1/*
2* IDEA
3* (C) 1999-2010,2015 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/idea.h>
9
10#include <botan/internal/ct_utils.h>
11#include <botan/internal/loadstor.h>
12
13#if defined(BOTAN_HAS_CPUID)
14 #include <botan/internal/cpuid.h>
15#endif
16
17namespace Botan {
18
19namespace {
20
/*
* Multiplication modulo 65537, as used by IDEA. A 16-bit word of 0 is
* treated as the value 65536 (the usual IDEA convention).
*
* The reduction is branch-free: the "product wrapped to zero" case is
* detected with ct_is_zero() and the result is picked with choose() on
* that mask, so the operation sequence does not depend on x or y.
*/
inline uint16_t mul(uint16_t x, uint16_t y) {
   const uint32_t prod = static_cast<uint32_t>(x) * y;
   // All-ones when prod == 0, i.e. when x or y encodes 65536
   const uint16_t zero_mask = static_cast<uint16_t>(ct_is_zero(prod));

   // Reduce modulo 65537 = 2^16 + 1: high half subtracted from low half, twice
   const uint32_t partial = (prod & 0xFFFF) - (prod >> 16);
   const uint16_t reduced = static_cast<uint16_t>(partial - (partial >> 16));

   // Value for the wrapped case: (1 - x - y) mod 2^16
   const uint16_t wrapped = 1 - x - y;

   return choose(zero_mask, wrapped, reduced);
}
34
/*
* Multiplicative inverse modulo 65537
*
* 65537 is prime, so Fermat's little theorem gives x^65537 == x (mod 65537)
* and therefore x^(65537-2) == x^-1 (mod 65537), since x^(65537-2) * x == 1.
*
* The exponent 65535 = 2^16 - 1 has every bit set, so a square-and-multiply
* never skips the multiply step: the sequence of mul() calls is the same for
* every input.
*/
uint16_t mul_inv(uint16_t x) {
   // Invariant: after k rounds acc == x^(2^(k+1) - 1); 15 rounds give x^65535
   uint16_t acc = x;
   size_t rounds_left = 15;

   while(rounds_left-- != 0) {
      acc = mul(acc, acc);  // square
      acc = mul(acc, x);    // multiply (exponent bit is always 1)
   }

   return acc;
}
56
/**
* IDEA is involutional, depending only on the key schedule
*
* Transforms `blocks` consecutive 8-byte blocks from `in` to `out` using the
* 52 subkeys in K; with the encryption schedule this encrypts, with the
* decryption schedule it decrypts. in == out is fine, because each block is
* fully loaded into X1..X4 before any of its output is stored.
*
* CT::poison()/unpoison() bracket the work so that, when Botan's constant-time
* checking is enabled, the key and data buffers are treated as secret;
* mul() itself is branch-free.
*/
void idea_op(const uint8_t in[], uint8_t out[], size_t blocks, const uint16_t K[52]) {
   const size_t BLOCK_SIZE = 8;

   CT::poison(in, blocks * 8);
   CT::poison(out, blocks * 8);
   CT::poison(K, 52);

   for(size_t i = 0; i < blocks; ++i) {
      // The block as four big-endian 16-bit words
      uint16_t X1 = 0;
      uint16_t X2 = 0;
      uint16_t X3 = 0;
      uint16_t X4 = 0;
      load_be(in + BLOCK_SIZE * i, X1, X2, X3, X4);

      // Eight full rounds, six subkeys each: two multiplicative, two
      // additive, then two multiplicative in the mixing step
      for(size_t j = 0; j != 8; ++j) {
         X1 = mul(X1, K[6 * j + 0]);
         X2 += K[6 * j + 1];
         X3 += K[6 * j + 2];
         X4 = mul(X4, K[6 * j + 3]);

         // Mixing step on (X1 ^ X3) and (X2 ^ X4); T0/T1 keep the pre-mix
         // middle words so they can be folded back in below
         const uint16_t T0 = X3;
         X3 = mul(X3 ^ X1, K[6 * j + 4]);

         const uint16_t T1 = X2;
         X2 = mul((X2 ^ X4) + X3, K[6 * j + 5]);
         X3 += X2;

         X1 ^= X2;
         X4 ^= X3;
         // Folding T0 into X2 and T1 into X3 leaves the two middle words
         // swapped relative to their round-input positions
         X2 ^= T0;
         X3 ^= T1;
      }

