/src/botan/src/lib/block/camellia/camellia.cpp

Source (jump to first uncovered line)
/*
* Camellia
* (C) 2012,2020 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/camellia.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/rotate.h>

namespace Botan {

namespace {

namespace Camellia_F {

alignas(256) static const uint8_t SBOX1[256] = {
   0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
   0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
   0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
   0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
   0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
   0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
   0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
   0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
   0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
   0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
   0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
   0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
   0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
   0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
   0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
   0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
   0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
   0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
   0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
   0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
   0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
   0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
   0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
   0xC7, 0x80, 0x9E };

// SBOX2[x] = rotl<1>(SBOX1[x])
alignas(256) static const uint8_t SBOX2[256] = {
   0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE,
   0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6, 0x27, 0x8A, 0x32,
   0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D,
   0x71, 0x5F, 0x1F, 0xF8, 0xD7, 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE,
   0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA,
   0x7A, 0xB3, 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A,
   0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40, 0xE1,
   0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A,
   0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08, 0xAF, 0x28, 0xB0, 0x74,
   0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30,
   0xE5, 0x44, 0xFD, 0x88, 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48,
   0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA,
   0x43, 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8,
   0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7, 0x15, 0x06,
   0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B,
   0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED, 0xE7, 0x3B, 0xFE, 0x7F, 0xC5,
   0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE,
   0x96, 0x26, 0x7D, 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC,
   0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
   0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84,
   0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA, 0xF1, 0xDD, 0x59,
   0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50,
   0xA7, 0xF6, 0x77, 0x93, 0x86, 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE,
   0x8F, 0x01, 0x3D };

// SBOX3[x] = rotl<7>(SBOX1[x])
alignas(256) static const uint8_t SBOX3[256] = {
   0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB,
   0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5, 0xC9, 0xA2, 0x8C,
   0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43,
   0x5C, 0xD7, 0xC7, 0x3E, 0xF5, 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF,
   0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE,
   0x9E, 0xEC, 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86,
   0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10, 0x78,
   0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82,
   0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02, 0xEB, 0x0A, 0x2C, 0x1D,
   0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C,
   0x79, 0x11, 0x7F, 0x22, 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12,
   0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE,
   0xD0, 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32,
   0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED, 0x45, 0x81,
   0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6,
   0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B, 0xF9, 0xCE, 0xBF, 0xDF, 0x71,
   0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7,
   0xA5, 0x89, 0x5F, 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37,
   0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
   0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21,
   0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA, 0x7C, 0x77, 0x56,
   0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14,
   0xE9, 0xBD, 0xDD, 0xE4, 0xA1, 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB,
   0xE3, 0x40, 0x4F };

// SBOX4[x] = SBOX1[rotl<1>(x)]
alignas(256) static const uint8_t SBOX4[256] = {
   0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45,
   0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C, 0x1F, 0x3E, 0xDC,
   0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B,
   0x9A, 0xFB, 0xB0, 0x74, 0x2B, 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76,
   0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53,
   0xF2, 0xFE, 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0,
   0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75, 0x8A,
   0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF,
   0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13, 0x63, 0xE9, 0xA7, 0x9F,
   0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB,
   0x88, 0x8D, 0x72, 0xB9, 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40,
   0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5,
   0x85, 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65,
   0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A, 0xE1, 0xCA,
   0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12,
   0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E, 0x05, 0xB7, 0x31, 0x17, 0xD7,
   0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5,
   0x91, 0x08, 0xA8, 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95,
   0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
   0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B,
   0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E, 0xF5, 0xB6, 0xFD,
   0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55,
   0xEE, 0x0A, 0x49, 0x68, 0x38, 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3,
   0xF4, 0xC7, 0x9E };

