Botan 3.11.0
Crypto and TLS for C&
camellia.cpp
Go to the documentation of this file.
1/*
2* Camellia
3* (C) 2012,2020 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/camellia.h>
9
10#include <botan/internal/loadstor.h>
11#include <botan/internal/prefetch.h>
12#include <botan/internal/rotate.h>
13
14#if defined(BOTAN_HAS_CPUID) && (defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI) || defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI))
15 #include <botan/internal/cpuid.h>
16#endif
17
18namespace Botan {
19
20namespace {
21
22namespace Camellia_F {
23
24alignas(256) const uint8_t SBOX1[256] = {
25 0x70, 0x82, 0x2C, 0xEC, 0xB3, 0x27, 0xC0, 0xE5, 0xE4, 0x85, 0x57, 0x35, 0xEA, 0x0C, 0xAE, 0x41, 0x23, 0xEF, 0x6B,
26 0x93, 0x45, 0x19, 0xA5, 0x21, 0xED, 0x0E, 0x4F, 0x4E, 0x1D, 0x65, 0x92, 0xBD, 0x86, 0xB8, 0xAF, 0x8F, 0x7C, 0xEB,
27 0x1F, 0xCE, 0x3E, 0x30, 0xDC, 0x5F, 0x5E, 0xC5, 0x0B, 0x1A, 0xA6, 0xE1, 0x39, 0xCA, 0xD5, 0x47, 0x5D, 0x3D, 0xD9,
28 0x01, 0x5A, 0xD6, 0x51, 0x56, 0x6C, 0x4D, 0x8B, 0x0D, 0x9A, 0x66, 0xFB, 0xCC, 0xB0, 0x2D, 0x74, 0x12, 0x2B, 0x20,
29 0xF0, 0xB1, 0x84, 0x99, 0xDF, 0x4C, 0xCB, 0xC2, 0x34, 0x7E, 0x76, 0x05, 0x6D, 0xB7, 0xA9, 0x31, 0xD1, 0x17, 0x04,
30 0xD7, 0x14, 0x58, 0x3A, 0x61, 0xDE, 0x1B, 0x11, 0x1C, 0x32, 0x0F, 0x9C, 0x16, 0x53, 0x18, 0xF2, 0x22, 0xFE, 0x44,
31 0xCF, 0xB2, 0xC3, 0xB5, 0x7A, 0x91, 0x24, 0x08, 0xE8, 0xA8, 0x60, 0xFC, 0x69, 0x50, 0xAA, 0xD0, 0xA0, 0x7D, 0xA1,
32 0x89, 0x62, 0x97, 0x54, 0x5B, 0x1E, 0x95, 0xE0, 0xFF, 0x64, 0xD2, 0x10, 0xC4, 0x00, 0x48, 0xA3, 0xF7, 0x75, 0xDB,
33 0x8A, 0x03, 0xE6, 0xDA, 0x09, 0x3F, 0xDD, 0x94, 0x87, 0x5C, 0x83, 0x02, 0xCD, 0x4A, 0x90, 0x33, 0x73, 0x67, 0xF6,
34 0xF3, 0x9D, 0x7F, 0xBF, 0xE2, 0x52, 0x9B, 0xD8, 0x26, 0xC8, 0x37, 0xC6, 0x3B, 0x81, 0x96, 0x6F, 0x4B, 0x13, 0xBE,
35 0x63, 0x2E, 0xE9, 0x79, 0xA7, 0x8C, 0x9F, 0x6E, 0xBC, 0x8E, 0x29, 0xF5, 0xF9, 0xB6, 0x2F, 0xFD, 0xB4, 0x59, 0x78,
36 0x98, 0x06, 0x6A, 0xE7, 0x46, 0x71, 0xBA, 0xD4, 0x25, 0xAB, 0x42, 0x88, 0xA2, 0x8D, 0xFA, 0x72, 0x07, 0xB9, 0x55,
37 0xF8, 0xEE, 0xAC, 0x0A, 0x36, 0x49, 0x2A, 0x68, 0x3C, 0x38, 0xF1, 0xA4, 0x40, 0x28, 0xD3, 0x7B, 0xBB, 0xC9, 0x43,
38 0xC1, 0x15, 0xE3, 0xAD, 0xF4, 0x77, 0xC7, 0x80, 0x9E};
39
40// SBOX2[x] = rotl<1>(SBOX1[x])
41alignas(256) const uint8_t SBOX2[256] = {
42 0xE0, 0x05, 0x58, 0xD9, 0x67, 0x4E, 0x81, 0xCB, 0xC9, 0x0B, 0xAE, 0x6A, 0xD5, 0x18, 0x5D, 0x82, 0x46, 0xDF, 0xD6,
43 0x27, 0x8A, 0x32, 0x4B, 0x42, 0xDB, 0x1C, 0x9E, 0x9C, 0x3A, 0xCA, 0x25, 0x7B, 0x0D, 0x71, 0x5F, 0x1F, 0xF8, 0xD7,
44 0x3E, 0x9D, 0x7C, 0x60, 0xB9, 0xBE, 0xBC, 0x8B, 0x16, 0x34, 0x4D, 0xC3, 0x72, 0x95, 0xAB, 0x8E, 0xBA, 0x7A, 0xB3,
45 0x02, 0xB4, 0xAD, 0xA2, 0xAC, 0xD8, 0x9A, 0x17, 0x1A, 0x35, 0xCC, 0xF7, 0x99, 0x61, 0x5A, 0xE8, 0x24, 0x56, 0x40,
