/src/botan/src/lib/block/idea/idea.cpp

Source
/*
* IDEA
* (C) 1999-2010,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/idea.h>

#include <botan/internal/ct_utils.h>
#include <botan/internal/loadstor.h>

#if defined(BOTAN_HAS_CPUID)
   #include <botan/internal/cpuid.h>
#endif

namespace Botan {

namespace {

/*
* Multiplication modulo 65537
*/
inline uint16_t mul(uint16_t x, uint16_t y) {
   const uint32_t P = static_cast<uint32_t>(x) * y;
   const auto P_mask = CT::Mask<uint16_t>(CT::Mask<uint32_t>::is_zero(P));

   const uint32_t P_hi = P >> 16;
   const uint32_t P_lo = P & 0xFFFF;

   const uint16_t carry = static_cast<uint16_t>(P_lo < P_hi);
   const uint16_t r_1 = static_cast<uint16_t>((P_lo - P_hi) + carry);
   const uint16_t r_2 = 1 - x - y;

   return P_mask.select(r_2, r_1);
}

/*
* Find multiplicative inverses modulo 65537
*
* 65537 is prime; thus Fermat's little theorem tells us that
* x^65537 == x modulo 65537, which means
* x^(65537-2) == x^-1 modulo 65537 since
* x^(65537-2) * x == 1 mod 65537
*
* Do the exponentiation with a basic square and multiply: all bits are
* of exponent are 1 so we always multiply
*/
uint16_t mul_inv(uint16_t x) {
   uint16_t y = x;

   for(size_t i = 0; i != 15; ++i) {
      y = mul(y, y);  // square
      y = mul(y, x);
   }

   return y;
}

/**
* IDEA is involutional, depending only on the key schedule
*/
void idea_op(const uint8_t in[], uint8_t out[], size_t blocks, const uint16_t K[52]) {
   const size_t BLOCK_SIZE = 8;

   CT::poison(in, blocks * 8);
   CT::poison(out, blocks * 8);
   CT::poison(K, 52);

   for(size_t i = 0; i < blocks; ++i) {
      uint16_t X1 = 0;
      uint16_t X2 = 0;
      uint16_t X3 = 0;
      uint16_t X4 = 0;
      load_be(in + BLOCK_SIZE * i, X1, X2, X3, X4);

      for(size_t j = 0; j != 8; ++j) {
         X1 = mul(X1, K[6 * j + 0]);
         X2 += K[6 * j + 1];
         X3 += K[6 * j + 2];
         X4 = mul(X4, K[6 * j + 3]);

         const uint16_t T0 = X3;
         X3 = mul(X3 ^ X1, K[6 * j + 4]);

         const uint16_t T1 = X2;
         X2 = mul((X2 ^ X4) + X3, K[6 * j + 5]);
         X3 += X2;

         X1 ^= X2;
         X4 ^= X3;
         X2 ^= T0;
         X3 ^= T1;
      }

      X1 = mul(X1, K[48]);
      X2 += K[50];
      X3 += K[49];
      X4 = mul(X4, K[51]);

      store_be(out + BLOCK_SIZE * i, X1, X3, X2, X4);
   }

   CT::unpoison(in, blocks * 8);
   CT::unpoison(out, blocks * 8);
   CT::unpoison(K, 52);
}

}  // namespace

size_t IDEA::parallelism() const {
#if defined(BOTAN_HAS_IDEA_SSE2)
   if(CPUID::has(CPUID::Feature::SSE2)) {
      return 8;
   }
#endif

   return 1;
}

std::string IDEA::provider() const {
#if defined(BOTAN_HAS_IDEA_SSE2)
   if(auto feat = CPUID::check(CPUID::Feature::SSE2)) {
      return *feat;
   }
#endif

   return "base";
}

/*
* IDEA Encryption
*/
void IDEA::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
   assert_key_material_set();

