/src/botan/src/lib/block/camellia/camellia.cpp

Source (jump to first uncovered line)
/*
* Camellia
* (C) 2012,2020 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/camellia.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/rotate.h>

namespace Botan {

namespace {

namespace Camellia_F {

alignas(256) static const uint8_t SBOX1[256] = {
   0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
   0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
   0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
   0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
   0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
   0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
   0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
   0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
   0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
   0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
   0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
   0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
   0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
   0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
   0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
   0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
   0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
   0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
   0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
   0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
   0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
   0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
   0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
   0xC7, 0x80, 0x9E };

// SBOX2[x] = rotl<1>(SBOX1[x])
alignas(256) static const uint8_t SBOX2[256] = {
   0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE,
   0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6, 0x27, 0x8A, 0x32,
   0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D,
   0x71, 0x5F, 0x1F, 0xF8, 0xD7, 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE,
   0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA,
   0x7A, 0xB3, 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A,
   0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40, 0xE1,
   0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A,
   0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08, 0xAF, 0x28, 0xB0, 0x74,
   0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30,
   0xE5, 0x44, 0xFD, 0x88, 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48,
   0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA,
   0x43, 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8,
   0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7, 0x15, 0x06,
   0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B,
   0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED, 0xE7, 0x3B, 0xFE, 0x7F, 0xC5,
   0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE,
   0x96, 0x26, 0x7D, 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC,
   0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
   0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84,
   0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA, 0xF1, 0xDD, 0x59,
   0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50,
   0xA7, 0xF6, 0x77, 0x93, 0x86, 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE,
   0x8F, 0x01, 0x3D };

// SBOX3[x] = rotl<7>(SBOX1[x])
alignas(256) static const uint8_t SBOX3[256] = {
   0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB,
   0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5, 0xC9, 0xA2, 0x8C,
   0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43,
   0x5C, 0xD7, 0xC7, 0x3E, 0xF5, 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF,
   0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE,
   0x9E, 0xEC, 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86,
   0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10, 0x78,
   0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82,
   0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02, 0xEB, 0x0A, 0x2C, 0x1D,
   0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C,
   0x79, 0x11, 0x7F, 0x22, 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12,
   0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE,
   0xD0, 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32,
   0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED, 0x45, 0x81,
   0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6,
   0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B, 0xF9, 0xCE, 0xBF, 0xDF, 0x71,
   0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7,
   0xA5, 0x89, 0x5F, 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37,
   0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
   0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21,
   0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA, 0x7C, 0x77, 0x56,
   0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14,
   0xE9, 0xBD, 0xDD, 0xE4, 0xA1, 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB,
   0xE3, 0x40, 0x4F };

// SBOX4[x] = SBOX1[rotl<1>(x)]
alignas(256) static const uint8_t SBOX4[256] = {
   0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45,
   0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C, 0x1F, 0x3E, 0xDC,
   0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B,
   0x9A, 0xFB, 0xB0, 0x74, 0x2B, 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76,
   0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53,
   0xF2, 0xFE, 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0,
   0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75, 0x8A,
   0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF,
   0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13, 0x63, 0xE9, 0xA7, 0x9F,
   0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB,
   0x88, 0x8D, 0x72, 0xB9, 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40,
   0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5,
   0x85, 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65,
   0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A, 0xE1, 0xCA,
   0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12,
   0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E, 0x05, 0xB7, 0x31, 0x17, 0xD7,
   0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5,
   0x91, 0x08, 0xA8, 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95,
   0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
   0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B,
   0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E, 0xF5, 0xB6, 0xFD,
   0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55,
   0xEE, 0x0A, 0x49, 0x68, 0x38, 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3,
   0xF4, 0xC7, 0x9E };

uint64_t F(uint64_t v, uint64_t K)
   {
   const uint64_t M1 = 0x0101010001000001;
   const uint64_t M2 = 0x0001010101010000;
   const uint64_t M3 = 0x0100010100010100;
   const uint64_t M4 = 0x0101000100000101;
   const uint64_t M5 = 0x0001010100010101;
   const uint64_t M6 = 0x0100010101000101;
   const uint64_t M7 = 0x0101000101010001;
   const uint64_t M8 = 0x0101010001010100;

   const uint64_t x = v ^ K;

