Botan 2.19.2
Crypto and TLS for C&
serpent.cpp
Go to the documentation of this file.
1/*
2* Serpent
3* (C) 1999-2007 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/serpent.h>
9#include <botan/loadstor.h>
10#include <botan/rotate.h>
11#include <botan/internal/serpent_sbox.h>
12
13#if defined(BOTAN_HAS_SERPENT_SIMD) || defined(BOTAN_HAS_SERPENT_AVX2)
14 #include <botan/cpuid.h>
15#endif
16
17namespace Botan {
18
19namespace {
20
21/*
22* Serpent's Linear Transform
23*/
24inline void transform(uint32_t& B0, uint32_t& B1, uint32_t& B2, uint32_t& B3)
25 {
26 B0 = rotl<13>(B0); B2 = rotl<3>(B2);
27 B1 ^= B0 ^ B2; B3 ^= B2 ^ (B0 << 3);
28 B1 = rotl<1>(B1); B3 = rotl<7>(B3);
29 B0 ^= B1 ^ B3; B2 ^= B3 ^ (B1 << 7);
30 B0 = rotl<5>(B0); B2 = rotl<22>(B2);
31 }
32
33/*
34* Serpent's Inverse Linear Transform
35*/
36inline void i_transform(uint32_t& B0, uint32_t& B1, uint32_t& B2, uint32_t& B3)
37 {
38 B2 = rotr<22>(B2); B0 = rotr<5>(B0);
39 B2 ^= B3 ^ (B1 << 7); B0 ^= B1 ^ B3;
40 B3 = rotr<7>(B3); B1 = rotr<1>(B1);
41 B3 ^= B2 ^ (B0 << 3); B1 ^= B0 ^ B2;
42 B2 = rotr<3>(B2); B0 = rotr<13>(B0);
43 }
44
45}
46
47/*
48* XOR a key block with a data block
49*/
50#define key_xor(round, B0, B1, B2, B3) \
51 B0 ^= m_round_key[4*round ]; \
52 B1 ^= m_round_key[4*round+1]; \
53 B2 ^= m_round_key[4*round+2]; \
54 B3 ^= m_round_key[4*round+3];
55
56/*
57* Serpent Encryption
58*/
59void Serpent::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
60 {
61 verify_key_set(m_round_key.empty() == false);
62
63#if defined(BOTAN_HAS_SERPENT_AVX2)
64 if(CPUID::has_avx2())
65 {
66 while(blocks >= 8)
67 {
68 avx2_encrypt_8(in, out);
69 in += 8 * BLOCK_SIZE;
70 out += 8 * BLOCK_SIZE;
71 blocks -= 8;
72 }
73 }
74#endif
75
76#if defined(BOTAN_HAS_SERPENT_SIMD)
77 if(CPUID::has_simd_32())
78 {
79 while(blocks >= 4)
80 {
81 simd_encrypt_4(in, out);
82 in += 4 * BLOCK_SIZE;
83 out += 4 * BLOCK_SIZE;
84 blocks -= 4;
85 }
86 }
87#endif
88
89 BOTAN_PARALLEL_SIMD_FOR(size_t i = 0; i < blocks; ++i)
90 {
91 uint32_t B0, B1, B2, B3;
92 load_le(in + 16*i, B0, B1, B2, B3);
93
94 key_xor( 0,B0,B1,B2,B3); SBoxE0(B0,B1,B2,B3); transform(B0,B1,B2,B3);
95 key_xor( 1,B0,B1,B2,B3); SBoxE1(B0,B1,B2,B3); transform(B0,B1,B2,B3);
96 key_xor( 2,B0,B1,B2,B3); SBoxE2(B0,B1,B2,B3); transform(B0,B1,B2,B3);
97 key_xor( 3,B0,B1,B2,B3); SBoxE3(B0,B1,B2,B3); transform(B0,B1,B2,B3);
98 key_xor( 4,B0,B1,B2,B3); SBoxE4(B0,B1,B2,B3); transform(B0,B1,B2,B3);
99 key_xor( 5,B0,B1,B2,B3); SBoxE5(B0,B1,B2,B3); transform(B0,B1,B2,B3);