uint64_t F(uint64_t v, uint64_t K)
   {
   const uint64_t M1 = 0x0101010001000001;
   const uint64_t M2 = 0x0001010101010000;
   const uint64_t M3 = 0x0100010100010100;
   const uint64_t M4 = 0x0101000100000101;
   const uint64_t M5 = 0x0001010100010101;
   const uint64_t M6 = 0x0100010101000101;
   const uint64_t M7 = 0x0101000101010001;
   const uint64_t M8 = 0x0101010001010100;

   const uint64_t x = v ^ K;

   const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
   const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
   const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
   const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
   const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
   const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
   const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
   const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];

   return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
   }

inline uint64_t FL(uint64_t v, uint64_t K)
   {
   uint32_t x1 = static_cast<uint32_t>(v >> 32);
   uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);

   const uint32_t k1 = static_cast<uint32_t>(K >> 32);
   const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);

   x2 ^= rotl<1>(x1 & k1);
   x1 ^= (x2 | k2);

   return ((static_cast<uint64_t>(x1) << 32) | x2);
   }

inline uint64_t FLINV(uint64_t v, uint64_t K)
   {
   uint32_t x1 = static_cast<uint32_t>(v >> 32);
   uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);

   const uint32_t k1 = static_cast<uint32_t>(K >> 32);
   const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);

   x1 ^= (x2 | k2);
   x2 ^= rotl<1>(x1 & k1);

   return ((static_cast<uint64_t>(x1) << 32) | x2);
   }

/*
* Camellia Encryption
*/
void encrypt(const uint8_t in[], uint8_t out[], size_t blocks,
             const secure_vector<uint64_t>& SK, const size_t rounds)
   {
   for(size_t i = 0; i < blocks; ++i)
      {
      uint64_t D1, D2;
      load_be(in + 16*i, D1, D2);

      const uint64_t* K = SK.data();

      D1 ^= *K++;
      D2 ^= *K++;

      D2 ^= F(D1, *K++);
      D1 ^= F(D2, *K++);

      for(size_t r = 1; r != rounds - 1; ++r)
         {
         if(r % 3 == 0)
            {
            D1 = FL   (D1, *K++);
            D2 = FLINV(D2, *K++);
            }

         D2 ^= F(D1, *K++);
         D1 ^= F(D2, *K++);
         }

      D2 ^= F(D1, *K++);
      D1 ^= F(D2, *K++);

      D2 ^= *K++;
      D1 ^= *K++;

      store_be(out + 16*i, D2, D1);
      }
   }

/*
* Camellia Decryption
*/
void decrypt(const uint8_t in[], uint8_t out[], size_t blocks,
             const secure_vector<uint64_t>& SK, const size_t rounds)
   {
   for(size_t i = 0; i < blocks; ++i)
      {
      uint64_t D1, D2;
      load_be(in + 16*i, D1, D2);

      const uint64_t* K = &SK[SK.size()-1];

      D2 ^= *K--;
      D1 ^= *K--;

      D2 ^= F(D1, *K--);
      D1 ^= F(D2, *K--);

      for(size_t r = 1; r != rounds - 1; ++r)
         {
         if(r % 3 == 0)
            {
            D1 = FL   (D1, *K--);
            D2 = FLINV(D2, *K--);
            }

         D2 ^= F(D1, *K--);
         D1 ^= F(D2, *K--);
         }

      D2 ^= F(D1, *K--);
      D1 ^= F(D2, *K--);

      D1 ^= *K--;
      D2 ^= *K;

      store_be(out + 16*i, D2, D1);
      }
   }

inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift)
   {
   if(shift >= 64)
      shift -= 64;
   return (h << shift) | (l >> (64-shift));
   }

inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift)
   {
   if(shift >= 64)
      shift -= 64;
   return (h >> (64-shift)) | (l << shift);
   }