   const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
   const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
   const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
   const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
   const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
   const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
   const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
   const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];

   return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
   }

inline uint64_t FL(uint64_t v, uint64_t K)
   {
   uint32_t x1 = static_cast<uint32_t>(v >> 32);
   uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);

   const uint32_t k1 = static_cast<uint32_t>(K >> 32);
   const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);

   x2 ^= rotl<1>(x1 & k1);
   x1 ^= (x2 | k2);

   return ((static_cast<uint64_t>(x1) << 32) | x2);
   }

inline uint64_t FLINV(uint64_t v, uint64_t K)
   {
   uint32_t x1 = static_cast<uint32_t>(v >> 32);
   uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);

   const uint32_t k1 = static_cast<uint32_t>(K >> 32);
   const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);

   x1 ^= (x2 | k2);
   x2 ^= rotl<1>(x1 & k1);

   return ((static_cast<uint64_t>(x1) << 32) | x2);
   }

/*
* Camellia Encryption
*/
void encrypt(const uint8_t in[], uint8_t out[], size_t blocks,
             const secure_vector<uint64_t>& SK, const size_t rounds)
   {
   for(size_t i = 0; i < blocks; ++i)
      {
      uint64_t D1, D2;
      load_be(in + 16*i, D1, D2);

      const uint64_t* K = SK.data();

      D1 ^= *K++;
      D2 ^= *K++;

      D2 ^= F(D1, *K++);
      D1 ^= F(D2, *K++);

      for(size_t r = 1; r != rounds - 1; ++r)
         {
         if(r % 3 == 0)
            {
            D1 = FL   (D1, *K++);
            D2 = FLINV(D2, *K++);
            }

         D2 ^= F(D1, *K++);
         D1 ^= F(D2, *K++);
         }

      D2 ^= F(D1, *K++);
      D1 ^= F(D2, *K++);

      D2 ^= *K++;
      D1 ^= *K++;

      store_be(out + 16*i, D2, D1);
      }
   }

/*
* Camellia Decryption
*/
void decrypt(const uint8_t in[], uint8_t out[], size_t blocks,
             const secure_vector<uint64_t>& SK, const size_t rounds)
   {
   for(size_t i = 0; i < blocks; ++i)
      {
      uint64_t D1, D2;
      load_be(in + 16*i, D1, D2);

      const uint64_t* K = &SK[SK.size()-1];

      D2 ^= *K--;
      D1 ^= *K--;

      D2 ^= F(D1, *K--);
      D1 ^= F(D2, *K--);

      for(size_t r = 1; r != rounds - 1; ++r)
         {
         if(r % 3 == 0)
            {
            D1 = FL   (D1, *K--);
            D2 = FLINV(D2, *K--);
            }

         D2 ^= F(D1, *K--);
         D1 ^= F(D2, *K--);
         }

      D2 ^= F(D1, *K--);
      D1 ^= F(D2, *K--);

      D1 ^= *K--;
      D2 ^= *K;

      store_be(out + 16*i, D2, D1);
      }
   }

inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift)
   {
   if(shift >= 64)
      shift -= 64;
   return (h << shift) | (l >> (64-shift));
   }

inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift)
   {
   if(shift >= 64)
      shift -= 64;
   return (h >> (64-shift)) | (l << shift);
   }

/*
* Camellia Key Schedule
*/
void key_schedule(secure_vector<uint64_t>& SK, const uint8_t key[], size_t length)
   {
   const uint64_t Sigma1 = 0xA09E667F3BCC908B;
   const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
   const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
   const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
   const uint64_t Sigma5 = 0x10E527FADE682D1D;
   const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;

   const uint64_t KL_H = load_be<uint64_t>(key, 0);
   const uint64_t KL_L = load_be<uint64_t>(key, 1);

   const uint64_t KR_H = (length >= 24) ? load_be<uint64_t>(key, 2) : 0;
   const uint64_t KR_L =
      (length == 32) ? load_be<uint64_t>(key, 3) : ((length == 24) ? ~KR_H : 0);

   uint64_t D1 = KL_H ^ KR_H;
   uint64_t D2 = KL_L ^ KR_L;
   D2 ^= F(D1, Sigma1);
   D1 ^= F(D2, Sigma2);
   D1 ^= KL_H;
   D2 ^= KL_L;
   D2 ^= F(D1, Sigma3);
   D1 ^= F(D2, Sigma4);

   const uint64_t KA_H = D1;
   const uint64_t KA_L = D2;

