK, key, length);
439	0	}
440
441		void Camellia_256::key_schedule(const uint8_t key[], size_t length)
442	31	{
443	31	Camellia_F::key_schedule(m_SK, key, length);
444	31	}
445
446		void Camellia_128::clear()
447	0	{
448	0	zap(m_SK);
449	0	}
450
451		void Camellia_192::clear()
452	0	{
453	0	zap(m_SK);
454	0	}
455
456		void Camellia_256::clear()
457	0	{
458	0	zap(m_SK);
459	0	}
460
461		}