/*
* Camellia Key Schedule
*/
void key_schedule(secure_vector<uint64_t>& SK, const uint8_t key[], size_t length)
   {
   const uint64_t Sigma1 = 0xA09E667F3BCC908B;
   const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
   const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
   const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
   const uint64_t Sigma5 = 0x10E527FADE682D1D;
   const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;

   const uint64_t KL_H = load_be<uint64_t>(key, 0);
   const uint64_t KL_L = load_be<uint64_t>(key, 1);

   const uint64_t KR_H = (length >= 24) ? load_be<uint64_t>(key, 2) : 0;
   const uint64_t KR_L =
      (length == 32) ? load_be<uint64_t>(key, 3) : ((length == 24) ? ~KR_H : 0);

   uint64_t D1 = KL_H ^ KR_H;
   uint64_t D2 = KL_L ^ KR_L;
   D2 ^= F(D1, Sigma1);
   D1 ^= F(D2, Sigma2);
   D1 ^= KL_H;
   D2 ^= KL_L;
   D2 ^= F(D1, Sigma3);
   D1 ^= F(D2, Sigma4);

   const uint64_t KA_H = D1;
   const uint64_t KA_L = D2;

   D1 = KA_H ^ KR_H;
   D2 = KA_L ^ KR_L;
   D2 ^= F(D1, Sigma5);
   D1 ^= F(D2, Sigma6);

   const uint64_t KB_H = D1;
   const uint64_t KB_L = D2;

   if(length == 16)
      {
      SK.resize(26);

      SK[ 0] = KL_H;
      SK[ 1] = KL_L;
      SK[ 2] = KA_H;
      SK[ 3] = KA_L;
      SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
      SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
      SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
      SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
      SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
      SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
      SK[10] = left_rot_hi(KL_H, KL_L, 45);
      SK[11] = left_rot_lo(KL_H, KL_L, 45);
      SK[12] = left_rot_hi(KA_H, KA_L,  45);
      SK[13] = left_rot_lo(KL_H, KL_L,  60);
      SK[14] = left_rot_hi(KA_H, KA_L,  60);
      SK[15] = left_rot_lo(KA_H, KA_L,  60);
      SK[16] = left_rot_lo(KL_H, KL_L,  77);
      SK[17] = left_rot_hi(KL_H, KL_L,  77);
      SK[18] = left_rot_lo(KL_H, KL_L,  94);
      SK[19] = left_rot_hi(KL_H, KL_L,  94);
      SK[20] = left_rot_lo(KA_H, KA_L,  94);
      SK[21] = left_rot_hi(KA_H, KA_L,  94);
      SK[22] = left_rot_lo(KL_H, KL_L, 111);
      SK[23] = left_rot_hi(KL_H, KL_L, 111);
      SK[24] = left_rot_lo(KA_H, KA_L, 111);
      SK[25] = left_rot_hi(KA_H, KA_L, 111);
      }
   else
      {
      SK.resize(34);

      SK[ 0] = KL_H;
      SK[ 1] = KL_L;
      SK[ 2] = KB_H;
      SK[ 3] = KB_L;

      SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
      SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
      SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
      SK[ 7] = left_rot_lo(KA_H, KA_L, 15);

      SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
      SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
      SK[10] = left_rot_hi(KB_H, KB_L, 30);
      SK[11] = left_rot_lo(KB_H, KB_L, 30);

      SK[12] = left_rot_hi(KL_H, KL_L, 45);
      SK[13] = left_rot_lo(KL_H, KL_L, 45);
      SK[14] = left_rot_hi(KA_H, KA_L, 45);
      SK[15] = left_rot_lo(KA_H, KA_L, 45);

      SK[16] = left_rot_hi(KL_H, KL_L, 60);
      SK[17] = left_rot_lo(KL_H, KL_L, 60);
      SK[18] = left_rot_hi(KR_H, KR_L, 60);
      SK[19] = left_rot_lo(KR_H, KR_L, 60);
      SK[20] = left_rot_hi(KB_H, KB_L, 60);
      SK[21] = left_rot_lo(KB_H, KB_L, 60);

      SK[22] = left_rot_lo(KL_H, KL_L,  77);
      SK[23] = left_rot_hi(KL_H, KL_L,  77);
      SK[24] = left_rot_lo(KA_H, KA_L,  77);
      SK[25] = left_rot_hi(KA_H, KA_L,  77);