#if defined(BOTAN_HAS_IDEA_SSE2)
   if(CPUID::has(CPUID::Feature::SSE2)) {
      while(blocks >= 8) {
         sse2_idea_op_8(in, out, m_EK.data());
         in += 8 * BLOCK_SIZE;
         out += 8 * BLOCK_SIZE;
         blocks -= 8;
      }
   }
#endif

   idea_op(in, out, blocks, m_EK.data());
}

/*
* IDEA Decryption
*/
void IDEA::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
   assert_key_material_set();

#if defined(BOTAN_HAS_IDEA_SSE2)
   if(CPUID::has(CPUID::Feature::SSE2)) {
      while(blocks >= 8) {
         sse2_idea_op_8(in, out, m_DK.data());
         in += 8 * BLOCK_SIZE;
         out += 8 * BLOCK_SIZE;
         blocks -= 8;
      }
   }
#endif

   idea_op(in, out, blocks, m_DK.data());
}

bool IDEA::has_keying_material() const {
   return !m_EK.empty();
}

/*
* IDEA Key Schedule
*/
void IDEA::key_schedule(std::span<const uint8_t> key) {
   m_EK.resize(52);
   m_DK.resize(52);

   CT::poison(key.data(), 16);
   CT::poison(m_EK.data(), 52);
   CT::poison(m_DK.data(), 52);

   secure_vector<uint64_t> K(2);

   K[0] = load_be<uint64_t>(key.data(), 0);
   K[1] = load_be<uint64_t>(key.data(), 1);

   for(size_t off = 0; off != 48; off += 8) {
      for(size_t i = 0; i != 8; ++i) {
         m_EK[off + i] = static_cast<uint16_t>(K[i / 4] >> (48 - 16 * (i % 4)));
      }

      const uint64_t Kx = (K[0] >> 39);
      const uint64_t Ky = (K[1] >> 39);

      K[0] = (K[0] << 25) | Ky;
      K[1] = (K[1] << 25) | Kx;
   }

   for(size_t i = 0; i != 4; ++i) {
      m_EK[48 + i] = static_cast<uint16_t>(K[i / 4] >> (48 - 16 * (i % 4)));
   }

   m_DK[0] = mul_inv(m_EK[48]);
   m_DK[1] = -m_EK[49];
   m_DK[2] = -m_EK[50];
   m_DK[3] = mul_inv(m_EK[51]);

   for(size_t i = 0; i != 8 * 6; i += 6) {
      m_DK[i + 4] = m_EK[46 - i];
      m_DK[i + 5] = m_EK[47 - i];
      m_DK[i + 6] = mul_inv(m_EK[42 - i]);
      m_DK[i + 7] = -m_EK[44 - i];
      m_DK[i + 8] = -m_EK[43 - i];
      m_DK[i + 9] = mul_inv(m_EK[45 - i]);
   }

   std::swap(m_DK[49], m_DK[50]);

   CT::unpoison(key.data(), 16);
   CT::unpoison(m_EK.data(), 52);
   CT::unpoison(m_DK.data(), 52);
}