46 0xE1, 0x63, 0x09, 0x33, 0xBF, 0x98, 0x97, 0x85, 0x68, 0xFC, 0xEC, 0x0A, 0xDA, 0x6F, 0x53, 0x62, 0xA3, 0x2E, 0x08,
47 0xAF, 0x28, 0xB0, 0x74, 0xC2, 0xBD, 0x36, 0x22, 0x38, 0x64, 0x1E, 0x39, 0x2C, 0xA6, 0x30, 0xE5, 0x44, 0xFD, 0x88,
48 0x9F, 0x65, 0x87, 0x6B, 0xF4, 0x23, 0x48, 0x10, 0xD1, 0x51, 0xC0, 0xF9, 0xD2, 0xA0, 0x55, 0xA1, 0x41, 0xFA, 0x43,
49 0x13, 0xC4, 0x2F, 0xA8, 0xB6, 0x3C, 0x2B, 0xC1, 0xFF, 0xC8, 0xA5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xEF, 0xEA, 0xB7,
50 0x15, 0x06, 0xCD, 0xB5, 0x12, 0x7E, 0xBB, 0x29, 0x0F, 0xB8, 0x07, 0x04, 0x9B, 0x94, 0x21, 0x66, 0xE6, 0xCE, 0xED,
51 0xE7, 0x3B, 0xFE, 0x7F, 0xC5, 0xA4, 0x37, 0xB1, 0x4C, 0x91, 0x6E, 0x8D, 0x76, 0x03, 0x2D, 0xDE, 0x96, 0x26, 0x7D,
52 0xC6, 0x5C, 0xD3, 0xF2, 0x4F, 0x19, 0x3F, 0xDC, 0x79, 0x1D, 0x52, 0xEB, 0xF3, 0x6D, 0x5E, 0xFB, 0x69, 0xB2, 0xF0,
53 0x31, 0x0C, 0xD4, 0xCF, 0x8C, 0xE2, 0x75, 0xA9, 0x4A, 0x57, 0x84, 0x11, 0x45, 0x1B, 0xF5, 0xE4, 0x0E, 0x73, 0xAA,
54 0xF1, 0xDD, 0x59, 0x14, 0x6C, 0x92, 0x54, 0xD0, 0x78, 0x70, 0xE3, 0x49, 0x80, 0x50, 0xA7, 0xF6, 0x77, 0x93, 0x86,
55 0x83, 0x2A, 0xC7, 0x5B, 0xE9, 0xEE, 0x8F, 0x01, 0x3D};
56
57// SBOX3[x] = rotl<7>(SBOX1[x])
58alignas(256) const uint8_t SBOX3[256] = {
59 0x38, 0x41, 0x16, 0x76, 0xD9, 0x93, 0x60, 0xF2, 0x72, 0xC2, 0xAB, 0x9A, 0x75, 0x06, 0x57, 0xA0, 0x91, 0xF7, 0xB5,
60 0xC9, 0xA2, 0x8C, 0xD2, 0x90, 0xF6, 0x07, 0xA7, 0x27, 0x8E, 0xB2, 0x49, 0xDE, 0x43, 0x5C, 0xD7, 0xC7, 0x3E, 0xF5,
61 0x8F, 0x67, 0x1F, 0x18, 0x6E, 0xAF, 0x2F, 0xE2, 0x85, 0x0D, 0x53, 0xF0, 0x9C, 0x65, 0xEA, 0xA3, 0xAE, 0x9E, 0xEC,
62 0x80, 0x2D, 0x6B, 0xA8, 0x2B, 0x36, 0xA6, 0xC5, 0x86, 0x4D, 0x33, 0xFD, 0x66, 0x58, 0x96, 0x3A, 0x09, 0x95, 0x10,
63 0x78, 0xD8, 0x42, 0xCC, 0xEF, 0x26, 0xE5, 0x61, 0x1A, 0x3F, 0x3B, 0x82, 0xB6, 0xDB, 0xD4, 0x98, 0xE8, 0x8B, 0x02,
64 0xEB, 0x0A, 0x2C, 0x1D, 0xB0, 0x6F, 0x8D, 0x88, 0x0E, 0x19, 0x87, 0x4E, 0x0B, 0xA9, 0x0C, 0x79, 0x11, 0x7F, 0x22,
65 0xE7, 0x59, 0xE1, 0xDA, 0x3D, 0xC8, 0x12, 0x04, 0x74, 0x54, 0x30, 0x7E, 0xB4, 0x28, 0x55, 0x68, 0x50, 0xBE, 0xD0,
66 0xC4, 0x31, 0xCB, 0x2A, 0xAD, 0x0F, 0xCA, 0x70, 0xFF, 0x32, 0x69, 0x08, 0x62, 0x00, 0x24, 0xD1, 0xFB, 0xBA, 0xED,
67 0x45, 0x81, 0x73, 0x6D, 0x84, 0x9F, 0xEE, 0x4A, 0xC3, 0x2E, 0xC1, 0x01, 0xE6, 0x25, 0x48, 0x99, 0xB9, 0xB3, 0x7B,
68 0xF9, 0xCE, 0xBF, 0xDF, 0x71, 0x29, 0xCD, 0x6C, 0x13, 0x64, 0x9B, 0x63, 0x9D, 0xC0, 0x4B, 0xB7, 0xA5, 0x89, 0x5F,
69 0xB1, 0x17, 0xF4, 0xBC, 0xD3, 0x46, 0xCF, 0x37, 0x5E, 0x47, 0x94, 0xFA, 0xFC, 0x5B, 0x97, 0xFE, 0x5A, 0xAC, 0x3C,
70 0x4C, 0x03, 0x35, 0xF3, 0x23, 0xB8, 0x5D, 0x6A, 0x92, 0xD5, 0x21, 0x44, 0x51, 0xC6, 0x7D, 0x39, 0x83, 0xDC, 0xAA,
71 0x7C, 0x77, 0x56, 0x05, 0x1B, 0xA4, 0x15, 0x34, 0x1E, 0x1C, 0xF8, 0x52, 0x20, 0x14, 0xE9, 0xBD, 0xDD, 0xE4, 0xA1,
