Botan 3.10.0
Crypto and TLS for C&
kuznyechik.cpp
Go to the documentation of this file.
1/*
2* GOST R 34.12-2015: Block Cipher "Kuznyechik" (RFC 7801)
3* (C) 2023 Richard Huveneers
4* 2024 Jack Lloyd
5*
6* This code is written by kerukuro for cppcrypto library (http://cppcrypto.sourceforge.net/)
7* and released into public domain.
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/internal/kuznyechik.h>
13
14#include <botan/internal/loadstor.h>
15#include <algorithm>
16
17namespace Botan {
18
19namespace {
20
21namespace Kuznyechik_F {
22
23alignas(256) const constexpr uint8_t S[256] = {
24 252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250, 218, 35, 197, 4, 77, 233, 119, 240, 219, 147, 46,
25 153, 186, 23, 54, 241, 187, 20, 205, 95, 193, 249, 24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66,
26 139, 1, 142, 79, 5, 132, 2, 174, 227, 106, 143, 160, 6, 11, 237, 152, 127, 212, 211, 31, 235, 52,
27 44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253, 58, 206, 204, 181, 112, 14, 86, 8, 12, 118, 18,
28 191, 114, 19, 71, 156, 183, 93, 135, 21, 161, 150, 41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158,
29 178, 177, 50, 117, 25, 61, 255, 53, 138, 126, 109, 84, 198, 128, 195, 189, 13, 87, 223, 245, 36, 169,
30 62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185, 3, 224, 15, 236, 222, 122, 148, 176, 188, 220, 232,
31 40, 80, 78, 51, 10, 74, 167, 151, 96, 115, 30, 0, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65,
32 173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165, 125, 105, 213, 149, 59, 7, 88, 179, 64, 134, 172,
33 29, 247, 48, 55, 107, 228, 136, 217, 231, 137, 225, 27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144,
34 202, 216, 133, 97, 32, 113, 103, 164, 45, 43, 9, 91, 203, 155, 37, 208, 190, 229, 108, 82, 89, 166,
35 116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57, 75, 99, 182};
36
37alignas(256) const constexpr uint8_t IS[256] = {
38 165, 45, 50, 143, 14, 48, 56, 192, 84, 230, 158, 57, 85, 126, 82, 145, 100, 3, 87, 90, 28, 96,
39 7, 24, 33, 114, 168, 209, 41, 198, 164, 63, 224, 39, 141, 12, 130, 234, 174, 180, 154, 99, 73, 229,
40 66, 228, 21, 183, 200, 6, 112, 157, 65, 117, 25, 201, 170, 252, 77, 191, 42, 115, 132, 213, 195, 175,
41 43, 134, 167, 177, 178, 91, 70, 211, 159, 253, 212, 15, 156, 47, 155, 67, 239, 217, 121, 182, 83, 127,
42 193, 240, 35, 231, 37, 94, 181, 30, 162, 223, 166, 254, 172, 34, 249, 226, 74, 188, 53, 202, 238, 120,
43 5, 107, 81, 225, 89, 163, 242, 113, 86, 17, 106, 137, 148, 101, 140, 187, 119, 60, 123, 40, 171, 210,
44 49, 222, 196, 95, 204, 207, 118, 44, 184, 216, 46, 54, 219, 105, 179, 20, 149, 190, 98, 161, 59, 22,
45 102, 233, 92, 108, 109, 173, 55, 97, 75, 185, 227, 186, 241, 160, 133, 131, 218, 71, 197, 176, 51, 250,
46 150, 111, 110, 194, 246, 80, 255, 93, 169, 142, 23, 27, 151, 125, 236, 88, 247, 31, 251, 124, 9, 13,
47 122, 103, 69, 135, 220, 232, 79, 29, 78, 4, 235, 248, 243, 62, 61, 189, 138, 136, 221, 205, 11, 19,
48 152, 2, 147, 128, 144, 208, 36, 52, 203, 237, 244, 206, 153, 16, 68, 64, 146, 58, 1, 38, 18, 26,
49 72, 104, 245, 129, 139, 199, 214, 32, 10, 8, 0, 76, 215, 116};
50
51namespace Kuznyechik_T {
52