      SK[26] = left_rot_lo(KR_H, KR_L,  94);
      SK[27] = left_rot_hi(KR_H, KR_L,  94);
      SK[28] = left_rot_lo(KA_H, KA_L,  94);
      SK[29] = left_rot_hi(KA_H, KA_L,  94);
      SK[30] = left_rot_lo(KL_H, KL_L, 111);
      SK[31] = left_rot_hi(KL_H, KL_L, 111);
      SK[32] = left_rot_lo(KB_H, KB_L, 111);
      SK[33] = left_rot_hi(KB_H, KB_L, 111);
      }
   }

}

}

void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 9);
   }

void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::encrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 9);
   }

void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(m_SK.empty() == false);
   Camellia_F::decrypt(in, out, blocks, m_SK, 12);
   }

void Camellia_128::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_192::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_256::key_schedule(const uint8_t key[], size_t length)
   {
   Camellia_F::key_schedule(m_SK, key, length);
   }

void Camellia_128::clear()
   {
   zap(m_SK);
   }

void Camellia_192::clear()
   {
   zap(m_SK);
   }

void Camellia_256::clear()
   {
   zap(m_SK);
   }

}

Coverage Report

Created: 2022-01-14 08:07

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Camellia
3		* (C) 2012,2020 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/camellia.h>
9		#include <botan/internal/loadstor.h>
10		#include <botan/internal/rotate.h>
11
12		namespace Botan {
13
14		namespace {
15
16		namespace Camellia_F {
17
18		alignas(256) static const uint8_t SBOX1[256] = {
19		0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57,
20		0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B, 0x93, 0x45, 0x19,
21		0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86,
22		0xB8, 0xAF, 0x8F, 0x7C, 0xEB, 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F,
23		0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D,
24		0x3D, 0xD9, 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D,
25		0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20, 0xF0,
26		0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05,
27		0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04, 0xD7, 0x14, 0x58, 0x3A,
28		0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18,
29		0xF2, 0x22, 0xFE, 0x44, 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24,
30		0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D,
31		0xA1, 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64,
32		0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB, 0x8A, 0x03,
33		0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD,
34		0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6, 0xF3, 0x9D, 0x7F, 0xBF, 0xE2,
35		0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F,
36		0x4B, 0x13, 0xBE, 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E,
37		0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
38		0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42,
39		0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55, 0xF8, 0xEE, 0xAC,
40		0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28,
41		0xD3, 0x7B, 0xBB, 0xC9, 0x43, 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77,
42		0xC7, 0x80, 0x9E };
43
44		// SBOX2[x] = rotl<1>(SBOX1[x])
45		alignas(256) static const uint8_t SBOX2[256] = {
46		0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE,
47		0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6, 0x27, 0x8A, 0x32,
48		0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D,
49		0x71, 0x5F, 0x1F, 0xF8, 0xD7, 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE,
50		0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA,
51		0x7A, 0xB3, 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A,