72 0xE0, 0x8A, 0xF1, 0xD6, 0x7A, 0xBB, 0xE3, 0x40, 0x4F};
73
74// SBOX4[x] = SBOX1[rotl<1>(x)]
75alignas(256) const uint8_t SBOX4[256] = {
76 0x70, 0x2C, 0xB3, 0xC0, 0xE4, 0x57, 0xEA, 0xAE, 0x23, 0x6B, 0x45, 0xA5, 0xED, 0x4F, 0x1D, 0x92, 0x86, 0xAF, 0x7C,
77 0x1F, 0x3E, 0xDC, 0x5E, 0x0B, 0xA6, 0x39, 0xD5, 0x5D, 0xD9, 0x5A, 0x51, 0x6C, 0x8B, 0x9A, 0xFB, 0xB0, 0x74, 0x2B,
78 0xF0, 0x84, 0xDF, 0xCB, 0x34, 0x76, 0x6D, 0xA9, 0xD1, 0x04, 0x14, 0x3A, 0xDE, 0x11, 0x32, 0x9C, 0x53, 0xF2, 0xFE,
79 0xCF, 0xC3, 0x7A, 0x24, 0xE8, 0x60, 0x69, 0xAA, 0xA0, 0xA1, 0x62, 0x54, 0x1E, 0xE0, 0x64, 0x10, 0x00, 0xA3, 0x75,
80 0x8A, 0xE6, 0x09, 0xDD, 0x87, 0x83, 0xCD, 0x90, 0x73, 0xF6, 0x9D, 0xBF, 0x52, 0xD8, 0xC8, 0xC6, 0x81, 0x6F, 0x13,
81 0x63, 0xE9, 0xA7, 0x9F, 0xBC, 0x29, 0xF9, 0x2F, 0xB4, 0x78, 0x06, 0xE7, 0x71, 0xD4, 0xAB, 0x88, 0x8D, 0x72, 0xB9,
82 0xF8, 0xAC, 0x36, 0x2A, 0x3C, 0xF1, 0x40, 0xD3, 0xBB, 0x43, 0x15, 0xAD, 0x77, 0x80, 0x82, 0xEC, 0x27, 0xE5, 0x85,
83 0x35, 0x0C, 0x41, 0xEF, 0x93, 0x19, 0x21, 0x0E, 0x4E, 0x65, 0xBD, 0xB8, 0x8F, 0xEB, 0xCE, 0x30, 0x5F, 0xC5, 0x1A,
84 0xE1, 0xCA, 0x47, 0x3D, 0x01, 0xD6, 0x56, 0x4D, 0x0D, 0x66, 0xCC, 0x2D, 0x12, 0x20, 0xB1, 0x99, 0x4C, 0xC2, 0x7E,
85 0x05, 0xB7, 0x31, 0x17, 0xD7, 0x58, 0x61, 0x1B, 0x1C, 0x0F, 0x16, 0x18, 0x22, 0x44, 0xB2, 0xB5, 0x91, 0x08, 0xA8,
86 0xFC, 0x50, 0xD0, 0x7D, 0x89, 0x97, 0x5B, 0x95, 0xFF, 0xD2, 0xC4, 0x48, 0xF7, 0xDB, 0x03, 0xDA, 0x3F, 0x94, 0x5C,
87 0x02, 0x4A, 0x33, 0x67, 0xF3, 0x7F, 0xE2, 0x9B, 0x26, 0x37, 0x3B, 0x96, 0x4B, 0xBE, 0x2E, 0x79, 0x8C, 0x6E, 0x8E,
88 0xF5, 0xB6, 0xFD, 0x59, 0x98, 0x6A, 0x46, 0xBA, 0x25, 0x42, 0xA2, 0xFA, 0x07, 0x55, 0xEE, 0x0A, 0x49, 0x68, 0x38,
89 0xA4, 0x28, 0x7B, 0xC9, 0xC1, 0xE3, 0xF4, 0xC7, 0x9E};
90
91uint64_t F(uint64_t v, uint64_t K) {
92 const uint64_t M1 = 0x0101010001000001;
93 const uint64_t M2 = 0x0001010101010000;
94 const uint64_t M3 = 0x0100010100010100;
95 const uint64_t M4 = 0x0101000100000101;
96 const uint64_t M5 = 0x0001010100010101;
97 const uint64_t M6 = 0x0100010101000101;
98 const uint64_t M7 = 0x0101000101010001;
99 const uint64_t M8 = 0x0101010001010100;
100
101 const uint64_t x = v ^ K;
102
103 const uint64_t Z1 = M1 * SBOX1[get_byte<0>(x)];
104 const uint64_t Z2 = M2 * SBOX2[get_byte<1>(x)];
105 const uint64_t Z3 = M3 * SBOX3[get_byte<2>(x)];
106 const uint64_t Z4 = M4 * SBOX4[get_byte<3>(x)];
107 const uint64_t Z5 = M5 * SBOX2[get_byte<4>(x)];
108 const uint64_t Z6 = M6 * SBOX3[get_byte<5>(x)];
109 const uint64_t Z7 = M7 * SBOX4[get_byte<6>(x)];
110 const uint64_t Z8 = M8 * SBOX1[get_byte<7>(x)];
111
112 return Z1 ^ Z2 ^ Z3 ^ Z4 ^ Z5 ^ Z6 ^ Z7 ^ Z8;
113}
114
115inline uint64_t FL(uint64_t v, uint64_t K) {
116 uint32_t x1 = static_cast<uint32_t>(v >> 32);
117 uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
