Botan 3.5.0
Crypto and TLS for C&
kuznyechik.cpp
Go to the documentation of this file.
1/*
2* GOST R 34.12-2015: Block Cipher "Kuznyechik" (RFC 7801)
3* (C) 2023 Richard Huveneers
4* 2024 Jack Lloyd
5*
6* This code is written by kerukuro for cppcrypto library (http://cppcrypto.sourceforge.net/)
7* and released into public domain.
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/internal/kuznyechik.h>
13
14#include <botan/mem_ops.h>
15#include <botan/internal/loadstor.h>
16
17namespace Botan {
18
19namespace {
20
21namespace Kuznyechik_F {
22
23alignas(256) const constexpr uint8_t S[256] = {
24 252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250, 218, 35, 197, 4, 77, 233, 119, 240, 219, 147, 46,
25 153, 186, 23, 54, 241, 187, 20, 205, 95, 193, 249, 24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66,
26 139, 1, 142, 79, 5, 132, 2, 174, 227, 106, 143, 160, 6, 11, 237, 152, 127, 212, 211, 31, 235, 52,
27 44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253, 58, 206, 204, 181, 112, 14, 86, 8, 12, 118, 18,
28 191, 114, 19, 71, 156, 183, 93, 135, 21, 161, 150, 41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158,
29 178, 177, 50, 117, 25, 61, 255, 53, 138, 126, 109, 84, 198, 128, 195, 189, 13, 87, 223, 245, 36, 169,
30 62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185, 3, 224, 15, 236, 222, 122, 148, 176, 188, 220, 232,
31 40, 80, 78, 51, 10, 74, 167, 151, 96, 115, 30, 0, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65,
32 173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165, 125, 105, 213, 149, 59, 7, 88, 179, 64, 134, 172,
33 29, 247, 48, 55, 107, 228, 136, 217, 231, 137, 225, 27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144,
34 202, 216, 133, 97, 32, 113, 103, 164, 45, 43, 9, 91, 203, 155, 37, 208, 190, 229, 108, 82, 89, 166,
35 116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57, 75, 99, 182};
36
37alignas(256) const constexpr uint8_t IS[256] = {
38 165, 45, 50, 143, 14, 48, 56, 192, 84, 230, 158, 57, 85, 126, 82, 145, 100, 3, 87, 90, 28, 96,
39 7, 24, 33, 114, 168, 209, 41, 198, 164, 63, 224, 39, 141, 12, 130, 234, 174, 180, 154, 99, 73, 229,
40 66, 228, 21, 183, 200, 6, 112, 157, 65, 117, 25, 201, 170, 252, 77, 191, 42, 115, 132, 213, 195, 175,
41 43, 134, 167, 177, 178, 91, 70, 211, 159, 253, 212, 15, 156, 47, 155, 67, 239, 217, 121, 182, 83, 127,
42 193, 240, 35, 231, 37, 94, 181, 30, 162, 223, 166, 254, 172, 34, 249, 226, 74, 188, 53, 202, 238, 120,
43 5, 107, 81, 225, 89, 163, 242, 113, 86, 17, 106, 137, 148, 101, 140, 187, 119, 60, 123, 40, 171, 210,
44 49, 222, 196, 95, 204, 207, 118, 44, 184, 216, 46, 54, 219, 105, 179, 20, 149, 190, 98, 161, 59, 22,
45 102, 233, 92, 108, 109, 173, 55, 97, 75, 185, 227, 186, 241, 160, 133, 131, 218, 71, 197, 176, 51, 250,
46 150, 111, 110, 194, 246, 80, 255, 93, 169, 142, 23, 27, 151, 125, 236, 88, 247, 31, 251, 124, 9, 13,
47 122, 103, 69, 135, 220, 232, 79, 29, 78, 4, 235, 248, 243, 62, 61, 189, 138, 136, 221, 205, 11, 19,
48 152, 2, 147, 128, 144, 208, 36, 52, 203, 237, 244, 206, 153, 16, 68, 64, 146, 58, 1, 38, 18, 26,
49 72, 104, 245, 129, 139, 199, 214, 32, 10, 8, 0, 76, 215, 116};
50