52		0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40, 0xE1,
53		0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A,
54		0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08, 0xAF, 0x28, 0xB0, 0x74,
55		0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30,
56		0xE5, 0x44, 0xFD, 0x88, 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48,
57		0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA,
58		0x43, 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8,
59		0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7, 0x15, 0x06,
60		0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B,
61		0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED, 0xE7, 0x3B, 0xFE, 0x7F, 0xC5,
62		0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE,
63		0x96, 0x26, 0x7D, 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC,
64		0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
65		0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84,
66		0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA, 0xF1, 0xDD, 0x59,
67		0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50,
68		0xA7, 0xF6, 0x77, 0x93, 0x86, 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE,
69		0x8F, 0x01, 0x3D };
70
71		// SBOX3[x] = rotl<7>(SBOX1[x])
72		alignas(256) static const uint8_t SBOX3[256] = {
73		0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB,
74		0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5, 0xC9, 0xA2, 0x8C,
75		0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43,
76		0x5C, 0xD7, 0xC7, 0x3E, 0xF5, 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF,
77		0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE,
78		0x9E, 0xEC, 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86,
79		0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10, 0x78,
80		0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82,
81		0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02, 0xEB, 0x0A, 0x2C, 0x1D,
82		0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C,
83		0x79, 0x11, 0x7F, 0x22, 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12,
84		0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE,
85		0xD0, 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32,
86		0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED, 0x45, 0x81,
87		0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6,
88		0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B, 0xF9, 0xCE, 0xBF, 0xDF, 0x71,
89		0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7,
90		0xA5, 0x89, 0x5F, 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37,
91		0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
92		0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21,
93		0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA, 0x7C, 0x77, 0x56,
94		0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14,
95		0xE9, 0xBD, 0xDD, 0xE4, 0xA1, 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB,
96		0xE3, 0x40, 0x4F };
97
98		// SBOX4[x] = SBOX1[rotl<1>(x)]
99		alignas(256) static const uint8_t SBOX4[256] = {
100		0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45,
101		0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C, 0x1F, 0x3E, 0xDC,
102		0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B,
103		0x9A, 0xFB, 0xB0, 0x74, 0x2B, 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76,
104		0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53,
105		0xF2, 0xFE, 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0,
106		0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75, 0x8A,
107		0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF,