118
119 const uint32_t k1 = static_cast<uint32_t>(K >> 32);
120 const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
121
122 x2 ^= rotl<1>(x1 & k1);
123 x1 ^= (x2 | k2);
124
125 return ((static_cast<uint64_t>(x1) << 32) | x2);
126}
127
128inline uint64_t FLINV(uint64_t v, uint64_t K) {
129 uint32_t x1 = static_cast<uint32_t>(v >> 32);
130 uint32_t x2 = static_cast<uint32_t>(v & 0xFFFFFFFF);
131
132 const uint32_t k1 = static_cast<uint32_t>(K >> 32);
133 const uint32_t k2 = static_cast<uint32_t>(K & 0xFFFFFFFF);
134
135 x1 ^= (x2 | k2);
136 x2 ^= rotl<1>(x1 & k1);
137
138 return ((static_cast<uint64_t>(x1) << 32) | x2);
139}
140
141/*
142* Camellia Encryption
143*/
144void encrypt(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint64_t>& SK, size_t rounds) {
145 prefetch_arrays(SBOX1, SBOX2, SBOX3, SBOX4);
146
147 for(size_t i = 0; i < blocks; ++i) {
148 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
149 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
150
151 const uint64_t* K = SK.data();
152
153 D1 ^= *K++;
154 D2 ^= *K++;
155
156 D2 ^= F(D1, *K++);
157 D1 ^= F(D2, *K++);
158
159 for(size_t r = 1; r != rounds - 1; ++r) {
160 if(r % 3 == 0) {
161 D1 = FL(D1, *K++);
162 D2 = FLINV(D2, *K++);
163 }
164
165 D2 ^= F(D1, *K++);
166 D1 ^= F(D2, *K++);
167 }
168
169 D2 ^= F(D1, *K++);
170 D1 ^= F(D2, *K++);
171
172 D2 ^= *K++;
173 D1 ^= *K++;
174
175 store_be(out + 16 * i, D2, D1);
176 }
177}
178
179/*
180* Camellia Decryption
181*/
182void decrypt(const uint8_t in[], uint8_t out[], size_t blocks, const secure_vector<uint64_t>& SK, size_t rounds) {
183 prefetch_arrays(SBOX1, SBOX2, SBOX3, SBOX4);
184
185 for(size_t i = 0; i < blocks; ++i) {
186 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
187 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
188
189 const uint64_t* K = &SK[SK.size() - 1];
190
191 D2 ^= *K--;
192 D1 ^= *K--;
193
194 D2 ^= F(D1, *K--);
195 D1 ^= F(D2, *K--);
196
197 for(size_t r = 1; r != rounds - 1; ++r) {
198 if(r % 3 == 0) {
199 D1 = FL(D1, *K--);
200 D2 = FLINV(D2, *K--);
201 }
202
203 D2 ^= F(D1, *K--);
204 D1 ^= F(D2, *K--);
205 }
206
207 D2 ^= F(D1, *K--);
208 D1 ^= F(D2, *K--);
209
210 D1 ^= *K--;
211 D2 ^= *K;
212
213 store_be(out + 16 * i, D2, D1);
214 }
215}
216
217inline uint64_t left_rot_hi(uint64_t h, uint64_t l, size_t shift) {
218 if(shift >= 64) {
219 shift -= 64;
220 }
221 return (h << shift) | (l >> (64 - shift));
222}
223
224inline uint64_t left_rot_lo(uint64_t h, uint64_t l, size_t shift) {
225 if(shift >= 64) {
226 shift -= 64;
227 }
228 return (h >> (64 - shift)) | (l << shift);
229}
230
231/*
232* Camellia Key Schedule
233*/
234void key_schedule(secure_vector<uint64_t>& SK, std::span<const uint8_t> key) {
