Botan 3.5.0
Crypto and TLS for C&
aria.cpp
Go to the documentation of this file.
1/*
2* ARIA
3* Adapted for Botan by Jeffrey Walton, public domain
4*
5* Further changes
6* (C) 2017,2020 Jack Lloyd
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*
10* This ARIA implementation is based on the 32-bit implementation by Aaram Yun from the
11* National Security Research Institute, KOREA. Aaram Yun's implementation is based on
12* the 8-bit implementation by Jin Hong. The source files are available in ARIA.zip from
13* the Korea Internet & Security Agency website.
14* <A HREF="https://tools.ietf.org/html/rfc5794">RFC 5794, A Description of the ARIA Encryption Algorithm</A>,
15* <A HREF="http://seed.kisa.or.kr/iwt/ko/bbs/EgovReferenceList.do?bbsId=BBSMSTR_000000000002">Korea
16* Internet & Security Agency homepage</A>
17*/
18
19#include <botan/internal/aria.h>
20
21#include <botan/internal/bswap.h>
22#include <botan/internal/loadstor.h>
23#include <botan/internal/prefetch.h>
24#include <botan/internal/rotate.h>
25
26namespace Botan {
27
28namespace {
29
30namespace ARIA_F {
31
32alignas(256) const uint8_t S1[256] = {
33 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9,
34 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F,
35 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07,
36 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3,
37 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58,
38 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3,
39 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F,
40 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
41 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC,
42 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A,
43 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70,
44 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
45 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42,
46 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16};
47
48alignas(256) const uint8_t S2[256] = {
49 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64,
50 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 0x55, 0xF0,
51 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A,
52 0x09, 0x45, 0xAA, 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 0x8D, 0x78, 0xC8, 0x95,
53 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12,
54 0x53, 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB,
55 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 0xA0,
56 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65,
57 0x3B, 0x02, 0x8F, 0x3E, 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 0x7E, 0xC5, 0x39,
58 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79,
59 0x86, 0xA8, 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 0x16, 0x82, 0x5F, 0xDA, 0xE6,
60 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
61 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3,
62 0xF8, 0x89, 0xDE, 0x71, 0x1A, 0xAF, 0xBA, 0xB5, 0x81};
63
64alignas(256) const uint8_t X1[256] = {
65 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39,
66 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2,
67 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76,
68 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC,
