Botan 3.9.0
Crypto and TLS for C&
aria.cpp
Go to the documentation of this file.
1/*
2* ARIA
3* Adapted for Botan by Jeffrey Walton, public domain
4*
5* Further changes
6* (C) 2017,2020 Jack Lloyd
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*
10* This ARIA implementation is based on the 32-bit implementation by Aaram Yun from the
11* National Security Research Institute, KOREA. Aaram Yun's implementation is based on
12* the 8-bit implementation by Jin Hong. The source files are available in ARIA.zip from
13* the Korea Internet & Security Agency website.
14* <A HREF="https://tools.ietf.org/html/rfc5794">RFC 5794, A Description of the ARIA Encryption Algorithm</A>,
15* <A HREF="http://seed.kisa.or.kr/iwt/ko/bbs/EgovReferenceList.do?bbsId=BBSMSTR_000000000002">Korea
16* Internet & Security Agency homepage</A>
17*/
18
19#include <botan/internal/aria.h>
20
21#include <botan/internal/bswap.h>
22#include <botan/internal/loadstor.h>
23#include <botan/internal/prefetch.h>
24#include <botan/internal/rotate.h>
25
26namespace Botan {
27
28namespace {
29
30namespace ARIA_F {
31
32alignas(256) const uint8_t S1[256] = {
33 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9,
34 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F,
35 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07,
36 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3,
37 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58,
38 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3,
39 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F,
40 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
41 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC,
42 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A,
43 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70,
44 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
45 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42,
46 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16};
47
48alignas(256) const uint8_t S2[256] = {
49 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64,
50 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B, 0x55, 0xF0,
51 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB, 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A,
52 0x09, 0x45, 0xAA, 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 0x8D, 0x78, 0xC8, 0x95,
53 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38, 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12,
54 0x53, 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB,
55 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD, 0xA0,
56 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC, 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65,
57 0x3B, 0x02, 0x8F, 0x3E, 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 0x7E, 0xC5, 0x39,
58 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5, 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79,
59 0x86, 0xA8, 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 0x16, 0x82, 0x5F, 0xDA, 0xE6,
60 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
61 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D, 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3,
62 0xF8, 0x89, 0xDE, 0x71, 0x1A, 0xAF, 0xBA, 0xB5, 0x81};
63
64alignas(256) const uint8_t X1[256] = {
65 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39,