   D1 = KA_H ^ KR_H;
   D2 = KA_L ^ KR_L;
   D2 ^= F(D1, Sigma5);
   D1 ^= F(D2, Sigma6);

   const uint64_t KB_H = D1;
   const uint64_t KB_L = D2;

   if(length == 16)
      {
      SK.resize(26);

      SK[ 0] = KL_H;
      SK[ 1] = KL_L;
      SK[ 2] = KA_H;
      SK[ 3] = KA_L;
      SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
      SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
      SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
      SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
      SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
      SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
      SK[10] = left_rot_hi(KL_H, KL_L, 45);
      SK[11] = left_rot_lo(KL_H, KL_L, 45);
      SK[12] = left_rot_hi(KA_H, KA_L,  45);
      SK[13] = left_rot_lo(KL_H, KL_L,  60);
      SK[14] = left_rot_hi(KA_H, KA_L,  60);
      SK[15] = left_rot_lo(KA_H, KA_L,  60);
      SK[16] = left_rot_lo(KL_H, KL_L,  77);
      SK[17] = left_rot_hi(KL_H, KL_L,  77);
      SK[18] = left_rot_lo(KL_H, KL_L,  94);
      SK[19] = left_rot_hi(KL_H, KL_L,  94);
      SK[20] = left_rot_lo(KA_H, KA_L,  94);
      SK[21] = left_rot_hi(KA_H, KA_L,  94);
      SK[22] = left_rot_lo(KL_H, KL_L, 111);
      SK[23] = left_rot_hi(KL_H, KL_L, 111);
      SK[24] = left_rot_lo(KA_H, KA_L, 111);
      SK[25] = left_rot_hi(KA_H, KA_L, 111);
      }
   else
      {
      SK.resize(34);

      SK[ 0] = KL_H;
      SK[ 1] = KL_L;
      SK[ 2] = KB_H;
      SK[ 3] = KB_L;

      SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
      SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
      SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
      SK[ 7] = left_rot_lo(KA_H, KA_L, 15);

      SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
      SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
      SK[10] = left_rot_hi(KB_H, KB_L, 30);
      SK[11] = left_rot_lo(KB_H, KB_L, 30);

      SK[12] = left_rot_hi(KL_H, KL_L, 45);
      SK[13] = left_rot_lo(KL_H, KL_L, 45);
      SK[14] = left_rot_hi(KA_H, KA_L, 45);
      SK[15] = left_rot_lo(KA_H, KA_L, 45);

      SK[16] = left_rot_hi(KL_H, KL_L, 60);
      SK[17] = left_rot_lo(KL_H, KL_L, 60);
      SK[18] = left_rot_hi(KR_H, KR_L, 60);
      SK[19] = left_rot_lo(KR_H, KR_L, 60);
      SK[20] = left_rot_hi(KB_H, KB_L, 60);
      SK[21] = left_rot_lo(KB_H, KB_L, 60);

      SK[22] = left_rot_lo(KL_H, KL_L,  77);
      SK[23] = left_rot_hi(KL_H, KL_L,  77);
      SK[24] = left_rot_lo(KA_H, KA_L,  77);
      SK[25] = left_rot_hi(KA_H, KA_L,  77);

      SK[26] = left_rot_lo(KR_H, KR_L,  94);
      SK[27] = left_rot_hi(KR_H, KR_L,  94);
      SK[28] = left_rot_lo(KA_H, KA_L,  94);
      SK[29] = left_rot_hi(KA_H, KA_L,  94);
      SK[30] = left_rot_lo(KL_H, KL_L, 111);
      SK[31] = left_rot_hi(KL_H, KL_L, 111);
      SK[32] = left_rot_lo(KB_H, KB_L, 111);
      SK[33] = left_rot_hi(KB_H, KB_L, 111);
      }
   }