69 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D,
70 0x84, 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C,
71 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 0x4F,
72 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
73 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62,
74 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD,
75 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60,
76 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
77 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6,
78 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D};
79
80alignas(256) const uint8_t X2[256] = {
81 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E,
82 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 0xCB, 0x9D,
83 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53,
84 0xAA, 0x38, 0x98, 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 0x67, 0x88, 0x06, 0xC3,
85 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10,
86 0xCE, 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA,
87 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 0x86,
88 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15,
89 0x79, 0x26, 0xA7, 0xDE, 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 0xBF, 0xA4, 0x3B,
90 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83,
91 0x16, 0xA5, 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 0x07, 0x4F, 0x4E, 0x45, 0xB2,
92 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
93 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7,
94 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03, 0xA2, 0xAC, 0x60};
95
96inline uint32_t ARIA_F1(uint32_t X) {
97 const uint32_t M1 = 0x00010101;
98 const uint32_t M2 = 0x01000101;
99 const uint32_t M3 = 0x01010001;
100 const uint32_t M4 = 0x01010100;
101
102 return (S1[get_byte<0>(X)] * M1) ^ (S2[get_byte<1>(X)] * M2) ^ (X1[get_byte<2>(X)] * M3) ^ (X2[get_byte<3>(X)] * M4);
103}
104
105inline uint32_t ARIA_F2(uint32_t X) {
106 const uint32_t M1 = 0x00010101;
107 const uint32_t M2 = 0x01000101;
108 const uint32_t M3 = 0x01010001;
109 const uint32_t M4 = 0x01010100;
110
111 return (X1[get_byte<0>(X)] * M3) ^ (X2[get_byte<1>(X)] * M4) ^ (S1[get_byte<2>(X)] * M1) ^ (S2[get_byte<3>(X)] * M2);
112}
113
114inline void ARIA_FO(uint32_t& T0, uint32_t& T1, uint32_t& T2, uint32_t& T3) {
115 T0 = ARIA_F1(T0);
116 T1 = ARIA_F1(T1);
117 T2 = ARIA_F1(T2);
118 T3 = ARIA_F1(T3);
119
120 T1 ^= T2;
121 T2 ^= T3;
122 T0 ^= T1;
123 T3 ^= T1;
124 T2 ^= T0;
125 T1 ^= T2;
126
127 T1 = ((T1 << 8) & 0xFF00FF00) | ((T1 >> 8) & 0x00FF00FF);
128 T2 = rotr<16>(T2);
129 T3 = reverse_bytes(T3);
130
131 T1 ^= T2;
132 T2 ^= T3;
133 T0 ^= T1;
134 T3 ^= T1;
135 T2 ^= T0;
136 T1 ^= T2;
137}
138
139inline void ARIA_FE(uint32_t& T0, uint32_t& T1, uint32_t& T2, uint32_t& T3) {
140 T0 = ARIA_F2(T0);
141 T1 = ARIA_F2(T1);
142 T2 = ARIA_F2(T2);
143 T3 = ARIA_F2(T3);
144
145 T1 ^= T2;
146 T2 ^= T3;
147 T0 ^= T1;
148 T3 ^= T1;
149 T2 ^= T0;
150 T1 ^= T2;
151
152 T3 = ((T3 << 8) & 0xFF00FF00) | ((T3 >> 8) & 0x00FF00FF);
153 T0 = rotr<16>(T0);
154 T1 = reverse_bytes(T1);
155
156 T1 ^= T2;
157 T2 ^= T3;
158 T0 ^= T1;
159 T3 ^= T1;
160 T2 ^= T0;
161 T1 ^= T2;
162}
163