51namespace Kuznyechik_T {
52
53const constexpr uint8_t LINEAR[16] = {
54 0x94, 0x20, 0x85, 0x10, 0xC2, 0xC0, 0x01, 0xFB, 0x01, 0xC0, 0xC2, 0x10, 0x85, 0x20, 0x94, 0x01};
55
56constexpr uint8_t poly_mul(uint8_t x, uint8_t y) {
57 const uint8_t poly = 0xC3;
58
59 uint8_t r = 0;
60 while(x > 0 && y > 0) {
61 if(y & 1) {
62 r ^= x;
63 }
64 x = (x << 1) ^ ((x >> 7) * poly);
65 y >>= 1;
66 }
67 return r;
68}
69
70constexpr uint64_t poly_mul(uint64_t x, uint8_t y) {
71 const uint64_t lo_bit = 0x0101010101010101;
72 const uint64_t mask = 0x7F7F7F7F7F7F7F7F;
73 const uint64_t poly = 0xC3;
74
75 uint64_t r = 0;
76 while(x > 0 && y > 0) {
77 if(y & 1) {
78 r ^= x;
79 }
80 x = ((x & mask) << 1) ^ (((x >> 7) & lo_bit) * poly);
81 y >>= 1;
82 }
83 return r;
84}
85
86consteval std::array<uint64_t, 16 * 256 * 2> T_table(bool forward) {
87 std::array<uint8_t, 256> L = {};
88
89 for(size_t i = 0; i != 16; ++i) {
90 L[i] = LINEAR[i];
91 if(i > 0) {
92 L[17 * i - 1] = 1;
93 }
94 }
95
96 if(!forward) {
97 std::reverse(L.begin(), L.end());
98 }
99
100 auto sqr_matrix = [](std::span<const uint8_t, 256> mat) {
101 std::array<uint8_t, 256> res = {};
102 for(size_t i = 0; i != 16; ++i) {
103 for(size_t j = 0; j != 16; ++j) {
104 for(size_t k = 0; k != 16; ++k) {
105 res[16 * i + j] ^= poly_mul(mat[16 * i + k], mat[16 * k + j]);
106 }
107 }
108 }
109 return res;
110 };
111
112 for(size_t i = 0; i != 4; ++i) {
113 L = sqr_matrix(L);
114 }
115
116 const auto SB = forward ? S : IS;
117
118 std::array<uint64_t, 16 * 256 * 2> T = {};
119
120 for(size_t i = 0; i != 16; ++i) {
121 uint64_t L_stride_0 = 0;
122 uint64_t L_stride_1 = 0;
123 for(size_t j = 0; j != 8; ++j) {
124 L_stride_0 |= static_cast<uint64_t>(L[i + 16 * j]) << (8 * (j % 8));
125 L_stride_1 |= static_cast<uint64_t>(L[i + 16 * (j + 8)]) << (8 * (j % 8));
126 }
127
128 for(size_t j = 0; j != 256; ++j) {
129 const uint8_t Sj = SB[j];
130 T[512 * i + 2 * j] = poly_mul(L_stride_0, Sj);
131 T[512 * i + 2 * j + 1] = poly_mul(L_stride_1, Sj);
132 }
133 }
134
135 return T;
136}
137
138} // namespace Kuznyechik_T
139
140const constinit auto T = Kuznyechik_T::T_table(true);
141const constinit auto IT = Kuznyechik_T::T_table(false);
142
143const uint64_t C[32][2] = {{0xb87a486c7276a26e, 0x019484dd10bd275d}, {0xb3f490d8e4ec87dc, 0x02ebcb7920b94eba},
144 {0x0b8ed8b4969a25b2, 0x037f4fa4300469e7}, {0xa52be3730b1bcd7b, 0x041555f240b19cb7},
145 {0x1d51ab1f796d6f15, 0x0581d12f500cbbea}, {0x16df73abeff74aa7, 0x06fe9e8b6008d20d},
146 {0xaea53bc79d81e8c9, 0x076a1a5670b5f550}, {0x895605e6163659f6, 0x082aaa2780a1fbad},
147 {0x312c4d8a6440fb98, 0x09be2efa901cdcf0}, {0x3aa2953ef2dade2a, 0x0ac1615ea018b517},
148 {0x82d8dd5280ac7c44, 0x0b55e583b0a5924a}, {0x2c7de6951d2d948d, 0x0c3fffd5c010671a},
149 {0x9407aef96f5b36e3, 0x0dab7b08d0ad4047}, {0x9f89764df9c11351, 0x0ed434ace0a929a0},
150 {0x27f33e218bb7b13f, 0x0f40b071f0140efd}, {0xd1ac0a0f2c6cb22f, 0x1054974ec3813599},
151 {0x69d642635e1a1041, 0x11c01393d33c12c4}, {0x62589ad7c88035f3, 0x12bf5c37e3387b23},
152 {0xda22d2bbbaf6979d, 0x132bd8eaf3855c7e}, {0x7487e97c27777f54, 0x1441c2bc8330a92e},
153 {0xccfda1105501dd3a, 0x15d54661938d8e73}, {0xc77379a4c39bf888, 0x16aa09c5a389e794},
