seed_hwaes.cpp

Go to the documentation of this file.

/*
* (C) 2026 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
 
#include <botan/internal/seed.h>
 
#include <botan/mem_ops.h>
#include <botan/internal/isa_extn.h>
#include <botan/internal/simd_4x32.h>
#include <botan/internal/simd_hwaes.h>
 
namespace Botan {
 
namespace SEED_HWAES {
 
namespace {
 
BOTAN_FORCE_INLINE BOTAN_FN_ISA_HWAES SIMD_4x32 seed_g(SIMD_4x32 X) {
   // Field isomorphism from SEED's field (0x163) to AES field (0x11B)
   constexpr uint64_t pre_a = gfni_matrix(R"(
      1 1 0 1 0 0 0 0
      0 0 1 1 0 0 1 1
      0 0 0 0 1 1 0 1
      0 1 1 1 0 1 0 0
      0 1 1 0 1 0 0 0
      0 0 0 1 1 0 0 0
      0 0 1 1 1 1 0 0
      0 0 0 0 1 1 1 0)");
 
   // AES->SEED field isomorphism composed with S0's affine
   constexpr uint64_t s0_post_a = gfni_matrix(R"(
      0 1 0 1 1 0 0 1
      0 0 1 1 1 0 1 0
      1 0 0 0 1 1 1 0
      1 1 0 0 1 0 0 1
      0 1 0 1 1 0 1 1
      1 1 1 1 1 0 1 1
      0 0 1 1 0 1 0 1
      0 0 0 1 0 1 1 1)");
   constexpr uint8_t s0_post_c = 0xA9;
 
   // AES->SEED field isomorphism composed with S1's affine
   constexpr uint64_t s1_post_a = gfni_matrix(R"(
      0 0 1 1 0 1 1 0
      0 1 1 0 0 0 1 0
      0 1 0 1 1 0 1 1
      0 0 0 0 0 0 1 1
      1 1 0 1 0 0 0 0
      0 1 0 0 1 0 1 1
      1 1 1 0 1 0 1 1
      1 1 1 1 0 0 0 1)");
   constexpr uint8_t s1_post_c = 0x38;
 
   constexpr auto pre = Gf2AffineTransformation(pre_a, 0x00);
   constexpr auto post_s0 = Gf2AffineTransformation::post_sbox(s0_post_a, s0_post_c);
   constexpr auto post_s1 = Gf2AffineTransformation::post_sbox(s1_post_a, s1_post_c);
 
   // Shared computation for S0(x) and S1(x)
   const auto sub = hw_aes_sbox(pre.affine_transform(X));
 
   // Compute S0(x) and S1(x)
   const auto s0 = post_s0.affine_transform(sub);
   const auto s1 = post_s1.affine_transform(sub);
 
   // Blend S0(x) and S1(x) outputs in alternating bytes
   const auto sbox = SIMD_4x32::byte_blend(0x00FF00FF, s0, s1);
 
   // Linear mixing step
   const auto M0 = SIMD_4x32::splat(0x3FCFF3FC);
   const auto M1 = SIMD_4x32::splat(0xFC3FCFF3);
   const auto M2 = SIMD_4x32::splat(0xF3FC3FCF);
   const auto M3 = SIMD_4x32::splat(0xCFF3FC3F);
 
   // Broadcast each byte of a 32-bit word to all 4 positions
   const auto SHUF0 = SIMD_4x32(0x00000000, 0x04040404, 0x08080808, 0x0C0C0C0C);
   const auto SHUF1 = SIMD_4x32(0x01010101, 0x05050505, 0x09090909, 0x0D0D0D0D);
   const auto SHUF2 = SIMD_4x32(0x02020202, 0x06060606, 0x0A0A0A0A, 0x0E0E0E0E);
   const auto SHUF3 = SIMD_4x32(0x03030303, 0x07070707, 0x0B0B0B0B, 0x0F0F0F0F);
 
   auto b0 = SIMD_4x32::byte_shuffle(sbox, SHUF0);
   auto b1 = SIMD_4x32::byte_shuffle(sbox, SHUF1);
   auto b2 = SIMD_4x32::byte_shuffle(sbox, SHUF2);
   auto b3 = SIMD_4x32::byte_shuffle(sbox, SHUF3);
 
   return (b0 & M0) ^ (b1 & M1) ^ (b2 & M2) ^ (b3 & M3);
}
 
BOTAN_FORCE_INLINE BOTAN_FN_ISA_HWAES void seed_round(
   SIMD_4x32& B0, SIMD_4x32& B1, SIMD_4x32& B2, SIMD_4x32& B3, uint32_t K0, uint32_t K1, uint32_t K2, uint32_t K3) {
   auto T0 = B2 ^ SIMD_4x32::splat(K0);
   auto T1 = seed_g(B2 ^ B3 ^ SIMD_4x32::splat(K1));
   T0 = seed_g(T1 + T0);
   T1 = seed_g(T1 + T0);
   B1 ^= T1;
   B0 ^= T0 + T1;
 