void IDEA::clear() {
   zap(m_EK);
   zap(m_DK);
}

}  // namespace Botan

Coverage Report

Created: 2026-01-16 06:20

Line	Count	Source
1		/*
2		* IDEA
3		* (C) 1999-2010,2015 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/idea.h>
9
10		#include <botan/internal/ct_utils.h>
11		#include <botan/internal/loadstor.h>
12
13		#if defined(BOTAN_HAS_CPUID)
14		#include <botan/internal/cpuid.h>
15		#endif
16
17		namespace Botan {
18
19		namespace {
20
21		/*
22		* Multiplication modulo 65537
23		*/
24	0	inline uint16_t mul(uint16_t x, uint16_t y) {
25	0	const uint32_t P = static_cast<uint32_t>(x) * y;
26	0	const auto P_mask = CT::Mask<uint16_t>(CT::Mask<uint32_t>::is_zero(P));
27
28	0	const uint32_t P_hi = P >> 16;
29	0	const uint32_t P_lo = P & 0xFFFF;
30
31	0	const uint16_t carry = static_cast<uint16_t>(P_lo < P_hi);
32	0	const uint16_t r_1 = static_cast<uint16_t>((P_lo - P_hi) + carry);
33	0	const uint16_t r_2 = 1 - x - y;
34
35	0	return P_mask.select(r_2, r_1);
36	0	}
37
38		/*
39		* Find multiplicative inverses modulo 65537
40		*
41		* 65537 is prime; thus Fermat's little theorem tells us that
42		* x^65537 == x modulo 65537, which means
43		* x^(65537-2) == x^-1 modulo 65537 since
44		* x^(65537-2) * x == 1 mod 65537
45		*
46		* Do the exponentiation with a basic square and multiply: all bits are
47		* of exponent are 1 so we always multiply
48		*/
49	0	uint16_t mul_inv(uint16_t x) {
50	0	uint16_t y = x;
51
52	0	for(size_t i = 0; i != 15; ++i) {
53	0	y = mul(y, y); // square
54	0	y = mul(y, x);
55	0	}
56
57	0	return y;
58	0	}
59
60		/**
61		* IDEA is involutional, depending only on the key schedule
62		*/
63	0	void idea_op(const uint8_t in[], uint8_t out[], size_t blocks, const uint16_t K[52]) {
64	0	const size_t BLOCK_SIZE = 8;
65
66	0	CT::poison(in, blocks * 8);
67	0	CT::poison(out, blocks * 8);
68	0	CT::poison(K, 52);
69
70	0	for(size_t i = 0; i < blocks; ++i) {
71	0	uint16_t X1 = 0;
72	0	uint16_t X2 = 0;
73	0	uint16_t X3 = 0;
74	0	uint16_t X4 = 0;
75	0	load_be(in + BLOCK_SIZE * i, X1, X2, X3, X4);
76
77	0	for(size_t j = 0; j != 8; ++j) {
78	0	X1 = mul(X1, K[6 * j + 0]);
79	0	X2 += K[6 * j + 1];
80	0	X3 += K[6 * j + 2];
81	0	X4 = mul(X4, K[6 * j + 3]);
82
83	0	const uint16_t T0 = X3;
84	0	X3 = mul(X3 ^ X1, K[6 * j + 4]);
85
86	0	const uint16_t T1 = X2;
87	0	X2 = mul((X2 ^ X4) + X3, K[6 * j + 5]);
88	0	X3 += X2;
89
90	0	X1 ^= X2;
91	0	X4 ^= X3;
92	0	X2 ^= T0;
93	0	X3 ^= T1;
94	0	}
95
96	0	X1 = mul(X1, K[48]);
97	0	X2 += K[50];
98	0	X3 += K[49];
99	0	X4 = mul(X4, K[51]);
100
101	0	store_be(out + BLOCK_SIZE * i, X1, X3, X2, X4);
102	0	}
103
104	0	CT::unpoison(in, blocks * 8);
105	0	CT::unpoison(out, blocks * 8);
106	0	CT::unpoison(K, 52);
107	0	}
108
109		} // namespace
110
111	0	size_t IDEA::parallelism() const {
112	0	#if defined(BOTAN_HAS_IDEA_SSE2)
113	0	if(CPUID::has(CPUID::Feature::SSE2)) {