66 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2,
67 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76,
68 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC,
69 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D,
70 0x84, 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C,
71 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 0x4F,
72 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
73 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62,
74 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD,
75 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60,
76 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
77 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6,
78 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D};
79
80alignas(256) const uint8_t X2[256] = {
81 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E,
82 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89, 0xCB, 0x9D,
83 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D, 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53,
84 0xAA, 0x38, 0x98, 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 0x67, 0x88, 0x06, 0xC3,
85 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F, 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10,
86 0xCE, 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA,
87 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55, 0x86,
88 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A, 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15,
89 0x79, 0x26, 0xA7, 0xDE, 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 0xBF, 0xA4, 0x3B,
90 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6, 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83,
91 0x16, 0xA5, 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 0x07, 0x4F, 0x4E, 0x45, 0xB2,
92 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
93 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3, 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7,
94 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03, 0xA2, 0xAC, 0x60};
95
96inline uint32_t ARIA_F1(uint32_t X) {
97 const uint32_t M1 = 0x00010101;
98 const uint32_t M2 = 0x01000101;
99 const uint32_t M3 = 0x01010001;
100 const uint32_t M4 = 0x01010100;
101
102 return (S1[get_byte<0>(X)] * M1) ^ (S2[get_byte<1>(X)] * M2) ^ (X1[get_byte<2>(X)] * M3) ^ (X2[get_byte<3>(X)] * M4);
103}
104
105inline uint32_t ARIA_F2(uint32_t X) {
106 const uint32_t M1 = 0x00010101;
107 const uint32_t M2 = 0x01000101;
108 const uint32_t M3 = 0x01010001;
109 const uint32_t M4 = 0x01010100;
110
111 return (X1[get_byte<0>(X)] * M3) ^ (X2[get_byte<1>(X)] * M4) ^ (S1[get_byte<2>(X)] * M1) ^ (S2[get_byte<3>(X)] * M2);
112}
113
114inline void ARIA_FO(uint32_t& T0, uint32_t& T1, uint32_t& T2, uint32_t& T3) {
115 T0 = ARIA_F1(T0);
116 T1 = ARIA_F1(T1);
117 T2 = ARIA_F1(T2);
118 T3 = ARIA_F1(T3);
119
120 T1 ^= T2;
121 T2 ^= T3;
122 T0 ^= T1;
123 T3 ^= T1;
124 T2 ^= T0;
125 T1 ^= T2;
126
127 T1 = ((T1 << 8) & 0xFF00FF00) | ((T1 >> 8) & 0x00FF00FF);
128 T2 = rotr<16>(T2);
129 T3 = reverse_bytes(T3);
130
131 T1 ^= T2;
132 T2 ^= T3;
133 T0 ^= T1;
134 T3 ^= T1;
135 T2 ^= T0;
136 T1 ^= T2;
137}
138
139inline void ARIA_FE(uint32_t& T0, uint32_t& T1, uint32_t& T2, uint32_t& T3) {
140 T0 = ARIA_F2(T0);