100 key_xor( 6,B0,B1,B2,B3); SBoxE6(B0,B1,B2,B3); transform(B0,B1,B2,B3);
101 key_xor( 7,B0,B1,B2,B3); SBoxE7(B0,B1,B2,B3); transform(B0,B1,B2,B3);
102 key_xor( 8,B0,B1,B2,B3); SBoxE0(B0,B1,B2,B3); transform(B0,B1,B2,B3);
103 key_xor( 9,B0,B1,B2,B3); SBoxE1(B0,B1,B2,B3); transform(B0,B1,B2,B3);
104 key_xor(10,B0,B1,B2,B3); SBoxE2(B0,B1,B2,B3); transform(B0,B1,B2,B3);
105 key_xor(11,B0,B1,B2,B3); SBoxE3(B0,B1,B2,B3); transform(B0,B1,B2,B3);
106 key_xor(12,B0,B1,B2,B3); SBoxE4(B0,B1,B2,B3); transform(B0,B1,B2,B3);
107 key_xor(13,B0,B1,B2,B3); SBoxE5(B0,B1,B2,B3); transform(B0,B1,B2,B3);
108 key_xor(14,B0,B1,B2,B3); SBoxE6(B0,B1,B2,B3); transform(B0,B1,B2,B3);
109 key_xor(15,B0,B1,B2,B3); SBoxE7(B0,B1,B2,B3); transform(B0,B1,B2,B3);
110 key_xor(16,B0,B1,B2,B3); SBoxE0(B0,B1,B2,B3); transform(B0,B1,B2,B3);
111 key_xor(17,B0,B1,B2,B3); SBoxE1(B0,B1,B2,B3); transform(B0,B1,B2,B3);
112 key_xor(18,B0,B1,B2,B3); SBoxE2(B0,B1,B2,B3); transform(B0,B1,B2,B3);
113 key_xor(19,B0,B1,B2,B3); SBoxE3(B0,B1,B2,B3); transform(B0,B1,B2,B3);
114 key_xor(20,B0,B1,B2,B3); SBoxE4(B0,B1,B2,B3); transform(B0,B1,B2,B3);
115 key_xor(21,B0,B1,B2,B3); SBoxE5(B0,B1,B2,B3); transform(B0,B1,B2,B3);
116 key_xor(22,B0,B1,B2,B3); SBoxE6(B0,B1,B2,B3); transform(B0,B1,B2,B3);
117 key_xor(23,B0,B1,B2,B3); SBoxE7(B0,B1,B2,B3); transform(B0,B1,B2,B3);
118 key_xor(24,B0,B1,B2,B3); SBoxE0(B0,B1,B2,B3); transform(B0,B1,B2,B3);
119 key_xor(25,B0,B1,B2,B3); SBoxE1(B0,B1,B2,B3); transform(B0,B1,B2,B3);
120 key_xor(26,B0,B1,B2,B3); SBoxE2(B0,B1,B2,B3); transform(B0,B1,B2,B3);
121 key_xor(27,B0,B1,B2,B3); SBoxE3(B0,B1,B2,B3); transform(B0,B1,B2,B3);
122 key_xor(28,B0,B1,B2,B3); SBoxE4(B0,B1,B2,B3); transform(B0,B1,B2,B3);
123 key_xor(29,B0,B1,B2,B3); SBoxE5(B0,B1,B2,B3); transform(B0,B1,B2,B3);
124 key_xor(30,B0,B1,B2,B3); SBoxE6(B0,B1,B2,B3); transform(B0,B1,B2,B3);
125 key_xor(31,B0,B1,B2,B3); SBoxE7(B0,B1,B2,B3); key_xor(32,B0,B1,B2,B3);
126
127 store_le(out + 16*i, B0, B1, B2, B3);
128 }
129 }
130
131/*
132* Serpent Decryption
133*/
134void Serpent::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
135 {
136 verify_key_set(m_round_key.empty() == false);
137
138#if defined(BOTAN_HAS_SERPENT_AVX2)
139 if(CPUID::has_avx2())
140 {
141 while(blocks >= 8)
142 {
143 avx2_decrypt_8(in, out);
144 in += 8 * BLOCK_SIZE;
145 out += 8 * BLOCK_SIZE;
146 blocks -= 8;
147 }
148 }
149#endif
150
151#if defined(BOTAN_HAS_SERPENT_SIMD)
152 if(CPUID::has_simd_32())
153 {
154 while(blocks >= 4)
155 {
156 simd_decrypt_4(in, out);
157 in += 4 * BLOCK_SIZE;
158 out += 4 * BLOCK_SIZE;