114	0	return 8;
115	0	}
116	0	#endif
117
118	0	return 1;
119	0	}
120
121	0	std::string IDEA::provider() const {
122	0	#if defined(BOTAN_HAS_IDEA_SSE2)
123	0	if(auto feat = CPUID::check(CPUID::Feature::SSE2)) {
124	0	return *feat;
125	0	}
126	0	#endif
127
128	0	return "base";
129	0	}
130
131		/*
132		* IDEA Encryption
133		*/
134	0	void IDEA::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
135	0	assert_key_material_set();
136
137	0	#if defined(BOTAN_HAS_IDEA_SSE2)
138	0	if(CPUID::has(CPUID::Feature::SSE2)) {
139	0	while(blocks >= 8) {
140	0	sse2_idea_op_8(in, out, m_EK.data());
141	0	in += 8 * BLOCK_SIZE;
142	0	out += 8 * BLOCK_SIZE;
143	0	blocks -= 8;
144	0	}
145	0	}
146	0	#endif
147
148	0	idea_op(in, out, blocks, m_EK.data());
149	0	}
150
151		/*
152		* IDEA Decryption
153		*/
154	0	void IDEA::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
155	0	assert_key_material_set();
156
157	0	#if defined(BOTAN_HAS_IDEA_SSE2)
158	0	if(CPUID::has(CPUID::Feature::SSE2)) {
159	0	while(blocks >= 8) {
160	0	sse2_idea_op_8(in, out, m_DK.data());
161	0	in += 8 * BLOCK_SIZE;
162	0	out += 8 * BLOCK_SIZE;
163	0	blocks -= 8;
164	0	}
165	0	}
166	0	#endif
167
168	0	idea_op(in, out, blocks, m_DK.data());
169	0	}
170
171	0	bool IDEA::has_keying_material() const {
172	0	return !m_EK.empty();
173	0	}
174
175		/*
176		* IDEA Key Schedule
177		*/
178	0	void IDEA::key_schedule(std::span<const uint8_t> key) {
179	0	m_EK.resize(52);
180	0	m_DK.resize(52);
181
182	0	CT::poison(key.data(), 16);
183	0	CT::poison(m_EK.data(), 52);
184	0	CT::poison(m_DK.data(), 52);
185
186	0	secure_vector<uint64_t> K(2);
187
188	0	K[0] = load_be<uint64_t>(key.data(), 0);
189	0	K[1] = load_be<uint64_t>(key.data(), 1);
190
191	0	for(size_t off = 0; off != 48; off += 8) {
192	0	for(size_t i = 0; i != 8; ++i) {
193	0	m_EK[off + i] = static_cast<uint16_t>(K[i / 4] >> (48 - 16 * (i % 4)));
194	0	}
195
196	0	const uint64_t Kx = (K[0] >> 39);
197	0	const uint64_t Ky = (K[1] >> 39);
198
199	0	K[0] = (K[0] << 25) \| Ky;
200	0	K[1] = (K[1] << 25) \| Kx;
201	0	}
202
203	0	for(size_t i = 0; i != 4; ++i) {
204	0	m_EK[48 + i] = static_cast<uint16_t>(K[i / 4] >> (48 - 16 * (i % 4)));
205	0	}
206
207	0	m_DK[0] = mul_inv(m_EK[48]);
208	0	m_DK[1] = -m_EK[49];
209	0	m_DK[2] = -m_EK[50];
210	0	m_DK[3] = mul_inv(m_EK[51]);
211
212	0	for(size_t i = 0; i != 8 * 6; i += 6) {
213	0	m_DK[i + 4] = m_EK[46 - i];
214	0	m_DK[i + 5] = m_EK[47 - i];
215	0	m_DK[i + 6] = mul_inv(m_EK[42 - i]);
216	0	m_DK[i + 7] = -m_EK[44 - i];
217	0	m_DK[i + 8] = -m_EK[43 - i];
218	0	m_DK[i + 9] = mul_inv(m_EK[45 - i]);
219	0	}
220
221	0	std::swap(m_DK[49], m_DK[50]);
222
223	0	CT::unpoison(key.data(), 16);
224	0	CT::unpoison(m_EK.data(), 52);
225	0	CT::unpoison(m_DK.data(), 52);
226	0	}
227
228	0	void IDEA::clear() {
229	0	zap(m_EK);
230	0	zap(m_DK);
231	0	}
232
233		} // namespace Botan