235 const uint64_t Sigma1 = 0xA09E667F3BCC908B;
236 const uint64_t Sigma2 = 0xB67AE8584CAA73B2;
237 const uint64_t Sigma3 = 0xC6EF372FE94F82BE;
238 const uint64_t Sigma4 = 0x54FF53A5F1D36F1C;
239 const uint64_t Sigma5 = 0x10E527FADE682D1D;
240 const uint64_t Sigma6 = 0xB05688C2B3E6C1FD;
241
242 const uint64_t KL_H = load_be<uint64_t>(key.data(), 0);
243 const uint64_t KL_L = load_be<uint64_t>(key.data(), 1);
244
245 const uint64_t KR_H = (key.size() >= 24) ? load_be<uint64_t>(key.data(), 2) : 0;
246
247 const uint64_t KR_L = [&]() -> uint64_t {
248 if(key.size() == 32) {
249 return load_be<uint64_t>(key.data(), 3);
250 } else if(key.size() == 24) {
251 return ~KR_H;
252 } else {
253 return 0;
254 }
255 }();
256
257 uint64_t D1 = KL_H ^ KR_H;
258 uint64_t D2 = KL_L ^ KR_L;
259 D2 ^= F(D1, Sigma1);
260 D1 ^= F(D2, Sigma2);
261 D1 ^= KL_H;
262 D2 ^= KL_L;
263 D2 ^= F(D1, Sigma3);
264 D1 ^= F(D2, Sigma4);
265
266 const uint64_t KA_H = D1;
267 const uint64_t KA_L = D2;
268
269 D1 = KA_H ^ KR_H;
270 D2 = KA_L ^ KR_L;
271 D2 ^= F(D1, Sigma5);
272 D1 ^= F(D2, Sigma6);
273
274 const uint64_t KB_H = D1;
275 const uint64_t KB_L = D2;
276
277 if(key.size() == 16) {
278 SK.resize(26);
279
280 SK[0] = KL_H;
281 SK[1] = KL_L;
282 SK[2] = KA_H;
283 SK[3] = KA_L;
284 SK[4] = left_rot_hi(KL_H, KL_L, 15);
285 SK[5] = left_rot_lo(KL_H, KL_L, 15);
286 SK[6] = left_rot_hi(KA_H, KA_L, 15);
287 SK[7] = left_rot_lo(KA_H, KA_L, 15);
288 SK[8] = left_rot_hi(KA_H, KA_L, 30);
289 SK[9] = left_rot_lo(KA_H, KA_L, 30);
290 SK[10] = left_rot_hi(KL_H, KL_L, 45);
291 SK[11] = left_rot_lo(KL_H, KL_L, 45);
292 SK[12] = left_rot_hi(KA_H, KA_L, 45);
293 SK[13] = left_rot_lo(KL_H, KL_L, 60);
294 SK[14] = left_rot_hi(KA_H, KA_L, 60);
295 SK[15] = left_rot_lo(KA_H, KA_L, 60);
296 SK[16] = left_rot_lo(KL_H, KL_L, 77);
297 SK[17] = left_rot_hi(KL_H, KL_L, 77);
298 SK[18] = left_rot_lo(KL_H, KL_L, 94);
299 SK[19] = left_rot_hi(KL_H, KL_L, 94);
300 SK[20] = left_rot_lo(KA_H, KA_L, 94);
301 SK[21] = left_rot_hi(KA_H, KA_L, 94);
302 SK[22] = left_rot_lo(KL_H, KL_L, 111);
303 SK[23] = left_rot_hi(KL_H, KL_L, 111);
304 SK[24] = left_rot_lo(KA_H, KA_L, 111);
305 SK[25] = left_rot_hi(KA_H, KA_L, 111);
306 } else {
307 SK.resize(34);
308
309 SK[0] = KL_H;
310 SK[1] = KL_L;
311 SK[2] = KB_H;
312 SK[3] = KB_L;
313
314 SK[4] = left_rot_hi(KR_H, KR_L, 15);
315 SK[5] = left_rot_lo(KR_H, KR_L, 15);
316 SK[6] = left_rot_hi(KA_H, KA_L, 15);
317 SK[7] = left_rot_lo(KA_H, KA_L, 15);
318
319 SK[8] = left_rot_hi(KR_H, KR_L, 30);
320 SK[9] = left_rot_lo(KR_H, KR_L, 30);
321 SK[10] = left_rot_hi(KB_H, KB_L, 30);
322 SK[11] = left_rot_lo(KB_H, KB_L, 30);
323
324 SK[12] = left_rot_hi(KL_H, KL_L, 45);
325 SK[13] = left_rot_lo(KL_H, KL_L, 45);
326 SK[14] = left_rot_hi(KA_H, KA_L, 45);