159 blocks -= 4;
160 }
161 }
162#endif
163
164 BOTAN_PARALLEL_SIMD_FOR(size_t i = 0; i < blocks; ++i)
165 {
166 uint32_t B0, B1, B2, B3;
167 load_le(in + 16*i, B0, B1, B2, B3);
168
169 key_xor(32,B0,B1,B2,B3); SBoxD7(B0,B1,B2,B3); key_xor(31,B0,B1,B2,B3);
170 i_transform(B0,B1,B2,B3); SBoxD6(B0,B1,B2,B3); key_xor(30,B0,B1,B2,B3);
171 i_transform(B0,B1,B2,B3); SBoxD5(B0,B1,B2,B3); key_xor(29,B0,B1,B2,B3);
172 i_transform(B0,B1,B2,B3); SBoxD4(B0,B1,B2,B3); key_xor(28,B0,B1,B2,B3);
173 i_transform(B0,B1,B2,B3); SBoxD3(B0,B1,B2,B3); key_xor(27,B0,B1,B2,B3);
174 i_transform(B0,B1,B2,B3); SBoxD2(B0,B1,B2,B3); key_xor(26,B0,B1,B2,B3);
175 i_transform(B0,B1,B2,B3); SBoxD1(B0,B1,B2,B3); key_xor(25,B0,B1,B2,B3);
176 i_transform(B0,B1,B2,B3); SBoxD0(B0,B1,B2,B3); key_xor(24,B0,B1,B2,B3);
177 i_transform(B0,B1,B2,B3); SBoxD7(B0,B1,B2,B3); key_xor(23,B0,B1,B2,B3);
178 i_transform(B0,B1,B2,B3); SBoxD6(B0,B1,B2,B3); key_xor(22,B0,B1,B2,B3);
179 i_transform(B0,B1,B2,B3); SBoxD5(B0,B1,B2,B3); key_xor(21,B0,B1,B2,B3);
180 i_transform(B0,B1,B2,B3); SBoxD4(B0,B1,B2,B3); key_xor(20,B0,B1,B2,B3);
181 i_transform(B0,B1,B2,B3); SBoxD3(B0,B1,B2,B3); key_xor(19,B0,B1,B2,B3);
182 i_transform(B0,B1,B2,B3); SBoxD2(B0,B1,B2,B3); key_xor(18,B0,B1,B2,B3);
183 i_transform(B0,B1,B2,B3); SBoxD1(B0,B1,B2,B3); key_xor(17,B0,B1,B2,B3);
184 i_transform(B0,B1,B2,B3); SBoxD0(B0,B1,B2,B3); key_xor(16,B0,B1,B2,B3);
185 i_transform(B0,B1,B2,B3); SBoxD7(B0,B1,B2,B3); key_xor(15,B0,B1,B2,B3);
186 i_transform(B0,B1,B2,B3); SBoxD6(B0,B1,B2,B3); key_xor(14,B0,B1,B2,B3);
187 i_transform(B0,B1,B2,B3); SBoxD5(B0,B1,B2,B3); key_xor(13,B0,B1,B2,B3);
188 i_transform(B0,B1,B2,B3); SBoxD4(B0,B1,B2,B3); key_xor(12,B0,B1,B2,B3);
189 i_transform(B0,B1,B2,B3); SBoxD3(B0,B1,B2,B3); key_xor(11,B0,B1,B2,B3);
190 i_transform(B0,B1,B2,B3); SBoxD2(B0,B1,B2,B3); key_xor(10,B0,B1,B2,B3);
191 i_transform(B0,B1,B2,B3); SBoxD1(B0,B1,B2,B3); key_xor( 9,B0,B1,B2,B3);
192 i_transform(B0,B1,B2,B3); SBoxD0(B0,B1,B2,B3); key_xor( 8,B0,B1,B2,B3);
193 i_transform(B0,B1,B2,B3); SBoxD7(B0,B1,B2,B3); key_xor( 7,B0,B1,B2,B3);
194 i_transform(B0,B1,B2,B3); SBoxD6(B0,B1,B2,B3); key_xor( 6,B0,B1,B2,B3);
195 i_transform(B0,B1,B2,B3); SBoxD5(B0,B1,B2,B3); key_xor( 5,B0,B1,B2,B3);
196 i_transform(B0,B1,B2,B3); SBoxD4(B0,B1,B2,B3); key_xor( 4,B0,B1,B2,B3);
197 i_transform(B0,B1,B2,B3); SBoxD3(B0,B1,B2,B3); key_xor( 3,B0,B1,B2,B3);
198 i_transform(B0,B1,B2,B3); SBoxD2(B0,B1,B2,B3); key_xor( 2,B0,B1,B2,B3);
199 i_transform(B0,B1,B2,B3); SBoxD1(B0,B1,B2,B3); key_xor( 1,B0,B1,B2,B3);