108		0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13, 0x63, 0xE9, 0xA7, 0x9F,
109		0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB,
110		0x88, 0x8D, 0x72, 0xB9, 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40,
111		0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5,
112		0x85, 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65,
113		0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A, 0xE1, 0xCA,
114		0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12,
115		0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E, 0x05, 0xB7, 0x31, 0x17, 0xD7,
116		0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5,
117		0x91, 0x08, 0xA8, 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95,
118		0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
119		0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B,
120		0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E, 0xF5, 0xB6, 0xFD,
121		0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55,
122		0xEE, 0x0A, 0x49, 0x68, 0x38, 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3,
123		0xF4, 0xC7, 0x9E };
124
125		uint64_t F(uint64_t v, uint64_t K)
126	49.7k	{
127	49.7k	const uint64_t M1 = 0x0101010001000001;
128	49.7k	const uint64_t M2 = 0x0001010101010000;
129	49.7k	const uint64_t M3 = 0x0100010100010100;
130	49.7k	const uint64_t M4 = 0x0101000100000101;
131	49.7k	const uint64_t M5 = 0x0001010100010101;
132	49.7k	const uint64_t M6 = 0x0100010101000101;
133	49.7k	const uint64_t M7 = 0x0101000101010001;
134	49.7k	const uint64_t M8 = 0x0101010001010100;
135
136	49.7k	const uint64_t x = v ^ K;
137
138	49.7k	const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
139	49.7k	const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
140	49.7k	const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
141	49.7k	const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
142	49.7k	const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
143	49.7k	const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
144	49.7k	const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
145	49.7k	const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];
146
147	49.7k	return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
148	49.7k	}
149
150		inline uint64_t FL(uint64_t v, uint64_t K)
151	5.84k	{
152	5.84k	uint32_t x1 = static_cast<uint32_t>(v >> 32);
153	5.84k	uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
154
155	5.84k	const uint32_t k1 = static_cast<uint32_t>(K >> 32);
156	5.84k	const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
157
158	5.84k	x2 ^= rotl<1>(x1 & k1);
159	5.84k	x1 ^= (x2 \| k2);
160
161	5.84k	return ((static_cast<uint64_t>(x1) << 32) \| x2);
162	5.84k	}
163
164		inline uint64_t FLINV(uint64_t v, uint64_t K)
165	5.84k	{
166	5.84k	uint32_t x1 = static_cast<uint32_t>(v >> 32);
167	5.84k	uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
168
169	5.84k	const uint32_t k1 = static_cast<uint32_t>(K >> 32);
170	5.84k	const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
171
172	5.84k	x1 ^= (x2 \| k2);
173	5.84k	x2 ^= rotl<1>(x1 & k1);
174
175	5.84k	return ((static_cast<uint64_t>(x1) << 32) \| x2);
176	5.84k	}
177
178		/*
179		* Camellia Encryption
180		*/
181		void encrypt(const uint8_t in[], uint8_t out[], size_t blocks,
182		const secure_vector<uint64_t>& SK, const size_t rounds)
183	598	{
184	2.99k	for(size_t i = 0; i < blocks; ++i)
185	2.39k	{
186	2.39k	uint64_t D1, D2;
187	2.39k	load_be(in + 16*i, D1, D2);
188
189	2.39k	const uint64_t* K = SK.data();
190
191	2.39k	D1 ^= *K++;
192	2.39k	D2 ^= *K++;
193
194	2.39k	D2 ^= F(D1, *K++);
195	2.39k	D1 ^= F(D2, *K++);
196
197	22.3k	for(size_t r = 1; r != rounds - 1; ++r)