154 {0x7f0931c8b1ed5ae6, 0x173e8d18b334c0c9}, {0x58fa0fe93a5aebd9, 0x187e3d694320ce34},
155 {0xe0804785482c49b7, 0x19eab9b4539de969}, {0xeb0e9f31deb66c05, 0x1a95f6106399808e},
156 {0x5374d75dacc0ce6b, 0x1b0172cd7324a7d3}, {0xfdd1ec9a314126a2, 0x1c6b689b03915283},
157 {0x45aba4f6433784cc, 0x1dffec46132c75de}, {0x4e257c42d5ada17e, 0x1e80a3e223281c39},
158 {0xf65f342ea7db0310, 0x1f14273f33953b64}, {0x619b141e58d8a75e, 0x20a8ed9c45c16af1}};
159
160inline void LS(uint64_t& x1, uint64_t& x2) {
161 uint64_t t1 = 0;
162 uint64_t t2 = 0;
163 for(size_t i = 0; i != 16; ++i) {
164 const uint8_t x = get_byte_var(7 - (i % 8), (i < 8) ? x1 : x2);
165 t1 ^= T[512 * i + 2 * x + 0];
166 t2 ^= T[512 * i + 2 * x + 1];
167 }
168
169 x1 = t1;
170 x2 = t2;
171}
172
173inline void ILS(uint64_t& x1, uint64_t& x2) {
174 uint64_t t1 = 0;
175 uint64_t t2 = 0;
176 for(size_t i = 0; i != 16; ++i) {
177 const uint8_t x = get_byte_var(7 - (i % 8), (i < 8) ? x1 : x2);
178 t1 ^= IT[512 * i + 2 * x + 0];
179 t2 ^= IT[512 * i + 2 * x + 1];
180 }
181 x1 = t1;
182 x2 = t2;
183}
184
185inline void ILSS(uint64_t& x1, uint64_t& x2) {
186 uint64_t t1 = 0;
187 uint64_t t2 = 0;
188 for(size_t i = 0; i != 16; ++i) {
189 const uint8_t x = S[get_byte_var(7 - (i % 8), (i < 8) ? x1 : x2)];
190 t1 ^= IT[512 * i + 2 * x + 0];
191 t2 ^= IT[512 * i + 2 * x + 1];
192 }
193 x1 = t1;
194 x2 = t2;
195}
196
197inline uint64_t ISI(uint64_t val) {
198 uint64_t out = 0;
199 for(size_t i = 0; i != 8; ++i) {
200 out <<= 8;
201 out |= IS[get_byte_var(i, val)];
202 }
203 return out;
204}
205
206} // namespace Kuznyechik_F
207
208} // namespace
209
213
214void Kuznyechik::clear() {
215 secure_scrub_memory(m_rke, sizeof(m_rke));
216 secure_scrub_memory(m_rkd, sizeof(m_rkd));
217 m_has_keying_material = false;
218}
219
220bool Kuznyechik::has_keying_material() const {
221 return m_has_keying_material;
222}
223
224void Kuznyechik::key_schedule(std::span<const uint8_t> key) {
225 using namespace Kuznyechik_F;
226
227 BOTAN_ASSERT_NOMSG(key.size() == 32);
228
229 uint64_t k0 = load_le<uint64_t>(key.data(), 0);
230 uint64_t k1 = load_le<uint64_t>(key.data(), 1);
231 uint64_t k2 = load_le<uint64_t>(key.data(), 2);
232 uint64_t k3 = load_le<uint64_t>(key.data(), 3);
233
234 m_rke[0][0] = k0;
235 m_rke[0][1] = k1;
236 m_rke[1][0] = k2;
237 m_rke[1][1] = k3;
238
239 for(size_t i = 0; i != 4; ++i) {
240 for(size_t r = 0; r != 8; r += 2) {
241 uint64_t t0, t1, t2, t3;
242
243 t0 = k0 ^ C[8 * i + r][0];
244 t1 = k1 ^ C[8 * i + r][1];
245 t2 = k0;
246 t3 = k1;
247 LS(t0, t1);
248 t0 ^= k2;
249 t1 ^= k3;
250
251 k0 = t0 ^ C[8 * i + r + 1][0];
252 k1 = t1 ^ C[8 * i + r + 1][1];
253 k2 = t0;
254 k3 = t1;
255 LS(k0, k1);
256 k0 ^= t2;
257 k1 ^= t3;
258 }
259
260 m_rke[2 * i + 2][0] = k0;
261 m_rke[2 * i + 2][1] = k1;
262 m_rke[2 * i + 3][0] = k2;
263 m_rke[2 * i + 3][1] = k3;
264 }
265
266 for(size_t i = 0; i != 10; i++) {
267 uint64_t t0 = m_rke[i][0];
268 uint64_t t1 = m_rke[i][1];
269
270 if(i > 0) {
271 Kuznyechik_F::ILSS(t0, t1);
272 }
273
274 const size_t dest = 9 - i;
275
276 m_rkd[dest][0] = t0;
277 m_rkd[dest][1] = t1;
278 }
279
280 m_has_keying_material = true;
281}
282