}

}

void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 9);
   }

void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 9);
   }

void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_128::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_192::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_256::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_128::clear()
   {
   zap(m_SK);
   }

void Camellia_192::clear()
   {
   zap(m_SK);
   }

void Camellia_256::clear()
   {
   zap(m_SK);
   }

}

Coverage Report

Created: 2021-10-13 08:49

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Camellia
3		* (C) 2012,2020 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/camellia.h>
9		#include <botan/internal/loadstor.h>
10		#include <botan/internal/rotate.h>
11
12		namespace Botan {
13
14		namespace {
15
16		namespace Camellia_F {
17
18		alignas(256) static const uint8_t SBOX1[256] = {
19		0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
20		0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
21		0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
22		0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
23		0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
24		0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
25		0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
26		0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
27		0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
28		0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
29		0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
30		0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
31		0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
32		0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
33		0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
34		0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
35		0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
36		0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
37		0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
38		0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
39		0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
40		0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
41		0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
42		0xC7, 0x80, 0x9E };
43
44		// SBOX2[x] = rotl<1>(SBOX1[x])
45		alignas(256) static const uint8_t SBOX2[256] = {
46		0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE,
47		0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6, 0x27, 0x8A, 0x32,
48		0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D,
49		0x71, 0x5F, 0x1F, 0xF8, 0xD7, 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE,
50		0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA,
51		0x7A, 0xB3, 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A,
52		0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40, 0xE1,
53		0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A,
54		0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08, 0xAF, 0x28, 0xB0, 0x74,
55		0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30,
56		0xE5, 0x44, 0xFD, 0x88, 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48,
57		0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA,
58		0x43, 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8,
59		0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7, 0x15, 0x06,
60		0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B,
61		0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED, 0xE7, 0x3B, 0xFE, 0x7F, 0xC5,
62		0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE,
63		0x96, 0x26, 0x7D, 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC,
64		0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
65		0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84,
66		0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA, 0xF1, 0xDD, 0x59,
67		0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50,
68		0xA7, 0xF6, 0x77, 0x93, 0x86, 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE,
69		0x8F, 0x01, 0x3D };
70
71		// SBOX3[x] = rotl<7>(SBOX1[x])
72		alignas(256) static const uint8_t SBOX3[256] = {
73		0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB,
74		0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5, 0xC9, 0xA2, 0x8C,
75		0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43,
76		0x5C, 0xD7, 0xC7, 0x3E, 0xF5, 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF,