141 T1 = ARIA_F2(T1);
142 T2 = ARIA_F2(T2);
143 T3 = ARIA_F2(T3);
144
145 T1 ^= T2;
146 T2 ^= T3;
147 T0 ^= T1;
148 T3 ^= T1;
149 T2 ^= T0;
150 T1 ^= T2;
151
152 T3 = ((T3 << 8) & 0xFF00FF00) | ((T3 >> 8) & 0x00FF00FF);
153 T0 = rotr<16>(T0);
154 T1 = reverse_bytes(T1);
155
156 T1 ^= T2;
157 T2 ^= T3;
158 T0 ^= T1;
159 T3 ^= T1;
160 T2 ^= T0;
161 T1 ^= T2;
162}
163
164/*
165* ARIA encryption and decryption
166*/
167void transform(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint32_t>& KS) {
168 prefetch_arrays(S1, S2, X1, X2);
169
170 const size_t ROUNDS = (KS.size() / 4) - 1;
171
172 for(size_t i = 0; i != blocks; ++i) {
173 uint32_t t0 = 0;
174 uint32_t t1 = 0;
175 uint32_t t2 = 0;
176 uint32_t t3 = 0;
177 load_be(in + 16 * i, t0, t1, t2, t3);
178
179 for(size_t r = 0; r < ROUNDS; r += 2) {
180 t0 ^= KS[4 * r];
181 t1 ^= KS[4 * r + 1];
182 t2 ^= KS[4 * r + 2];
183 t3 ^= KS[4 * r + 3];
184 ARIA_FO(t0, t1, t2, t3);
185
186 t0 ^= KS[4 * r + 4];
187 t1 ^= KS[4 * r + 5];
188 t2 ^= KS[4 * r + 6];
189 t3 ^= KS[4 * r + 7];
190
191 if(r != ROUNDS - 2) {
192 ARIA_FE(t0, t1, t2, t3);
193 }
194 }
195
196 out[16 * i + 0] = X1[get_byte<0>(t0)] ^ get_byte<0>(KS[4 * ROUNDS]);
197 out[16 * i + 1] = X2[get_byte<1>(t0)] ^ get_byte<1>(KS[4 * ROUNDS]);
198 out[16 * i + 2] = S1[get_byte<2>(t0)] ^ get_byte<2>(KS[4 * ROUNDS]);
199 out[16 * i + 3] = S2[get_byte<3>(t0)] ^ get_byte<3>(KS[4 * ROUNDS]);
200 out[16 * i + 4] = X1[get_byte<0>(t1)] ^ get_byte<0>(KS[4 * ROUNDS + 1]);
201 out[16 * i + 5] = X2[get_byte<1>(t1)] ^ get_byte<1>(KS[4 * ROUNDS + 1]);
202 out[16 * i + 6] = S1[get_byte<2>(t1)] ^ get_byte<2>(KS[4 * ROUNDS + 1]);
203 out[16 * i + 7] = S2[get_byte<3>(t1)] ^ get_byte<3>(KS[4 * ROUNDS + 1]);
204 out[16 * i + 8] = X1[get_byte<0>(t2)] ^ get_byte<0>(KS[4 * ROUNDS + 2]);
205 out[16 * i + 9] = X2[get_byte<1>(t2)] ^ get_byte<1>(KS[4 * ROUNDS + 2]);
206 out[16 * i + 10] = S1[get_byte<2>(t2)] ^ get_byte<2>(KS[4 * ROUNDS + 2]);
207 out[16 * i + 11] = S2[get_byte<3>(t2)] ^ get_byte<3>(KS[4 * ROUNDS + 2]);
208 out[16 * i + 12] = X1[get_byte<0>(t3)] ^ get_byte<0>(KS[4 * ROUNDS + 3]);
209 out[16 * i + 13] = X2[get_byte<1>(t3)] ^ get_byte<1>(KS[4 * ROUNDS + 3]);
210 out[16 * i + 14] = S1[get_byte<2>(t3)] ^ get_byte<2>(KS[4 * ROUNDS + 3]);
211 out[16 * i + 15] = S2[get_byte<3>(t3)] ^ get_byte<3>(KS[4 * ROUNDS + 3]);
212 }
213}
214
215// n-bit right shift of Y XORed to X
216template <size_t N>
217inline void ARIA_ROL128(const uint32_t X[4], const uint32_t Y[4], uint32_t KS[4]) {
218 // MSVC is not generating a "rotate immediate". Constify to help it along.
219 static const size_t Q = 4 - (N / 32);
220 static const size_t R = N % 32;
221 static_assert(R > 0 && R < 32, "Rotation in range for type");
222 KS[0] = (X[0]) ^ ((Y[(Q) % 4]) >> R) ^ ((Y[(Q + 3) % 4]) << (32 - R));
223 KS[1] = (X[1]) ^ ((Y[(Q + 1) % 4]) >> R) ^ ((Y[(Q) % 4]) << (32 - R));
224 KS[2] = (X[2]) ^ ((Y[(Q + 2) % 4]) >> R) ^ ((Y[(Q + 1) % 4]) << (32 - R));
225 KS[3] = (X[3]) ^ ((Y[(Q + 3) % 4]) >> R) ^ ((Y[(Q + 2) % 4]) << (32 - R));
226}
227
228void aria_ks_dk_transform(uint32_t& K0, uint32_t& K1, uint32_t& K2, uint32_t& K3) {
229 K0 = rotr<8>(K0) ^ rotr<16>(K0) ^ rotr<24>(K0);
230 K1 = rotr<8>(K1) ^ rotr<16>(K1) ^ rotr<24>(K1);
231 K2 = rotr<8>(K2) ^ rotr<16>(K2) ^ rotr<24>(K2);
232 K3 = rotr<8>(K3) ^ rotr<16>(K3) ^ rotr<24>(K3);