198	19.9k	{
199	19.9k	if(r % 3 == 0)
200	5.84k	{
201	5.84k	D1 = FL (D1, *K++);
202	5.84k	D2 = FLINV(D2, *K++);
203	5.84k	}
204
205	19.9k	D2 ^= F(D1, *K++);
206	19.9k	D1 ^= F(D2, *K++);
207	19.9k	}
208
209	2.39k	D2 ^= F(D1, *K++);
210	2.39k	D1 ^= F(D2, *K++);
211
212	2.39k	D2 ^= *K++;
213	2.39k	D1 ^= *K++;
214
215	2.39k	store_be(out + 16*i, D2, D1);
216	2.39k	}
217	598	}
218
219		/*
220		* Camellia Decryption
221		*/
222		void decrypt(const uint8_t in[], uint8_t out[], size_t blocks,
223		const secure_vector<uint64_t>& SK, const size_t rounds)
224	0	{
225	0	for(size_t i = 0; i < blocks; ++i)
226	0	{
227	0	uint64_t D1, D2;
228	0	load_be(in + 16*i, D1, D2);
229
230	0	const uint64_t* K = &SK[SK.size()-1];
231
232	0	D2 ^= *K--;
233	0	D1 ^= *K--;
234
235	0	D2 ^= F(D1, *K--);
236	0	D1 ^= F(D2, *K--);
237
238	0	for(size_t r = 1; r != rounds - 1; ++r)
239	0	{
240	0	if(r % 3 == 0)
241	0	{
242	0	D1 = FL (D1, *K--);
243	0	D2 = FLINV(D2, *K--);
244	0	}
245
246	0	D2 ^= F(D1, *K--);
247	0	D1 ^= F(D2, *K--);
248	0	}
249
250	0	D2 ^= F(D1, *K--);
251	0	D1 ^= F(D2, *K--);
252
253	0	D1 ^= *K--;
254	0	D2 ^= *K;
255
256	0	store_be(out + 16*i, D2, D1);
257	0	}
258	0	}
259
260		inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift)
261	720	{
262	720	if(shift >= 64)
263	306	shift -= 64;
264	720	return (h << shift) \| (l >> (64-shift));
265	720	}
266
267		inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift)
268	720	{
269	720	if(shift >= 64)
270	306	shift -= 64;
271	720	return (h >> (64-shift)) \| (l << shift);
272	720	}
273
274		/*
275		* Camellia Key Schedule
276		*/
277		void key_schedule(secure_vector<uint64_t>& SK, const uint8_t key[], size_t length)
278	56	{
279	56	const uint64_t Sigma1 = 0xA09E667F3BCC908B;
280	56	const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
281	56	const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
282	56	const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
283	56	const uint64_t Sigma5 = 0x10E527FADE682D1D;
284	56	const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;
285
286	56	const uint64_t KL_H = load_be<uint64_t>(key, 0);
287	56	const uint64_t KL_L = load_be<uint64_t>(key, 1);
288
289	56	const uint64_t KR_H = (length >= 24) ? load_be<uint64_t>(key, 2) : 0;
290	56	const uint64_t KR_L =
291	56	(length == 32) ? load_be<uint64_t>(key, 3) : ((length == 24) ? ~KR_H : 0);
292
293	56	uint64_t D1 = KL_H ^ KR_H;
294	56	uint64_t D2 = KL_L ^ KR_L;
295	56	D2 ^= F(D1, Sigma1);
296	56	D1 ^= F(D2, Sigma2);
297	56	D1 ^= KL_H;
298	56	D2 ^= KL_L;
299	56	D2 ^= F(D1, Sigma3);
300	56	D1 ^= F(D2, Sigma4);
301
302	56	const uint64_t KA_H = D1;
303	56	const uint64_t KA_L = D2;
304
305	56	D1 = KA_H ^ KR_H;
306	56	D2 = KA_L ^ KR_L;
307	56	D2 ^= F(D1, Sigma5);
308	56	D1 ^= F(D2, Sigma6);
309
310	56	const uint64_t KB_H = D1;
311	56	const uint64_t KB_L = D2;
312
313	56	if(length == 16)
314	30	{
315	30	SK.resize(26);
316
317	30	SK[ 0] = KL_H;
318	30	SK[ 1] = KL_L;
319	30	SK[ 2] = KA_H;
320	30	SK[ 3] = KA_L;
321	30	SK[ 4] = left_rot_hi(KL_H, KL_L, 15);
322	30	SK[ 5] = left_rot_lo(KL_H, KL_L, 15);
323	30	SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
324	30	SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
325	30	SK[ 8] = left_rot_hi(KA_H, KA_L, 30);
326	30	SK[ 9] = left_rot_lo(KA_H, KA_L, 30);
327	30	SK[10] = left_rot_hi(KL_H, KL_L, 45);
328	30	SK[11] = left_rot_lo(KL_H, KL_L, 45);
329	30	SK[12] = left_rot_hi(KA_H, KA_L, 45);
330	30	SK[13] = left_rot_lo(KL_H, KL_L, 60);
331	30	SK[14] = left_rot_hi(KA_H, KA_L, 60);
332	30	SK[15] = left_rot_lo(KA_H, KA_L, 60);
333	30	SK[16] = left_rot_lo(KL_H, KL_L, 77);
334	30	SK[17] = left_rot_hi(KL_H, KL_L, 77);