77		0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE,
78		0x9E, 0xEC, 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86,
79		0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10, 0x78,
80		0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82,
81		0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02, 0xEB, 0x0A, 0x2C, 0x1D,
82		0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C,
83		0x79, 0x11, 0x7F, 0x22, 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12,
84		0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE,
85		0xD0, 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32,
86		0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED, 0x45, 0x81,
87		0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6,
88		0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B, 0xF9, 0xCE, 0xBF, 0xDF, 0x71,
89		0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7,
90		0xA5, 0x89, 0x5F, 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37,
91		0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
92		0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21,
93		0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA, 0x7C, 0x77, 0x56,
94		0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14,
95		0xE9, 0xBD, 0xDD, 0xE4, 0xA1, 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB,
96		0xE3, 0x40, 0x4F };
97
98		// SBOX4[x] = SBOX1[rotl<1>(x)]
99		alignas(256) static const uint8_t SBOX4[256] = {
100		0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45,
101		0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C, 0x1F, 0x3E, 0xDC,
102		0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B,
103		0x9A, 0xFB, 0xB0, 0x74, 0x2B, 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76,
104		0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53,
105		0xF2, 0xFE, 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0,
106		0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75, 0x8A,
107		0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF,
108		0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13, 0x63, 0xE9, 0xA7, 0x9F,
109		0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB,
110		0x88, 0x8D, 0x72, 0xB9, 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40,
111		0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5,
112		0x85, 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65,
113		0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A, 0xE1, 0xCA,
114		0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12,
115		0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E, 0x05, 0xB7, 0x31, 0x17, 0xD7,
116		0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5,
117		0x91, 0x08, 0xA8, 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95,
118		0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
119		0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B,
120		0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E, 0xF5, 0xB6, 0xFD,
121		0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55,
122		0xEE, 0x0A, 0x49, 0x68, 0x38, 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3,
123		0xF4, 0xC7, 0x9E };
124
125		uint64_t F(uint64_t v, uint64_t K)
126	40.9k	{
127	40.9k	const uint64_t M1 = 0x0101010001000001;
128	40.9k	const uint64_t M2 = 0x0001010101010000;
129	40.9k	const uint64_t M3 = 0x0100010100010100;
130	40.9k	const uint64_t M4 = 0x0101000100000101;
131	40.9k	const uint64_t M5 = 0x0001010100010101;
132	40.9k	const uint64_t M6 = 0x0100010101000101;
133	40.9k	const uint64_t M7 = 0x0101000101010001;
134	40.9k	const uint64_t M8 = 0x0101010001010100;
135
136	40.9k	const uint64_t x = v ^ K;
137
138	40.9k	const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
139	40.9k	const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
140	40.9k	const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
141	40.9k	const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
142	40.9k	const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
143	40.9k	const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
144	40.9k	const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
145	40.9k	const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];
146
147	40.9k	return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
148	40.9k	}
149
150		inline uint64_t FL(uint64_t v, uint64_t K)
151	4.86k	{
152	4.86k	uint32_t x1 = static_cast<uint32_t>(v >> 32);