   T0 = B0 ^ SIMD_4x32::splat(K2);
   T1 = seed_g(B0 ^ B1 ^ SIMD_4x32::splat(K3));
   T0 = seed_g(T1 + T0);
   T1 = seed_g(T1 + T0);
   B3 ^= T1;
   B2 ^= T0 + T1;
}
 
BOTAN_FN_ISA_HWAES void encrypt_4(const uint8_t ptext[4 * 16], uint8_t ctext[4 * 16], std::span<const uint32_t> RK) {
   auto B0 = SIMD_4x32::load_be(ptext);
   auto B1 = SIMD_4x32::load_be(ptext + 16);
   auto B2 = SIMD_4x32::load_be(ptext + 32);
   auto B3 = SIMD_4x32::load_be(ptext + 48);
 
   SIMD_4x32::transpose(B0, B1, B2, B3);
 
   for(size_t j = 0; j != 8; ++j) {
      const uint32_t K0 = RK[4 * j];
      const uint32_t K1 = RK[4 * j + 1];
      const uint32_t K2 = RK[4 * j + 2];
      const uint32_t K3 = RK[4 * j + 3];
 
      seed_round(B0, B1, B2, B3, K0, K1, K2, K3);
   }
 
   // Output order: B2, B3, B0, B1
   SIMD_4x32::transpose(B2, B3, B0, B1);
 
   B2.store_be(ctext);
   B3.store_be(ctext + 16);
   B0.store_be(ctext + 32);
   B1.store_be(ctext + 48);
}
 
BOTAN_FN_ISA_HWAES void decrypt_4(const uint8_t ctext[4 * 16], uint8_t ptext[4 * 16], std::span<const uint32_t> RK) {
   auto B0 = SIMD_4x32::load_be(ctext);
   auto B1 = SIMD_4x32::load_be(ctext + 16);
   auto B2 = SIMD_4x32::load_be(ctext + 32);
   auto B3 = SIMD_4x32::load_be(ctext + 48);
 
   SIMD_4x32::transpose(B0, B1, B2, B3);
 
   for(size_t j = 0; j != 8; ++j) {
      const uint32_t K0 = RK[30 - 4 * j];
      const uint32_t K1 = RK[31 - 4 * j];
      const uint32_t K2 = RK[28 - 4 * j];
      const uint32_t K3 = RK[29 - 4 * j];
 
      seed_round(B0, B1, B2, B3, K0, K1, K2, K3);
   }
 
   SIMD_4x32::transpose(B2, B3, B0, B1);
 
   B2.store_be(ptext);
   B3.store_be(ptext + 16);
   B0.store_be(ptext + 32);
   B1.store_be(ptext + 48);
}
 
}  // namespace
 
}  // namespace SEED_HWAES
 
void BOTAN_FN_ISA_HWAES SEED::hwaes_encrypt(const uint8_t ptext[], uint8_t ctext[], size_t blocks) const {
   while(blocks >= 4) {
      SEED_HWAES::encrypt_4(ptext, ctext, m_K);
      ptext += 4 * 16;
      ctext += 4 * 16;
      blocks -= 4;
   }
 
   if(blocks > 0) {
      uint8_t pbuf[4 * 16] = {0};
      uint8_t cbuf[4 * 16] = {0};
      copy_mem(pbuf, ptext, blocks * 16);
      SEED_HWAES::encrypt_4(pbuf, cbuf, m_K);
      copy_mem(ctext, cbuf, blocks * 16);
   }
}
 
void BOTAN_FN_ISA_HWAES SEED::hwaes_decrypt(const uint8_t ctext[], uint8_t ptext[], size_t blocks) const {
   while(blocks >= 4) {
      SEED_HWAES::decrypt_4(ctext, ptext, m_K);
      ptext += 4 * 16;
      ctext += 4 * 16;
      blocks -= 4;
   }
 
   if(blocks > 0) {
      uint8_t cbuf[4 * 16] = {0};
      uint8_t pbuf[4 * 16] = {0};
      copy_mem(cbuf, ctext, blocks * 16);
      SEED_HWAES::decrypt_4(cbuf, pbuf, m_K);
      copy_mem(ptext, pbuf, blocks * 16);
   }
}
 
}  // namespace Botan