164/*
165* ARIA encryption and decryption
166*/
167void transform(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint32_t>& KS) {
168 prefetch_arrays(S1, S2, X1, X2);
169
170 const size_t ROUNDS = (KS.size() / 4) - 1;
171
172 for(size_t i = 0; i != blocks; ++i) {
173 uint32_t t0, t1, t2, t3;
174 load_be(in + 16 * i, t0, t1, t2, t3);
175
176 for(size_t r = 0; r < ROUNDS; r += 2) {
177 t0 ^= KS[4 * r];
178 t1 ^= KS[4 * r + 1];
179 t2 ^= KS[4 * r + 2];
180 t3 ^= KS[4 * r + 3];
181 ARIA_FO(t0, t1, t2, t3);
182
183 t0 ^= KS[4 * r + 4];
184 t1 ^= KS[4 * r + 5];
185 t2 ^= KS[4 * r + 6];
186 t3 ^= KS[4 * r + 7];
187
188 if(r != ROUNDS - 2) {
189 ARIA_FE(t0, t1, t2, t3);
190 }
191 }
192
193 out[16 * i + 0] = X1[get_byte<0>(t0)] ^ get_byte<0>(KS[4 * ROUNDS]);
194 out[16 * i + 1] = X2[get_byte<1>(t0)] ^ get_byte<1>(KS[4 * ROUNDS]);
195 out[16 * i + 2] = S1[get_byte<2>(t0)] ^ get_byte<2>(KS[4 * ROUNDS]);
196 out[16 * i + 3] = S2[get_byte<3>(t0)] ^ get_byte<3>(KS[4 * ROUNDS]);
197 out[16 * i + 4] = X1[get_byte<0>(t1)] ^ get_byte<0>(KS[4 * ROUNDS + 1]);
198 out[16 * i + 5] = X2[get_byte<1>(t1)] ^ get_byte<1>(KS[4 * ROUNDS + 1]);
199 out[16 * i + 6] = S1[get_byte<2>(t1)] ^ get_byte<2>(KS[4 * ROUNDS + 1]);
200 out[16 * i + 7] = S2[get_byte<3>(t1)] ^ get_byte<3>(KS[4 * ROUNDS + 1]);
201 out[16 * i + 8] = X1[get_byte<0>(t2)] ^ get_byte<0>(KS[4 * ROUNDS + 2]);
202 out[16 * i + 9] = X2[get_byte<1>(t2)] ^ get_byte<1>(KS[4 * ROUNDS + 2]);
203 out[16 * i + 10] = S1[get_byte<2>(t2)] ^ get_byte<2>(KS[4 * ROUNDS + 2]);
204 out[16 * i + 11] = S2[get_byte<3>(t2)] ^ get_byte<3>(KS[4 * ROUNDS + 2]);
205 out[16 * i + 12] = X1[get_byte<0>(t3)] ^ get_byte<0>(KS[4 * ROUNDS + 3]);
206 out[16 * i + 13] = X2[get_byte<1>(t3)] ^ get_byte<1>(KS[4 * ROUNDS + 3]);
207 out[16 * i + 14] = S1[get_byte<2>(t3)] ^ get_byte<2>(KS[4 * ROUNDS + 3]);
208 out[16 * i + 15] = S2[get_byte<3>(t3)] ^ get_byte<3>(KS[4 * ROUNDS + 3]);
209 }
210}
211
212// n-bit right shift of Y XORed to X
213template <size_t N>
214inline void ARIA_ROL128(const uint32_t X[4], const uint32_t Y[4], uint32_t KS[4]) {
215 // MSVC is not generating a "rotate immediate". Constify to help it along.
216 static const size_t Q = 4 - (N / 32);
217 static const size_t R = N % 32;
218 static_assert(R > 0 && R < 32, "Rotation in range for type");
219 KS[0] = (X[0]) ^ ((Y[(Q) % 4]) >> R) ^ ((Y[(Q + 3) % 4]) << (32 - R));
220 KS[1] = (X[1]) ^ ((Y[(Q + 1) % 4]) >> R) ^ ((Y[(Q) % 4]) << (32 - R));
221 KS[2] = (X[2]) ^ ((Y[(Q + 2) % 4]) >> R) ^ ((Y[(Q + 1) % 4]) << (32 - R));
222 KS[3] = (X[3]) ^ ((Y[(Q + 3) % 4]) >> R) ^ ((Y[(Q + 2) % 4]) << (32 - R));
223}
224
225void aria_ks_dk_transform(uint32_t& K0, uint32_t& K1, uint32_t& K2, uint32_t& K3) {
226 K0 = rotr<8>(K0) ^ rotr<16>(K0) ^ rotr<24>(K0);
227 K1 = rotr<8>(K1) ^ rotr<16>(K1) ^ rotr<24>(K1);
228 K2 = rotr<8>(K2) ^ rotr<16>(K2) ^ rotr<24>(K2);
229 K3 = rotr<8>(K3) ^ rotr<16>(K3) ^ rotr<24>(K3);
230
231 K1 ^= K2;
232 K2 ^= K3;
233 K0 ^= K1;
234 K3 ^= K1;
235 K2 ^= K0;
236 K1 ^= K2;
237
238 K1 = ((K1 << 8) & 0xFF00FF00) | ((K1 >> 8) & 0x00FF00FF);
239 K2 = rotr<16>(K2);
240 K3 = reverse_bytes(K3);
241
242 K1 ^= K2;
243 K2 ^= K3;
244 K0 ^= K1;
245 K3 ^= K1;
246 K2 ^= K0;
247 K1 ^= K2;
248}
249
250/*
251* ARIA Key Schedule