153	4.86k	uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
154
155	4.86k	const uint32_t k1 = static_cast<uint32_t>(K >> 32);
156	4.86k	const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
157
158	4.86k	x2 ^= rotl<1>(x1 & k1);
159	4.86k	x1 ^= (x2 \| k2);
160
161	4.86k	return ((static_cast<uint64_t>(x1) << 32) \| x2);
162	4.86k	}
163
164		inline uint64_t FLINV(uint64_t v, uint64_t K)
165	4.86k	{
166	4.86k	uint32_t x1 = static_cast<uint32_t>(v >> 32);
167	4.86k	uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
168
169	4.86k	const uint32_t k1 = static_cast<uint32_t>(K >> 32);
170	4.86k	const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
171
172	4.86k	x1 ^= (x2 \| k2);
173	4.86k	x2 ^= rotl<1>(x1 & k1);
174
175	4.86k	return ((static_cast<uint64_t>(x1) << 32) \| x2);
176	4.86k	}
177
178		/*
179		* Camellia Encryption
180		*/
181		void encrypt(const uint8_t in[], uint8_t out[], size_t blocks,
182		const secure_vector<uint64_t>& SK, const size_t rounds)
183	482	{
184	2.41k	for(size_t i = 0; i < blocks; ++i)
185	1.92k	{
186	1.92k	uint64_t D1, D2;
187	1.92k	load_be(in + 16*i, D1, D2);
188
189	1.92k	const uint64_t* K = SK.data();
190
191	1.92k	D1 ^= *K++;
192	1.92k	D2 ^= *K++;
193
194	1.92k	D2 ^= F(D1, *K++);
195	1.92k	D1 ^= F(D2, *K++);
196
197	18.4k	for(size_t r = 1; r != rounds - 1; ++r)
198	16.5k	{
199	16.5k	if(r % 3 == 0)
200	4.86k	{
201	4.86k	D1 = FL (D1, *K++);
202	4.86k	D2 = FLINV(D2, *K++);
203	4.86k	}
204
205	16.5k	D2 ^= F(D1, *K++);
206	16.5k	D1 ^= F(D2, *K++);
207	16.5k	}
208
209	1.92k	D2 ^= F(D1, *K++);
210	1.92k	D1 ^= F(D2, *K++);
211
212	1.92k	D2 ^= *K++;
213	1.92k	D1 ^= *K++;
214
215	1.92k	store_be(out + 16*i, D2, D1);
216	1.92k	}
217	482	}
218
219		/*
220		* Camellia Decryption
221		*/
222		void decrypt(const uint8_t in[], uint8_t out[], size_t blocks,
223		const secure_vector<uint64_t>& SK, const size_t rounds)
224	0	{
225	0	for(size_t i = 0; i < blocks; ++i)
226	0	{
227	0	uint64_t D1, D2;
228	0	load_be(in + 16*i, D1, D2);
229
230	0	const uint64_t* K = &SK[SK.size()-1];
231
232	0	D2 ^= *K--;
233	0	D1 ^= *K--;
234
235	0	D2 ^= F(D1, *K--);
236	0	D1 ^= F(D2, *K--);
237
238	0	for(size_t r = 1; r != rounds - 1; ++r)
239	0	{
240	0	if(r % 3 == 0)
241	0	{
242	0	D1 = FL (D1, *K--);
243	0	D2 = FLINV(D2, *K--);
244	0	}
245
246	0	D2 ^= F(D1, *K--);
247	0	D1 ^= F(D2, *K--);
248	0	}
249
250	0	D2 ^= F(D1, *K--);
251	0	D1 ^= F(D2, *K--);
252
253	0	D1 ^= *K--;
254	0	D2 ^= *K;
255
256	0	store_be(out + 16*i, D2, D1);
257	0	}
258	0	}
259
260		inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift)
261	527	{
262	527	if(shift >= 64)
263	224	shift -= 64;
264	527	return (h << shift) \| (l >> (64-shift));
265	527	}
266
267		inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift)
268	527	{
269	527	if(shift >= 64)
270	224	shift -= 64;
271	527	return (h >> (64-shift)) \| (l << shift);
272	527	}
273
274		/*
275		* Camellia Key Schedule
276		*/
277		void key_schedule(secure_vector<uint64_t>& SK, const uint8_t key[], size_t length)
278	41	{
279	41	const uint64_t Sigma1 = 0xA09E667F3BCC908B;
280	41	const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
281	41	const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
282	41	const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
283	41	const uint64_t Sigma5 = 0x10E527FADE682D1D;
284	41	const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;
285
286	41	const uint64_t KL_H = load_be<uint64_t>(key, 0);
287	41	const uint64_t KL_L = load_be<uint64_t>(key, 1);
288
289	41	const uint64_t KR_H = (length >= 24) ? load_be<uint64_t>(key, 2) : 0;
290	41	const uint64_t KR_L =
291	41	(length == 32) ? load_be<uint64_t>(key, 3) : ((length == 24) ? ~KR_H : 0);
292
293	41	uint64_t D1 = KL_H ^ KR_H;
294	41	uint64_t D2 = KL_L ^ KR_L;
295	41	D2 ^= F(D1, Sigma1);
296	41	D1 ^= F(D2, Sigma2);
297	41	D1 ^= KL_H;
298	41	D2 ^= KL_L;
299	41	D2 ^= F(D1, Sigma3);
300	41	D1 ^= F(D2, Sigma4);
301
302	41	const uint64_t KA_H = D1;
303	41	const uint64_t KA_L = D2;
304
305	41	D1 = KA_H ^ KR_H;
306	41	D2 = KA_L ^ KR_L;
307	41	D2 ^= F(D1, Sigma5);
308	41	D1 ^= F(D2, Sigma6);
309
310	41	const uint64_t KB_H = D1;
311	41	const uint64_t KB_L = D2;
312
313	41	if(length == 16)
314	22	{
315	22	SK.resize(26);
316
317	22	SK[ 0] = KL_H;
318	22	SK[ 1] = KL_L;
319	22	SK[ 2] = KA_H;
320	22	SK[ 3] = KA_L;
321	22	SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
322	22	SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