      // Output transformation with K[48..51]. Because the middle words are
      // swapped after the last round, K[49] is added to X3 and K[50] to X2,
      // and the words are stored in the order X1, X3, X2, X4 to undo the swap.
      X1 = mul(X1, K[48]);
      X2 += K[50];
      X3 += K[49];
      X4 = mul(X4, K[51]);

      store_be(out + BLOCK_SIZE * i, X1, X3, X2, X4);
   }

   CT::unpoison(in, blocks * 8);
   CT::unpoison(out, blocks * 8);
   CT::unpoison(K, 52);
}
105
106} // namespace
107
/*
* Preferred number of blocks per encrypt_n/decrypt_n call: the width of the
* widest SIMD implementation this CPU supports, or 1 for the portable code.
*/
size_t IDEA::parallelism() const {
   size_t width = 1;

#if defined(BOTAN_HAS_IDEA_SSE2)
   if(CPUID::has(CPUID::Feature::SSE2)) {
      width = 8;  // sse2_idea_op_8 processes 8 blocks at a time
   }
#endif

#if defined(BOTAN_HAS_IDEA_AVX2)
   if(CPUID::has(CPUID::Feature::AVX2)) {
      width = 16;  // avx2_idea_op_16 processes 16 blocks at a time; wins over SSE2
   }
#endif

   return width;
}
123
/*
* Name of the implementation encrypt_n/decrypt_n will use on this CPU: the
* string CPUID::check() reports for the SIMD feature, or "base" for the
* portable implementation.
*/
std::string IDEA::provider() const {
#if defined(BOTAN_HAS_IDEA_AVX2)
   const auto avx2 = CPUID::check(CPUID::Feature::AVX2);
   if(avx2.has_value()) {
      return avx2.value();
   }
#endif

#if defined(BOTAN_HAS_IDEA_SSE2)
   const auto sse2 = CPUID::check(CPUID::Feature::SSE2);
   if(sse2.has_value()) {
      return sse2.value();
   }
#endif

   return "base";
}
139
/*
* IDEA Encryption
*
* Consumes as many blocks as possible with the widest available SIMD path
* (16 at a time with AVX2, then 8 at a time with SSE2) and hands whatever is
* left to the portable idea_op(). Every path uses the encryption subkeys m_EK.
*/
void IDEA::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
   constexpr size_t BLOCK_SIZE = 8;
   const uint16_t* EK = m_EK.data();

#if defined(BOTAN_HAS_IDEA_AVX2)
   if(CPUID::has(CPUID::Feature::AVX2)) {
      for(; blocks >= 16; blocks -= 16) {
         avx2_idea_op_16(in, out, EK);
         in += 16 * BLOCK_SIZE;
         out += 16 * BLOCK_SIZE;
      }
   }
#endif

#if defined(BOTAN_HAS_IDEA_SSE2)
   if(CPUID::has(CPUID::Feature::SSE2)) {
      for(; blocks >= 8; blocks -= 8) {
         sse2_idea_op_8(in, out, EK);
         in += 8 * BLOCK_SIZE;
         out += 8 * BLOCK_SIZE;
      }
   }
#endif

   // Remaining tail (fewer than 8 blocks, or everything without SIMD)
   idea_op(in, out, blocks, EK);
}
170
/*
* IDEA Decryption
*
* Same dispatch as encrypt_n() — widest SIMD path first, portable idea_op()
* for the tail — but with the decryption subkeys m_DK; the round function
* itself is identical since IDEA is involutional.
*/
void IDEA::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
   constexpr size_t BLOCK_SIZE = 8;
   const uint16_t* DK = m_DK.data();

#if defined(BOTAN_HAS_IDEA_AVX2)
   if(CPUID::has(CPUID::Feature::AVX2)) {
      for(; blocks >= 16; blocks -= 16) {
         avx2_idea_op_16(in, out, DK);
         in += 16 * BLOCK_SIZE;
         out += 16 * BLOCK_SIZE;
      }
   }
#endif

#if defined(BOTAN_HAS_IDEA_SSE2)
   if(CPUID::has(CPUID::Feature::SSE2)) {
      for(; blocks >= 8; blocks -= 8) {
         sse2_idea_op_8(in, out, DK);
         in += 8 * BLOCK_SIZE;
         out += 8 * BLOCK_SIZE;
      }
   }
#endif