327 SK[15] = left_rot_lo(KA_H, KA_L, 45);
328
329 SK[16] = left_rot_hi(KL_H, KL_L, 60);
330 SK[17] = left_rot_lo(KL_H, KL_L, 60);
331 SK[18] = left_rot_hi(KR_H, KR_L, 60);
332 SK[19] = left_rot_lo(KR_H, KR_L, 60);
333 SK[20] = left_rot_hi(KB_H, KB_L, 60);
334 SK[21] = left_rot_lo(KB_H, KB_L, 60);
335
336 SK[22] = left_rot_lo(KL_H, KL_L, 77);
337 SK[23] = left_rot_hi(KL_H, KL_L, 77);
338 SK[24] = left_rot_lo(KA_H, KA_L, 77);
339 SK[25] = left_rot_hi(KA_H, KA_L, 77);
340
341 SK[26] = left_rot_lo(KR_H, KR_L, 94);
342 SK[27] = left_rot_hi(KR_H, KR_L, 94);
343 SK[28] = left_rot_lo(KA_H, KA_L, 94);
344 SK[29] = left_rot_hi(KA_H, KA_L, 94);
345 SK[30] = left_rot_lo(KL_H, KL_L, 111);
346 SK[31] = left_rot_hi(KL_H, KL_L, 111);
347 SK[32] = left_rot_lo(KB_H, KB_L, 111);
348 SK[33] = left_rot_hi(KB_H, KB_L, 111);
349 }
350}
351
352std::string provider() {
353#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
354 if(auto feat = CPUID::check(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
355 return *feat;
356 }
357#endif
358
359#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
360 if(auto feat = CPUID::check(CPUID::Feature::GFNI)) {
361 return *feat;
362 }
363#endif
364
365 return "base";
366}
367
368size_t parallelism() {
369#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
370 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
371 return 16;
372 }
373#endif
374
375#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
376 if(CPUID::has(CPUID::Feature::GFNI)) {
377 return 4;
378 }
379#endif
380
381 return 1;
382}
383
384} // namespace Camellia_F
385
386} // namespace
387
388void Camellia_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
389 assert_key_material_set();
390
391#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
392 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
393 return avx512_gfni_encrypt(in, out, blocks, m_SK);
394 }
395#endif
396
397#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
398 if(CPUID::has(CPUID::Feature::GFNI)) {
399 return avx2_gfni_encrypt(in, out, blocks, m_SK);
400 }
401#endif
402
403 Camellia_F::encrypt(in, out, blocks, m_SK, 9);
404}
405
406void Camellia_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
407 assert_key_material_set();
408
409#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
410 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
411 return avx512_gfni_encrypt(in, out, blocks, m_SK);
412 }
413#endif
414
415#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
416 if(CPUID::has(CPUID::Feature::GFNI)) {
417 return avx2_gfni_encrypt(in, out, blocks, m_SK);
418 }
419#endif
420
421 Camellia_F::encrypt(in, out, blocks, m_SK, 12);
422}
423
424void Camellia_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