233
234 K1 ^= K2;
235 K2 ^= K3;
236 K0 ^= K1;
237 K3 ^= K1;
238 K2 ^= K0;
239 K1 ^= K2;
240
241 K1 = ((K1 << 8) & 0xFF00FF00) | ((K1 >> 8) & 0x00FF00FF);
242 K2 = rotr<16>(K2);
243 K3 = reverse_bytes(K3);
244
245 K1 ^= K2;
246 K2 ^= K3;
247 K0 ^= K1;
248 K3 ^= K1;
249 K2 ^= K0;
250 K1 ^= K2;
251}
252
253/*
254* ARIA Key Schedule
255*/
256void key_schedule(secure_vector<uint32_t>& ERK, secure_vector<uint32_t>& DRK, std::span<const uint8_t> key) {
257 const uint32_t KRK[3][4] = {{0x517cc1b7, 0x27220a94, 0xfe13abe8, 0xfa9a6ee0},
258 {0x6db14acc, 0x9e21c820, 0xff28b1d5, 0xef5de2b0},
259 {0xdb92371d, 0x2126e970, 0x03249775, 0x04e8c90e}};
260
261 const size_t CK0 = (key.size() / 8) - 2;
262 const size_t CK1 = (CK0 + 1) % 3;
263 const size_t CK2 = (CK1 + 1) % 3;
264
265 uint32_t w0[4];
266 uint32_t w1[4];
267 uint32_t w2[4];
268 uint32_t w3[4];
269
270 w0[0] = load_be<uint32_t>(key.data(), 0);
271 w0[1] = load_be<uint32_t>(key.data(), 1);
272 w0[2] = load_be<uint32_t>(key.data(), 2);
273 w0[3] = load_be<uint32_t>(key.data(), 3);
274
275 w1[0] = w0[0] ^ KRK[CK0][0];
276 w1[1] = w0[1] ^ KRK[CK0][1];
277 w1[2] = w0[2] ^ KRK[CK0][2];
278 w1[3] = w0[3] ^ KRK[CK0][3];
279
280 ARIA_FO(w1[0], w1[1], w1[2], w1[3]);
281
282 if(key.size() == 24 || key.size() == 32) {
283 w1[0] ^= load_be<uint32_t>(key.data(), 4);
284 w1[1] ^= load_be<uint32_t>(key.data(), 5);
285 }
286 if(key.size() == 32) {
287 w1[2] ^= load_be<uint32_t>(key.data(), 6);
288 w1[3] ^= load_be<uint32_t>(key.data(), 7);
289 }
290
291 w2[0] = w1[0] ^ KRK[CK1][0];
292 w2[1] = w1[1] ^ KRK[CK1][1];
293 w2[2] = w1[2] ^ KRK[CK1][2];
294 w2[3] = w1[3] ^ KRK[CK1][3];
295
296 ARIA_FE(w2[0], w2[1], w2[2], w2[3]);
297
298 w2[0] ^= w0[0];
299 w2[1] ^= w0[1];
300 w2[2] ^= w0[2];
301 w2[3] ^= w0[3];
302
303 w3[0] = w2[0] ^ KRK[CK2][0];
304 w3[1] = w2[1] ^ KRK[CK2][1];
305 w3[2] = w2[2] ^ KRK[CK2][2];
306 w3[3] = w2[3] ^ KRK[CK2][3];
307
308 ARIA_FO(w3[0], w3[1], w3[2], w3[3]);
309
310 w3[0] ^= w1[0];
311 w3[1] ^= w1[1];
312 w3[2] ^= w1[2];
313 w3[3] ^= w1[3];
314
315 if(key.size() == 16) {
316 ERK.resize(4 * 13);
317 } else if(key.size() == 24) {
318 ERK.resize(4 * 15);
319 } else if(key.size() == 32) {
320 ERK.resize(4 * 17);
321 }
322
323 ARIA_ROL128<19>(w0, w1, &ERK[0]); // NOLINT(*-container-data-pointer)
324 ARIA_ROL128<19>(w1, w2, &ERK[4]);
325 ARIA_ROL128<19>(w2, w3, &ERK[8]);
326 ARIA_ROL128<19>(w3, w0, &ERK[12]);
327 ARIA_ROL128<31>(w0, w1, &ERK[16]);
328 ARIA_ROL128<31>(w1, w2, &ERK[20]);
329 ARIA_ROL128<31>(w2, w3, &ERK[24]);
330 ARIA_ROL128<31>(w3, w0, &ERK[28]);
331 ARIA_ROL128<67>(w0, w1, &ERK[32]);
332 ARIA_ROL128<67>(w1, w2, &ERK[36]);
333 ARIA_ROL128<67>(w2, w3, &ERK[40]);
334 ARIA_ROL128<67>(w3, w0, &ERK[44]);
335 ARIA_ROL128<97>(w0, w1, &ERK[48]);
336
337 if(key.size() == 24 || key.size() == 32) {
338 ARIA_ROL128<97>(w1, w2, &ERK[52]);
339 ARIA_ROL128<97>(w2, w3, &ERK[56]);
340
341 if(key.size() == 32) {
342 ARIA_ROL128<97>(w3, w0, &ERK[60]);
343 ARIA_ROL128<109>(w0, w1, &ERK[64]);
344 }
345 }
346
347 // Now create the decryption key schedule
348 DRK.resize(ERK.size());
349
350 for(size_t i = 0; i != DRK.size(); i += 4) {
351 DRK[i] = ERK[ERK.size() - 4 - i];
352 DRK[i + 1] = ERK[ERK.size() - 3 - i];
353 DRK[i + 2] = ERK[ERK.size() - 2 - i];
354 DRK[i + 3] = ERK[ERK.size() - 1 - i];
355 }
356