53const constexpr uint8_t LINEAR[16] = {
54 0x94, 0x20, 0x85, 0x10, 0xC2, 0xC0, 0x01, 0xFB, 0x01, 0xC0, 0xC2, 0x10, 0x85, 0x20, 0x94, 0x01};
55
56constexpr uint8_t poly_mul(uint8_t x, uint8_t y) {
57 const uint8_t poly = 0xC3;
58
59 uint8_t r = 0;
60 while(x > 0 && y > 0) {
61 if((y & 1) != 0) {
62 r ^= x;
63 }
64 x = (x << 1) ^ ((x >> 7) * poly);
65 y >>= 1;
66 }
67 return r;
68}
69
70constexpr uint64_t poly_mul(uint64_t x, uint8_t y) {
71 const uint64_t lo_bit = 0x0101010101010101;
72 const uint64_t mask = 0x7F7F7F7F7F7F7F7F;
73 const uint64_t poly = 0xC3;
74
75 uint64_t r = 0;
76 while(x > 0 && y > 0) {
77 if((y & 1) != 0) {
78 r ^= x;
79 }
80 x = ((x & mask) << 1) ^ (((x >> 7) & lo_bit) * poly);
81 y >>= 1;
82 }
83 return r;
84}
85
86consteval std::array<uint8_t, 256> L_table(bool forward) noexcept {
87 std::array<uint8_t, 256> L = {};
88
89 for(size_t i = 0; i != 16; ++i) {
90 L[i] = LINEAR[i];
91 if(i > 0) {
92 L[17 * i - 1] = 1;
93 }
94 }
95
96 if(!forward) {
97 std::reverse(L.begin(), L.end());
98 }
99
100 auto sqr_matrix = [](std::span<const uint8_t, 256> mat) {
101 std::array<uint8_t, 256> res = {};
102 for(size_t i = 0; i != 16; ++i) {
103 for(size_t j = 0; j != 16; ++j) {
104 for(size_t k = 0; k != 16; ++k) {
105 res[16 * i + j] ^= poly_mul(mat[16 * i + k], mat[16 * k + j]);
106 }
107 }
108 }
109 return res;
110 };
111
112 for(size_t i = 0; i != 4; ++i) {
113 L = sqr_matrix(L);
114 }
115
116 return L;
117}
118
119consteval std::array<uint64_t, 16 * 256 * 2> T_table(std::span<const uint8_t> L,
120 std::span<const uint8_t, 256> SB) noexcept {
121 std::array<uint64_t, 16 * 256 * 2> T = {};
122
123 for(size_t i = 0; i != 16; ++i) {
124 uint64_t L_stride_0 = 0;
125 uint64_t L_stride_1 = 0;
126 for(size_t j = 0; j != 8; ++j) {
127 L_stride_0 |= static_cast<uint64_t>(L[i + 16 * j]) << (8 * (j % 8));
128 L_stride_1 |= static_cast<uint64_t>(L[i + 16 * (j + 8)]) << (8 * (j % 8));
129 }
130
131 for(size_t j = 0; j != 256; ++j) {
132 const uint8_t Sj = SB[j];
133 T[512 * i + 2 * j] = poly_mul(L_stride_0, Sj);
134 T[512 * i + 2 * j + 1] = poly_mul(L_stride_1, Sj);
135 }
136 }
137
138 return T;
139}
140
141} // namespace Kuznyechik_T
142
143// TODO(Botan4) this indirection with L/IL is required to work around a problem
144// with Clang 19, where suddenly T_table became too much for it to handle as constexpr.
145// Check if it's possible to remove this.
146constexpr auto L = Kuznyechik_T::L_table(true);
147constexpr auto IL = Kuznyechik_T::L_table(false);
148const constinit auto T = Kuznyechik_T::T_table(L, S);
149const constinit auto IT = Kuznyechik_T::T_table(IL, IS);
150
151const uint64_t C[32][2] = {{0xb87a486c7276a26e, 0x019484dd10bd275d}, {0xb3f490d8e4ec87dc, 0x02ebcb7920b94eba},
152 {0x0b8ed8b4969a25b2, 0x037f4fa4300469e7}, {0xa52be3730b1bcd7b, 0x041555f240b19cb7},
153 {0x1d51ab1f796d6f15, 0x0581d12f500cbbea}, {0x16df73abeff74aa7, 0x06fe9e8b6008d20d},
154 {0xaea53bc79d81e8c9, 0x076a1a5670b5f550}, {0x895605e6163659f6, 0x082aaa2780a1fbad},
155 {0x312c4d8a6440fb98, 0x09be2efa901cdcf0}, {0x3aa2953ef2dade2a, 0x0ac1615ea018b517},
156 {0x82d8dd5280ac7c44, 0x0b55e583b0a5924a}, {0x2c7de6951d2d948d, 0x0c3fffd5c010671a},