425 assert_key_material_set();
426
427#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
428 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
429 return avx512_gfni_encrypt(in, out, blocks, m_SK);
430 }
431#endif
432
433#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
434 if(CPUID::has(CPUID::Feature::GFNI)) {
435 return avx2_gfni_encrypt(in, out, blocks, m_SK);
436 }
437#endif
438
439 Camellia_F::encrypt(in, out, blocks, m_SK, 12);
440}
441
442void Camellia_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
443 assert_key_material_set();
444
445#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
446 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
447 return avx512_gfni_decrypt(in, out, blocks, m_SK);
448 }
449#endif
450
451#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
452 if(CPUID::has(CPUID::Feature::GFNI)) {
453 return avx2_gfni_decrypt(in, out, blocks, m_SK);
454 }
455#endif
456
457 Camellia_F::decrypt(in, out, blocks, m_SK, 9);
458}
459
460void Camellia_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
461 assert_key_material_set();
462
463#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
464 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
465 return avx512_gfni_decrypt(in, out, blocks, m_SK);
466 }
467#endif
468
469#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
470 if(CPUID::has(CPUID::Feature::GFNI)) {
471 return avx2_gfni_decrypt(in, out, blocks, m_SK);
472 }
473#endif
474
475 Camellia_F::decrypt(in, out, blocks, m_SK, 12);
476}
477
478void Camellia_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
479 assert_key_material_set();
480
481#if defined(BOTAN_HAS_CAMELLIA_AVX512_GFNI)
482 if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::GFNI)) {
483 return avx512_gfni_decrypt(in, out, blocks, m_SK);
484 }
485#endif
486
487#if defined(BOTAN_HAS_CAMELLIA_AVX2_GFNI)
488 if(CPUID::has(CPUID::Feature::GFNI)) {
489 return avx2_gfni_decrypt(in, out, blocks, m_SK);
490 }
491#endif
492
493 Camellia_F::decrypt(in, out, blocks, m_SK, 12);
494}
495
496bool Camellia_128::has_keying_material() const {
497 return !m_SK.empty();
498}
499
500bool Camellia_192::has_keying_material() const {
501 return !m_SK.empty();
502}
503
504bool Camellia_256::has_keying_material() const {
505 return !m_SK.empty();
506}
507
508void Camellia_128::key_schedule(std::span<const uint8_t> key) {
509 Camellia_F::key_schedule(m_SK, key);
510}
511
512void Camellia_192::key_schedule(std::span<const uint8_t> key) {
513 Camellia_F::key_schedule(m_SK, key);
514}
515
516void Camellia_256::key_schedule(std::span<const uint8_t> key) {
517 Camellia_F::key_schedule(m_SK, key);
518}
519
520void Camellia_128::clear() {
521 zap(m_SK);
522}
523
524void Camellia_192::clear() {
525 zap(m_SK);
526}