357 for(size_t i = 4; i != DRK.size() - 4; i += 4) {
358 aria_ks_dk_transform(DRK[i + 0], DRK[i + 1], DRK[i + 2], DRK[i + 3]);
359 }
360}
361
362} // namespace ARIA_F
363
364} // namespace
365
366void ARIA_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
367 assert_key_material_set();
368 ARIA_F::transform(in, out, blocks, m_ERK);
369}
370
371void ARIA_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
372 assert_key_material_set();
373 ARIA_F::transform(in, out, blocks, m_ERK);
374}
375
376void ARIA_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
377 assert_key_material_set();
378 ARIA_F::transform(in, out, blocks, m_ERK);
379}
380
381void ARIA_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
382 assert_key_material_set();
383 ARIA_F::transform(in, out, blocks, m_DRK);
384}
385
386void ARIA_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
387 assert_key_material_set();
388 ARIA_F::transform(in, out, blocks, m_DRK);
389}
390
391void ARIA_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
392 assert_key_material_set();
393 ARIA_F::transform(in, out, blocks, m_DRK);
394}
395
396bool ARIA_128::has_keying_material() const {
397 return !m_ERK.empty();
398}
399
400bool ARIA_192::has_keying_material() const {
401 return !m_ERK.empty();
402}
403
404bool ARIA_256::has_keying_material() const {
405 return !m_ERK.empty();
406}
407
408void ARIA_128::key_schedule(std::span<const uint8_t> key) {
409 ARIA_F::key_schedule(m_ERK, m_DRK, key);
410}
411
412void ARIA_192::key_schedule(std::span<const uint8_t> key) {
413 ARIA_F::key_schedule(m_ERK, m_DRK, key);
414}
415
416void ARIA_256::key_schedule(std::span<const uint8_t> key) {
417 ARIA_F::key_schedule(m_ERK, m_DRK, key);
418}
419
420void ARIA_128::clear() {
421 zap(m_ERK);
422 zap(m_DRK);
423}
424
425void ARIA_192::clear() {
426 zap(m_ERK);
427 zap(m_DRK);
428}
429
430void ARIA_256::clear() {
431 zap(m_ERK);
432 zap(m_DRK);
433}
434
435} // namespace Botan
Botan::ARIA_128::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:366
Botan::ARIA_128::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:381
Botan::ARIA_128::clear
void clear() override
Definition aria.cpp:420
Botan::ARIA_128::has_keying_material
bool has_keying_material() const override
Definition aria.cpp:396
Botan::ARIA_192::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:371
Botan::ARIA_192::clear
void clear() override
Definition aria.cpp:425
Botan::ARIA_192::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:386
Botan::ARIA_192::has_keying_material
bool has_keying_material() const override
Definition aria.cpp:400
Botan::ARIA_256::clear
void clear() override
Definition aria.cpp:430
Botan::ARIA_256::has_keying_material
bool has_keying_material() const override
Definition aria.cpp:404
Botan::ARIA_256::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:376
Botan::ARIA_256::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition aria.cpp:391
Botan::ARIA_F
Definition aria.cpp:30
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:134
Botan::rotr
BOTAN_FORCE_INLINE constexpr T rotr(T input)
Definition rotate.h:35
Botan::reverse_bytes
constexpr T reverse_bytes(T x)
Definition bswap.h:27
Botan::prefetch_arrays
T prefetch_arrays(T(&... arr)[Ns]) noexcept
Definition prefetch.h:35
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504
Generated by doxygen 1.14.0