323	22	SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
324	22	SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
325	22	SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
326	22	SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
327	22	SK[10] = left_rot_hi(KL_H, KL_L, 45);
328	22	SK[11] = left_rot_lo(KL_H, KL_L, 45);
329	22	SK[12] = left_rot_hi(KA_H, KA_L, 45);
330	22	SK[13] = left_rot_lo(KL_H, KL_L, 60);
331	22	SK[14] = left_rot_hi(KA_H, KA_L, 60);
332	22	SK[15] = left_rot_lo(KA_H, KA_L, 60);
333	22	SK[16] = left_rot_lo(KL_H, KL_L, 77);
334	22	SK[17] = left_rot_hi(KL_H, KL_L, 77);
335	22	SK[18] = left_rot_lo(KL_H, KL_L, 94);
336	22	SK[19] = left_rot_hi(KL_H, KL_L, 94);
337	22	SK[20] = left_rot_lo(KA_H, KA_L, 94);
338	22	SK[21] = left_rot_hi(KA_H, KA_L, 94);
339	22	SK[22] = left_rot_lo(KL_H, KL_L, 111);
340	22	SK[23] = left_rot_hi(KL_H, KL_L, 111);
341	22	SK[24] = left_rot_lo(KA_H, KA_L, 111);
342	22	SK[25] = left_rot_hi(KA_H, KA_L, 111);
343	22	}
344	19	else
345	19	{
346	19	SK.resize(34);
347
348	19	SK[ 0] = KL_H;
349	19	SK[ 1] = KL_L;
350	19	SK[ 2] = KB_H;
351	19	SK[ 3] = KB_L;
352
353	19	SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
354	19	SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
355	19	SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
356	19	SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
357
358	19	SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
359	19	SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
360	19	SK[10] = left_rot_hi(KB_H, KB_L, 30);
361	19	SK[11] = left_rot_lo(KB_H, KB_L, 30);
362
363	19	SK[12] = left_rot_hi(KL_H, KL_L, 45);
364	19	SK[13] = left_rot_lo(KL_H, KL_L, 45);
365	19	SK[14] = left_rot_hi(KA_H, KA_L, 45);
366	19	SK[15] = left_rot_lo(KA_H, KA_L, 45);
367
368	19	SK[16] = left_rot_hi(KL_H, KL_L, 60);
369	19	SK[17] = left_rot_lo(KL_H, KL_L, 60);
370	19	SK[18] = left_rot_hi(KR_H, KR_L, 60);
371	19	SK[19] = left_rot_lo(KR_H, KR_L, 60);
372	19	SK[20] = left_rot_hi(KB_H, KB_L, 60);
373	19	SK[21] = left_rot_lo(KB_H, KB_L, 60);
374
375	19	SK[22] = left_rot_lo(KL_H, KL_L, 77);
376	19	SK[23] = left_rot_hi(KL_H, KL_L, 77);
377	19	SK[24] = left_rot_lo(KA_H, KA_L, 77);
378	19	SK[25] = left_rot_hi(KA_H, KA_L, 77);
379
380	19	SK[26] = left_rot_lo(KR_H, KR_L, 94);
381	19	SK[27] = left_rot_hi(KR_H, KR_L, 94);
382	19	SK[28] = left_rot_lo(KA_H, KA_L, 94);
383	19	SK[29] = left_rot_hi(KA_H, KA_L, 94);
384	19	SK[30] = left_rot_lo(KL_H, KL_L, 111);
385	19	SK[31] = left_rot_hi(KL_H, KL_L, 111);
386	19	SK[32] = left_rot_lo(KB_H, KB_L, 111);
387	19	SK[33] = left_rot_hi(KB_H, KB_L, 111);
388	19	}
389	41	}
390
391		}
392
393		}
394
395		void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
396	230	{
397	230	verify_key_set(m_SK.empty() == false);
398	230	Camellia_F::encrypt(in, out, blocks, m_SK, 9);
399	230	}
400
401		void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
402	0	{
403	0	verify_key_set(m_SK.empty() == false);
404	0	Camellia_F::encrypt(in, out, blocks, m_SK, 12);
405	0	}
406
407		void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
408	252	{
409	252	verify_key_set(m_SK.empty() == false);
410	252	Camellia_F::encrypt(in, out, blocks, m_SK, 12);
411	252	}
412
413		void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
414	0	{
415	0	verify_key_set(m_SK.empty() == false);
416	0	Camellia_F::decrypt(in, out, blocks, m_SK, 9);
417	0	}
418
419		void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
420	0	{
421	0	verify_key_set(m_SK.empty() == false);
422	0	Camellia_F::decrypt(in, out, blocks, m_SK, 12);
423	0	}
424
425		void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
426	0	{
427	0	verify_key_set(m_SK.empty() == false);
428	0	Camellia_F::decrypt(in, out, blocks, m_SK, 12);
429	0	}
430
431		void Camellia_128::key_schedule(const uint8_t key[], size_t length)
432	22	{
433	22	Camellia_F::key_schedule(m_SK, key, length);
434	22	}
435
436		void Camellia_192::key_schedule(const uint8_t key[], size_t length)
437	0	{
438	0	Camellia_F::key_schedule(m_SK, key, length);
439	0	}
440
441		void Camellia_256::key_schedule(const uint8_t key[], size_t length)
442	19	{
443	19	Camellia_F::key_schedule(m_SK, key, length);
444	19	}
445
446		void Camellia_128::clear()
447	0	{
448	0	zap(m_SK);
449	0	}
450
451		void Camellia_192::clear()
452	0	{
453	0	zap(m_SK);
454	0	}
455
456		void Camellia_256::clear()
457	0	{
458	0	zap(m_SK);
459	0	}
460
461		}