527
528void Camellia_256::clear() {
529 zap(m_SK);
530}
531
532std::string Camellia_128::provider() const {
533 return Camellia_F::provider();
534}
535
536std::string Camellia_192::provider() const {
537 return Camellia_F::provider();
538}
539
540std::string Camellia_256::provider() const {
541 return Camellia_F::provider();
542}
543
544size_t Camellia_128::parallelism() const {
545 return Camellia_F::parallelism();
546}
547
548size_t Camellia_192::parallelism() const {
549 return Camellia_F::parallelism();
550}
551
552size_t Camellia_256::parallelism() const {
553 return Camellia_F::parallelism();
554}
555
556} // namespace Botan
Botan::CPUID::check
static std::optional< std::string > check(CPUID::Feature feat)
Definition cpuid.h:67
Botan::CPUID::has
static bool has(CPUID::Feature feat)
Definition cpuid.h:94
Botan::Camellia_128::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:442
Botan::Camellia_128::clear
void clear() override
Definition camellia.cpp:520
Botan::Camellia_128::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:496
Botan::Camellia_128::parallelism
size_t parallelism() const override
Definition camellia.cpp:544
Botan::Camellia_128::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:388
Botan::Camellia_128::provider
std::string provider() const override
Definition camellia.cpp:532
Botan::Camellia_192::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:406
Botan::Camellia_192::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:500
Botan::Camellia_192::provider
std::string provider() const override
Definition camellia.cpp:536
Botan::Camellia_192::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:460
Botan::Camellia_192::parallelism
size_t parallelism() const override
Definition camellia.cpp:548
Botan::Camellia_192::clear
void clear() override
Definition camellia.cpp:524
Botan::Camellia_256::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:478
Botan::Camellia_256::has_keying_material
bool has_keying_material() const override
Definition camellia.cpp:504
Botan::Camellia_256::provider
std::string provider() const override
Definition camellia.cpp:540
Botan::Camellia_256::parallelism
size_t parallelism() const override
Definition camellia.cpp:552
Botan::Camellia_256::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition camellia.cpp:424
Botan::Camellia_256::clear
void clear() override
Definition camellia.cpp:528
Botan::Camellia_F
Definition camellia.cpp:22
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:133
Botan::prefetch_arrays
T prefetch_arrays(T(&... arr)[Ns]) noexcept
Definition prefetch.h:34
Botan::rotl
BOTAN_FORCE_INLINE constexpr T rotl(T input)
Definition rotate.h:23
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504
Generated by doxygen 1.15.0