157 {0x9407aef96f5b36e3, 0x0dab7b08d0ad4047}, {0x9f89764df9c11351, 0x0ed434ace0a929a0},
158 {0x27f33e218bb7b13f, 0x0f40b071f0140efd}, {0xd1ac0a0f2c6cb22f, 0x1054974ec3813599},
159 {0x69d642635e1a1041, 0x11c01393d33c12c4}, {0x62589ad7c88035f3, 0x12bf5c37e3387b23},
160 {0xda22d2bbbaf6979d, 0x132bd8eaf3855c7e}, {0x7487e97c27777f54, 0x1441c2bc8330a92e},
161 {0xccfda1105501dd3a, 0x15d54661938d8e73}, {0xc77379a4c39bf888, 0x16aa09c5a389e794},
162 {0x7f0931c8b1ed5ae6, 0x173e8d18b334c0c9}, {0x58fa0fe93a5aebd9, 0x187e3d694320ce34},
163 {0xe0804785482c49b7, 0x19eab9b4539de969}, {0xeb0e9f31deb66c05, 0x1a95f6106399808e},
164 {0x5374d75dacc0ce6b, 0x1b0172cd7324a7d3}, {0xfdd1ec9a314126a2, 0x1c6b689b03915283},
165 {0x45aba4f6433784cc, 0x1dffec46132c75de}, {0x4e257c42d5ada17e, 0x1e80a3e223281c39},
166 {0xf65f342ea7db0310, 0x1f14273f33953b64}, {0x619b141e58d8a75e, 0x20a8ed9c45c16af1}};
167
168inline void LS(uint64_t& x1, uint64_t& x2) {
169 uint64_t t1 = 0;
170 uint64_t t2 = 0;
171 for(size_t i = 0; i != 16; ++i) {
172 const uint8_t x = get_byte_var(7 - (i % 8), (i < 8) ? x1 : x2);
173 t1 ^= T[512 * i + 2 * x + 0];
174 t2 ^= T[512 * i + 2 * x + 1];
175 }
176
177 x1 = t1;
178 x2 = t2;
179}
180
181inline void ILS(uint64_t& x1, uint64_t& x2) {
182 uint64_t t1 = 0;
183 uint64_t t2 = 0;
184 for(size_t i = 0; i != 16; ++i) {
185 const uint8_t x = get_byte_var(7 - (i % 8), (i < 8) ? x1 : x2);
186 t1 ^= IT[512 * i + 2 * x + 0];
187 t2 ^= IT[512 * i + 2 * x + 1];
188 }
189 x1 = t1;
190 x2 = t2;
191}
192
193inline void ILSS(uint64_t& x1, uint64_t& x2) {
194 uint64_t t1 = 0;
195 uint64_t t2 = 0;
196 for(size_t i = 0; i != 16; ++i) {
197 const uint8_t x = S[get_byte_var(7 - (i % 8), (i < 8) ? x1 : x2)];
198 t1 ^= IT[512 * i + 2 * x + 0];
199 t2 ^= IT[512 * i + 2 * x + 1];
200 }
201 x1 = t1;
202 x2 = t2;
203}
204
205inline uint64_t ISI(uint64_t val) {
206 uint64_t out = 0;
207 for(size_t i = 0; i != 8; ++i) {
208 out <<= 8;
209 out |= IS[get_byte_var(i, val)];
210 }
211 return out;
212}
213
214} // namespace Kuznyechik_F
215
216} // namespace
217
218void Kuznyechik::clear() {
219 zap(m_rke);
220 zap(m_rkd);
221}
222
223bool Kuznyechik::has_keying_material() const {
224 return !m_rke.empty();
225}
226
227void Kuznyechik::key_schedule(std::span<const uint8_t> key) {
228 using namespace Kuznyechik_F;
229
230 BOTAN_ASSERT_NOMSG(key.size() == 32);
231
232 uint64_t k0 = load_le<uint64_t>(key.data(), 0);
233 uint64_t k1 = load_le<uint64_t>(key.data(), 1);
234 uint64_t k2 = load_le<uint64_t>(key.data(), 2);
235 uint64_t k3 = load_le<uint64_t>(key.data(), 3);
236
237 m_rke.resize(20);
238
239 m_rke[0] = k0;
240 m_rke[1] = k1;
241 m_rke[2] = k2;
242 m_rke[3] = k3;
243
244 for(size_t i = 0; i != 4; ++i) {
245 for(size_t r = 0; r != 8; r += 2) {
246 uint64_t t0 = k0 ^ C[8 * i + r][0];
247 uint64_t t1 = k1 ^ C[8 * i + r][1];
248 uint64_t t2 = k0;
249 uint64_t t3 = k1;
250 LS(t0, t1);
251 t0 ^= k2;
252 t1 ^= k3;
253
254 k0 = t0 ^ C[8 * i + r + 1][0];
255 k1 = t1 ^ C[8 * i + r + 1][1];
256 k2 = t0;
257 k3 = t1;
258 LS(k0, k1);
259 k0 ^= t2;
260 k1 ^= t3;
261 }
262
263 m_rke[4 * (i + 1) + 0] = k0;
264 m_rke[4 * (i + 1) + 1] = k1;
265 m_rke[4 * (i + 1) + 2] = k2;
266 m_rke[4 * (i + 1) + 3] = k3;
267 }
268
269 m_rkd.resize(20);