   // Remaining tail (fewer than 8 blocks, or everything without SIMD)
   idea_op(in, out, blocks, DK);
}
201
/*
* True once key_schedule() has populated the subkeys; clear() zaps m_EK,
* after which this reports false again.
*/
bool IDEA::has_keying_material() const {
   return m_EK.size() != 0;
}
205
/*
* IDEA Key Schedule
*
* Derives the 52 encryption subkeys from the 128-bit key by emitting its
* eight 16-bit words and then rotating the whole key left by 25 bits,
* six times over, plus four words from the final rotation. The decryption
* subkeys are then the encryption subkeys of the rounds in reverse order,
* with multiplicative keys inverted mod 65537 and additive keys negated
* mod 2^16.
*
* NOTE(review): a 16-byte key is assumed here (key.size() is not checked);
* presumably the caller's key-length validation guarantees it — confirm.
*/
void IDEA::key_schedule(std::span<const uint8_t> key) {
   m_EK.resize(52);
   m_DK.resize(52);

   CT::poison(key.data(), 16);
   CT::poison(m_EK.data(), 52);
   CT::poison(m_DK.data(), 52);

   // The key as two big-endian 64-bit halves, high half first
   uint64_t key_hi = load_be<uint64_t>(key.data(), 0);
   uint64_t key_lo = load_be<uint64_t>(key.data(), 1);

   // Write `count` 16-bit words of `half` into m_EK starting at `at`,
   // most significant word first
   const auto emit_words = [this](size_t at, uint64_t half, size_t count) {
      for(size_t w = 0; w != count; ++w) {
         m_EK[at + w] = static_cast<uint16_t>(half >> (48 - 16 * w));
      }
   };

   for(size_t off = 0; off != 48; off += 8) {
      emit_words(off, key_hi, 4);
      emit_words(off + 4, key_lo, 4);

      // Rotate the 128-bit key left by 25 bits: the top 25 bits of each
      // half move to the bottom of the other half
      const uint64_t carry_hi = key_hi >> 39;
      const uint64_t carry_lo = key_lo >> 39;
      key_hi = (key_hi << 25) | carry_lo;
      key_lo = (key_lo << 25) | carry_hi;
   }

   // Subkeys 48..51 (output transformation) come from the high half only
   emit_words(48, key_hi, 4);

   // Additive inverse mod 2^16 of an additive subkey
   const auto neg = [](uint16_t v) { return static_cast<uint16_t>(-v); };

   // Decryption starts by undoing the encryption output transformation
   m_DK[0] = mul_inv(m_EK[48]);
   m_DK[1] = neg(m_EK[49]);
   m_DK[2] = neg(m_EK[50]);
   m_DK[3] = mul_inv(m_EK[51]);

   // Decryption round r reuses encryption round (7 - r): the two mixing keys
   // unchanged, the multiplicative keys inverted, the additive keys negated
   // and swapped with each other
   for(size_t r = 0; r != 8; ++r) {
      const size_t d = 6 * r;       // start of this decryption round in m_DK
      const size_t e = 42 - 6 * r;  // start of the matching encryption round in m_EK
      m_DK[d + 4] = m_EK[e + 4];
      m_DK[d + 5] = m_EK[e + 5];
      m_DK[d + 6] = mul_inv(m_EK[e]);
      m_DK[d + 7] = neg(m_EK[e + 2]);
      m_DK[d + 8] = neg(m_EK[e + 1]);
      m_DK[d + 9] = mul_inv(m_EK[e + 3]);
   }

   // m_DK[48..51] serve as the decryption output transformation, whose
   // additive keys are not swapped, so undo the swap for that last entry
   std::swap(m_DK[49], m_DK[50]);

   CT::unpoison(key.data(), 16);
   CT::unpoison(m_EK.data(), 52);
   CT::unpoison(m_DK.data(), 52);
}
258
/*
* Scrub both subkey arrays with zap() so no key material lingers in memory;
* the object must be re-keyed before it can be used again.
*/
void IDEA::clear() {
   for(auto* schedule : {&m_EK, &m_DK}) {
      zap(*schedule);
   }
}
263
264} // namespace Botan