335	30	SK[18] = left_rot_lo(KL_H, KL_L, 94);
336	30	SK[19] = left_rot_hi(KL_H, KL_L, 94);
337	30	SK[20] = left_rot_lo(KA_H, KA_L, 94);
338	30	SK[21] = left_rot_hi(KA_H, KA_L, 94);
339	30	SK[22] = left_rot_lo(KL_H, KL_L, 111);
340	30	SK[23] = left_rot_hi(KL_H, KL_L, 111);
341	30	SK[24] = left_rot_lo(KA_H, KA_L, 111);
342	30	SK[25] = left_rot_hi(KA_H, KA_L, 111);
343	30	}
344	26	else
345	26	{
346	26	SK.resize(34);
347
348	26	SK[ 0] = KL_H;
349	26	SK[ 1] = KL_L;
350	26	SK[ 2] = KB_H;
351	26	SK[ 3] = KB_L;
352
353	26	SK[ 4] = left_rot_hi(KR_H, KR_L, 15);
354	26	SK[ 5] = left_rot_lo(KR_H, KR_L, 15);
355	26	SK[ 6] = left_rot_hi(KA_H, KA_L, 15);
356	26	SK[ 7] = left_rot_lo(KA_H, KA_L, 15);
357
358	26	SK[ 8] = left_rot_hi(KR_H, KR_L, 30);
359	26	SK[ 9] = left_rot_lo(KR_H, KR_L, 30);
360	26	SK[10] = left_rot_hi(KB_H, KB_L, 30);
361	26	SK[11] = left_rot_lo(KB_H, KB_L, 30);
362
363	26	SK[12] = left_rot_hi(KL_H, KL_L, 45);
364	26	SK[13] = left_rot_lo(KL_H, KL_L, 45);
365	26	SK[14] = left_rot_hi(KA_H, KA_L, 45);
366	26	SK[15] = left_rot_lo(KA_H, KA_L, 45);
367
368	26	SK[16] = left_rot_hi(KL_H, KL_L, 60);
369	26	SK[17] = left_rot_lo(KL_H, KL_L, 60);
370	26	SK[18] = left_rot_hi(KR_H, KR_L, 60);
371	26	SK[19] = left_rot_lo(KR_H, KR_L, 60);
372	26	SK[20] = left_rot_hi(KB_H, KB_L, 60);
373	26	SK[21] = left_rot_lo(KB_H, KB_L, 60);
374
375	26	SK[22] = left_rot_lo(KL_H, KL_L, 77);
376	26	SK[23] = left_rot_hi(KL_H, KL_L, 77);
377	26	SK[24] = left_rot_lo(KA_H, KA_L, 77);
378	26	SK[25] = left_rot_hi(KA_H, KA_L, 77);
379
380	26	SK[26] = left_rot_lo(KR_H, KR_L, 94);
381	26	SK[27] = left_rot_hi(KR_H, KR_L, 94);
382	26	SK[28] = left_rot_lo(KA_H, KA_L, 94);
383	26	SK[29] = left_rot_hi(KA_H, KA_L, 94);
384	26	SK[30] = left_rot_lo(KL_H, KL_L, 111);
385	26	SK[31] = left_rot_hi(KL_H, KL_L, 111);
386	26	SK[32] = left_rot_lo(KB_H, KB_L, 111);
387	26	SK[33] = left_rot_hi(KB_H, KB_L, 111);
388	26	}
389	56	}
390
391		}
392
393		}
394
395		void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
396	333	{
397	333	verify_key_set(m_SK.empty() == false);
398	333	Camellia_F::encrypt(in, out, blocks, m_SK, 9);
399	333	}
400
401		void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
402	0	{
403	0	verify_key_set(m_SK.empty() == false);
404	0	Camellia_F::encrypt(in, out, blocks, m_SK, 12);
405	0	}
406
407		void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
408	265	{
409	265	verify_key_set(m_SK.empty() == false);
410	265	Camellia_F::encrypt(in, out, blocks, m_SK, 12);
411	265	}
412
413		void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
414	0	{
415	0	verify_key_set(m_SK.empty() == false);
416	0	Camellia_F::decrypt(in, out, blocks, m_SK, 9);
417	0	}
418
419		void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
420	0	{
421	0	verify_key_set(m_SK.empty() == false);
422	0	Camellia_F::decrypt(in, out, blocks, m_SK, 12);
423	0	}
424
425		void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
426	0	{
427	0	verify_key_set(m_SK.empty() == false);
428	0	Camellia_F::decrypt(in, out, blocks, m_SK, 12);
429	0	}
430
431		void Camellia_128::key_schedule(const uint8_t key[], size_t length)
432	30	{
433	30	Camellia_F::key_schedule(m_SK, key, length);
434	30	}
435
436		void Camellia_192::key_schedule(const uint8_t key[], size_t length)
437	0	{
438	0	Camellia_F::key_schedule(m_SK, key, length);
439	0	}
440
441		void Camellia_256::key_schedule(const uint8_t key[], size_t length)
442	26	{
443	26	Camellia_F::key_schedule(m_SK, key, length);
444	26	}
445
446		void Camellia_128::clear()
447	0	{
448	0	zap(m_SK);
449	0	}
450
451		void Camellia_192::clear()
452	0	{
453	0	zap(m_SK);
454	0	}
455
456		void Camellia_256::clear()
457	0	{
458	0	zap(m_SK);
459	0	}
460
461		}