252*/
253void key_schedule(secure_vector<uint32_t>& ERK, secure_vector<uint32_t>& DRK, std::span<const uint8_t> key) {
254 const uint32_t KRK[3][4] = {{0x517cc1b7, 0x27220a94, 0xfe13abe8, 0xfa9a6ee0},
255 {0x6db14acc, 0x9e21c820, 0xff28b1d5, 0xef5de2b0},
256 {0xdb92371d, 0x2126e970, 0x03249775, 0x04e8c90e}};
257
258 const size_t CK0 = (key.size() / 8) - 2;
259 const size_t CK1 = (CK0 + 1) % 3;
260 const size_t CK2 = (CK1 + 1) % 3;
261
262 uint32_t w0[4];
263 uint32_t w1[4];
264 uint32_t w2[4];
265 uint32_t w3[4];
266
267 w0[0] = load_be<uint32_t>(key.data(), 0);
268 w0[1] = load_be<uint32_t>(key.data(), 1);
269 w0[2] = load_be<uint32_t>(key.data(), 2);
270 w0[3] = load_be<uint32_t>(key.data(), 3);
271
272 w1[0] = w0[0] ^ KRK[CK0][0];
273 w1[1] = w0[1] ^ KRK[CK0][1];
274 w1[2] = w0[2] ^ KRK[CK0][2];
275 w1[3] = w0[3] ^ KRK[CK0][3];
276
277 ARIA_FO(w1[0], w1[1], w1[2], w1[3]);
278
279 if(key.size() == 24 || key.size() == 32) {
280 w1[0] ^= load_be<uint32_t>(key.data(), 4);
281 w1[1] ^= load_be<uint32_t>(key.data(), 5);
282 }
283 if(key.size() == 32) {
284 w1[2] ^= load_be<uint32_t>(key.data(), 6);
285 w1[3] ^= load_be<uint32_t>(key.data(), 7);
286 }
287
288 w2[0] = w1[0] ^ KRK[CK1][0];
289 w2[1] = w1[1] ^ KRK[CK1][1];
290 w2[2] = w1[2] ^ KRK[CK1][2];
291 w2[3] = w1[3] ^ KRK[CK1][3];
292
293 ARIA_FE(w2[0], w2[1], w2[2], w2[3]);
294
295 w2[0] ^= w0[0];
296 w2[1] ^= w0[1];
297 w2[2] ^= w0[2];
298 w2[3] ^= w0[3];
299
300 w3[0] = w2[0] ^ KRK[CK2][0];
301 w3[1] = w2[1] ^ KRK[CK2][1];
302 w3[2] = w2[2] ^ KRK[CK2][2];
303 w3[3] = w2[3] ^ KRK[CK2][3];
304
305 ARIA_FO(w3[0], w3[1], w3[2], w3[3]);
306
307 w3[0] ^= w1[0];
308 w3[1] ^= w1[1];
309 w3[2] ^= w1[2];
310 w3[3] ^= w1[3];
311
312 if(key.size() == 16) {
313 ERK.resize(4 * 13);
314 } else if(key.size() == 24) {
315 ERK.resize(4 * 15);
316 } else if(key.size() == 32) {
317 ERK.resize(4 * 17);
318 }
319
320 ARIA_ROL128<19>(w0, w1, &ERK[0]);
321 ARIA_ROL128<19>(w1, w2, &ERK[4]);
322 ARIA_ROL128<19>(w2, w3, &ERK[8]);
323 ARIA_ROL128<19>(w3, w0, &ERK[12]);
324 ARIA_ROL128<31>(w0, w1, &ERK[16]);
325 ARIA_ROL128<31>(w1, w2, &ERK[20]);
326 ARIA_ROL128<31>(w2, w3, &ERK[24]);
327 ARIA_ROL128<31>(w3, w0, &ERK[28]);
328 ARIA_ROL128<67>(w0, w1, &ERK[32]);
329 ARIA_ROL128<67>(w1, w2, &ERK[36]);
330 ARIA_ROL128<67>(w2, w3, &ERK[40]);
331 ARIA_ROL128<67>(w3, w0, &ERK[44]);
332 ARIA_ROL128<97>(w0, w1, &ERK[48]);
333
334 if(key.size() == 24 || key.size() == 32) {
335 ARIA_ROL128<97>(w1, w2, &ERK[52]);
336 ARIA_ROL128<97>(w2, w3, &ERK[56]);
337
338 if(key.size() == 32) {
339 ARIA_ROL128<97>(w3, w0, &ERK[60]);
340 ARIA_ROL128<109>(w0, w1, &ERK[64]);
341 }
342 }
343
344 // Now create the decryption key schedule
345 DRK.resize(ERK.size());
346
347 for(size_t i = 0; i != DRK.size(); i += 4) {
348 DRK[i] = ERK[ERK.size() - 4 - i];
349 DRK[i + 1] = ERK[ERK.size() - 3 - i];
350 DRK[i + 2] = ERK[ERK.size() - 2 - i];
351 DRK[i + 3] = ERK[ERK.size() - 1 - i];
352 }
353
354 for(size_t i = 4; i != DRK.size() - 4; i += 4) {
355 aria_ks_dk_transform(DRK[i + 0], DRK[i + 1], DRK[i + 2], DRK[i + 3]);
356 }
357}
358
359} // namespace ARIA_F
360
361} // namespace
362
363void ARIA_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
364 assert_key_material_set();