283void Kuznyechik::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
284 assert_key_material_set();
285 while(blocks) {
286 uint64_t x1 = load_le<uint64_t>(in, 0);
287 uint64_t x2 = load_le<uint64_t>(in, 1);
288
289 x1 ^= m_rke[0][0];
290 x2 ^= m_rke[0][1];
291 Kuznyechik_F::LS(x1, x2);
292
293 x1 ^= m_rke[1][0];
294 x2 ^= m_rke[1][1];
295 Kuznyechik_F::LS(x1, x2);
296
297 x1 ^= m_rke[2][0];
298 x2 ^= m_rke[2][1];
299 Kuznyechik_F::LS(x1, x2);
300
301 x1 ^= m_rke[3][0];
302 x2 ^= m_rke[3][1];
303 Kuznyechik_F::LS(x1, x2);
304
305 x1 ^= m_rke[4][0];
306 x2 ^= m_rke[4][1];
307 Kuznyechik_F::LS(x1, x2);
308
309 x1 ^= m_rke[5][0];
310 x2 ^= m_rke[5][1];
311 Kuznyechik_F::LS(x1, x2);
312
313 x1 ^= m_rke[6][0];
314 x2 ^= m_rke[6][1];
315 Kuznyechik_F::LS(x1, x2);
316
317 x1 ^= m_rke[7][0];
318 x2 ^= m_rke[7][1];
319 Kuznyechik_F::LS(x1, x2);
320
321 x1 ^= m_rke[8][0];
322 x2 ^= m_rke[8][1];
323 Kuznyechik_F::LS(x1, x2);
324
325 x1 ^= m_rke[9][0];
326 x2 ^= m_rke[9][1];
327
328 store_le(out, x1, x2);
329
330 in += 16;
331 out += 16;
332 blocks--;
333 }
334}
335
336void Kuznyechik::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
337 assert_key_material_set();
338 while(blocks) {
339 uint64_t x1 = load_le<uint64_t>(in, 0);
340 uint64_t x2 = load_le<uint64_t>(in, 1);
341
342 Kuznyechik_F::ILSS(x1, x2);
343
344 x1 ^= m_rkd[0][0];
345 x2 ^= m_rkd[0][1];
346 Kuznyechik_F::ILS(x1, x2);
347
348 x1 ^= m_rkd[1][0];
349 x2 ^= m_rkd[1][1];
350 Kuznyechik_F::ILS(x1, x2);
351
352 x1 ^= m_rkd[2][0];
353 x2 ^= m_rkd[2][1];
354 Kuznyechik_F::ILS(x1, x2);
355
356 x1 ^= m_rkd[3][0];
357 x2 ^= m_rkd[3][1];
358 Kuznyechik_F::ILS(x1, x2);
359
360 x1 ^= m_rkd[4][0];
361 x2 ^= m_rkd[4][1];
362 Kuznyechik_F::ILS(x1, x2);
363
364 x1 ^= m_rkd[5][0];
365 x2 ^= m_rkd[5][1];
366 Kuznyechik_F::ILS(x1, x2);
367
368 x1 ^= m_rkd[6][0];
369 x2 ^= m_rkd[6][1];
370 Kuznyechik_F::ILS(x1, x2);
371
372 x1 ^= m_rkd[7][0];
373 x2 ^= m_rkd[7][1];
374 Kuznyechik_F::ILS(x1, x2);
375
376 x1 ^= m_rkd[8][0];
377 x2 ^= m_rkd[8][1];
378 x1 = Kuznyechik_F::ISI(x1);
379 x2 = Kuznyechik_F::ISI(x2);
380
381 x1 ^= m_rkd[9][0];
382 x2 ^= m_rkd[9][1];
383
384 store_le(out, x1, x2);
385
386 in += 16;
387 out += 16;
388 blocks--;
389 }
390}
391
392} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
Botan::Kuznyechik::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition kuznyechik.cpp:283
Botan::Kuznyechik::~Kuznyechik
~Kuznyechik() override
Definition kuznyechik.cpp:210
Botan::Kuznyechik::clear
void clear() override
Definition kuznyechik.cpp:214
Botan::Kuznyechik::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition kuznyechik.cpp:336
Botan::Kuznyechik::has_keying_material
bool has_keying_material() const override
Definition kuznyechik.cpp:220
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:139
T
FE_25519 T
Definition ge.cpp:34
Botan::secure_scrub_memory
void secure_scrub_memory(void *ptr, size_t n)
Definition os_utils.cpp:89
Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:698
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:458
Botan::get_byte_var
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:65
Generated by doxygen 1.11.0