270
271 for(size_t i = 0; i != 10; i++) {
272 uint64_t t0 = m_rke[2 * i + 0];
273 uint64_t t1 = m_rke[2 * i + 1];
274
275 if(i > 0) {
276 Kuznyechik_F::ILSS(t0, t1);
277 }
278
279 const size_t dest = 9 - i;
280
281 m_rkd[2 * dest + 0] = t0;
282 m_rkd[2 * dest + 1] = t1;
283 }
284}
285
286void Kuznyechik::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
287 assert_key_material_set();
288 while(blocks > 0) {
289 uint64_t x1 = load_le<uint64_t>(in, 0);
290 uint64_t x2 = load_le<uint64_t>(in, 1);
291
292 x1 ^= m_rke[0];
293 x2 ^= m_rke[1];
294 Kuznyechik_F::LS(x1, x2);
295
296 x1 ^= m_rke[2];
297 x2 ^= m_rke[3];
298 Kuznyechik_F::LS(x1, x2);
299
300 x1 ^= m_rke[4];
301 x2 ^= m_rke[5];
302 Kuznyechik_F::LS(x1, x2);
303
304 x1 ^= m_rke[6];
305 x2 ^= m_rke[7];
306 Kuznyechik_F::LS(x1, x2);
307
308 x1 ^= m_rke[8];
309 x2 ^= m_rke[9];
310 Kuznyechik_F::LS(x1, x2);
311
312 x1 ^= m_rke[10];
313 x2 ^= m_rke[11];
314 Kuznyechik_F::LS(x1, x2);
315
316 x1 ^= m_rke[12];
317 x2 ^= m_rke[13];
318 Kuznyechik_F::LS(x1, x2);
319
320 x1 ^= m_rke[14];
321 x2 ^= m_rke[15];
322 Kuznyechik_F::LS(x1, x2);
323
324 x1 ^= m_rke[16];
325 x2 ^= m_rke[17];
326 Kuznyechik_F::LS(x1, x2);
327
328 x1 ^= m_rke[18];
329 x2 ^= m_rke[19];
330
331 store_le(out, x1, x2);
332
333 in += 16;
334 out += 16;
335 blocks--;
336 }
337}
338
339void Kuznyechik::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
340 assert_key_material_set();
341 while(blocks > 0) {
342 uint64_t x1 = load_le<uint64_t>(in, 0);
343 uint64_t x2 = load_le<uint64_t>(in, 1);
344
345 Kuznyechik_F::ILSS(x1, x2);
346
347 x1 ^= m_rkd[0];
348 x2 ^= m_rkd[1];
349 Kuznyechik_F::ILS(x1, x2);
350
351 x1 ^= m_rkd[2];
352 x2 ^= m_rkd[3];
353 Kuznyechik_F::ILS(x1, x2);
354
355 x1 ^= m_rkd[4];
356 x2 ^= m_rkd[5];
357 Kuznyechik_F::ILS(x1, x2);
358
359 x1 ^= m_rkd[6];
360 x2 ^= m_rkd[7];
361 Kuznyechik_F::ILS(x1, x2);
362
363 x1 ^= m_rkd[8];
364 x2 ^= m_rkd[9];
365 Kuznyechik_F::ILS(x1, x2);
366
367 x1 ^= m_rkd[10];
368 x2 ^= m_rkd[11];
369 Kuznyechik_F::ILS(x1, x2);
370
371 x1 ^= m_rkd[12];
372 x2 ^= m_rkd[13];
373 Kuznyechik_F::ILS(x1, x2);
374
375 x1 ^= m_rkd[14];
376 x2 ^= m_rkd[15];
377 Kuznyechik_F::ILS(x1, x2);
378
379 x1 ^= m_rkd[16];
380 x2 ^= m_rkd[17];
381 x1 = Kuznyechik_F::ISI(x1);
382 x2 = Kuznyechik_F::ISI(x2);
383
384 x1 ^= m_rkd[18];
385 x2 ^= m_rkd[19];
386
387 store_le(out, x1, x2);
388
389 in += 16;
390 out += 16;
391 blocks--;
392 }
393}
394
395} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
Botan::Kuznyechik::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition kuznyechik.cpp:286
Botan::Kuznyechik::clear
void clear() override
Definition kuznyechik.cpp:218
Botan::Kuznyechik::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition kuznyechik.cpp:339
Botan::Kuznyechik::has_keying_material
bool has_keying_material() const override
Definition kuznyechik.cpp:223
Botan::Kuznyechik_F::Kuznyechik_T
Definition kuznyechik.cpp:51
Botan::Kuznyechik_F
Definition kuznyechik.cpp:21
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:134
Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
Botan::get_byte_var
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:69
Generated by doxygen 1.15.0