365 ARIA_F::transform(in, out, blocks, m_ERK);
366}
367
368void ARIA_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
369 assert_key_material_set();
370 ARIA_F::transform(in, out, blocks, m_ERK);
371}
372
373void ARIA_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
374 assert_key_material_set();
375 ARIA_F::transform(in, out, blocks, m_ERK);
376}
377
378void ARIA_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
379 assert_key_material_set();
380 ARIA_F::transform(in, out, blocks, m_DRK);
381}
382
383void ARIA_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
384 assert_key_material_set();
385 ARIA_F::transform(in, out, blocks, m_DRK);
386}
387
388void ARIA_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
389 assert_key_material_set();
390 ARIA_F::transform(in, out, blocks, m_DRK);
391}
392
393bool ARIA_128::has_keying_material() const {
394 return !m_ERK.empty();
395}
396
397bool ARIA_192::has_keying_material() const {
398 return !m_ERK.empty();
399}
400
401bool ARIA_256::has_keying_material() const {
402 return !m_ERK.empty();
403}
404
405void ARIA_128::key_schedule(std::span<const uint8_t> key) {
406 ARIA_F::key_schedule(m_ERK, m_DRK, key);
407}
408
409void ARIA_192::key_schedule(std::span<const uint8_t> key) {
410 ARIA_F::key_schedule(m_ERK, m_DRK, key);
411}
412
413void ARIA_256::key_schedule(std::span<const uint8_t> key) {
414 ARIA_F::key_schedule(m_ERK, m_DRK, key);
415}
416
417void ARIA_128::clear() {
418 zap(m_ERK);
419 zap(m_DRK);
420}
421
422void ARIA_192::clear() {
423 zap(m_ERK);
424 zap(m_DRK);
425}
426
427void ARIA_256::clear() {
428 zap(m_ERK);
429 zap(m_DRK);
430}
431
432} // namespace Botan
Botan::ARIA_128::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:363
Botan::ARIA_128::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:378
Botan::ARIA_128::clear
void clear() override
Definition aria.cpp:417
Botan::ARIA_128::has_keying_material
bool has_keying_material() const override
Definition aria.cpp:393
Botan::ARIA_192::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:368
Botan::ARIA_192::clear
void clear() override
Definition aria.cpp:422
Botan::ARIA_192::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:383
Botan::ARIA_192::has_keying_material
bool has_keying_material() const override
Definition aria.cpp:397
Botan::ARIA_256::clear
void clear() override
Definition aria.cpp:427
Botan::ARIA_256::has_keying_material
bool has_keying_material() const override
Definition aria.cpp:401
Botan::ARIA_256::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:373
Botan::ARIA_256::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:388
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:139
Y
FE_25519 Y
Definition ge.cpp:26
X
FE_25519 X
Definition ge.cpp:25
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:75
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:117
Botan::rotr
constexpr T rotr(T input)
Definition rotate.h:33
Botan::reverse_bytes
constexpr T reverse_bytes(T x)
Definition bswap.h:24
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::prefetch_arrays
T prefetch_arrays(T(&... arr)[Ns]) noexcept
Definition prefetch.h:34
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:467
Generated by doxygen 1.11.0