200 i_transform(B0,B1,B2,B3); SBoxD0(B0,B1,B2,B3); key_xor( 0,B0,B1,B2,B3);
201
202 store_le(out + 16*i, B0, B1, B2, B3);
203 }
204 }
205
206#undef key_xor
207#undef transform
208#undef i_transform
209
210/*
211* Serpent Key Schedule
212*/
213void Serpent::key_schedule(const uint8_t key[], size_t length)
214 {
215 const uint32_t PHI = 0x9E3779B9;
216
217 secure_vector<uint32_t> W(140);
218 for(size_t i = 0; i != length / 4; ++i)
219 W[i] = load_le<uint32_t>(key, i);
220
221 W[length / 4] |= uint32_t(1) << ((length%4)*8);
222
223 for(size_t i = 8; i != 140; ++i)
224 {
225 uint32_t wi = W[i-8] ^ W[i-5] ^ W[i-3] ^ W[i-1] ^ PHI ^ uint32_t(i-8);
226 W[i] = rotl<11>(wi);
227 }
228
229 SBoxE0(W[ 20],W[ 21],W[ 22],W[ 23]);
230 SBoxE0(W[ 52],W[ 53],W[ 54],W[ 55]);
231 SBoxE0(W[ 84],W[ 85],W[ 86],W[ 87]);
232 SBoxE0(W[116],W[117],W[118],W[119]);
233
234 SBoxE1(W[ 16],W[ 17],W[ 18],W[ 19]);
235 SBoxE1(W[ 48],W[ 49],W[ 50],W[ 51]);
236 SBoxE1(W[ 80],W[ 81],W[ 82],W[ 83]);
237 SBoxE1(W[112],W[113],W[114],W[115]);
238
239 SBoxE2(W[ 12],W[ 13],W[ 14],W[ 15]);
240 SBoxE2(W[ 44],W[ 45],W[ 46],W[ 47]);
241 SBoxE2(W[ 76],W[ 77],W[ 78],W[ 79]);
242 SBoxE2(W[108],W[109],W[110],W[111]);
243
244 SBoxE3(W[ 8],W[ 9],W[ 10],W[ 11]);
245 SBoxE3(W[ 40],W[ 41],W[ 42],W[ 43]);
246 SBoxE3(W[ 72],W[ 73],W[ 74],W[ 75]);
247 SBoxE3(W[104],W[105],W[106],W[107]);
248 SBoxE3(W[136],W[137],W[138],W[139]);
249
250 SBoxE4(W[ 36],W[ 37],W[ 38],W[ 39]);
251 SBoxE4(W[ 68],W[ 69],W[ 70],W[ 71]);
252 SBoxE4(W[100],W[101],W[102],W[103]);
253 SBoxE4(W[132],W[133],W[134],W[135]);
254
255 SBoxE5(W[ 32],W[ 33],W[ 34],W[ 35]);
256 SBoxE5(W[ 64],W[ 65],W[ 66],W[ 67]);
257 SBoxE5(W[ 96],W[ 97],W[ 98],W[ 99]);
258 SBoxE5(W[128],W[129],W[130],W[131]);
259
260 SBoxE6(W[ 28],W[ 29],W[ 30],W[ 31]);
261 SBoxE6(W[ 60],W[ 61],W[ 62],W[ 63]);
262 SBoxE6(W[ 92],W[ 93],W[ 94],W[ 95]);
263 SBoxE6(W[124],W[125],W[126],W[127]);
264
265 SBoxE7(W[ 24],W[ 25],W[ 26],W[ 27]);
266 SBoxE7(W[ 56],W[ 57],W[ 58],W[ 59]);
267 SBoxE7(W[ 88],W[ 89],W[ 90],W[ 91]);
268 SBoxE7(W[120],W[121],W[122],W[123]);
269
270 m_round_key.assign(W.begin() + 8, W.end());
271 }
272
273void Serpent::clear()
274 {
275 zap(m_round_key);
276 }
277
278std::string Serpent::provider() const
279 {
280#if defined(BOTAN_HAS_SERPENT_AVX2)
281 if(CPUID::has_avx2())
282 {
283 return "avx2";
284 }
285#endif
286
287#if defined(BOTAN_HAS_SERPENT_SIMD)
288 if(CPUID::has_simd_32())
289 {
290 return "simd";
291 }
292#endif
293
294 return "base";
295 }
296
297#undef key_xor
298
299}
Botan::Block_Cipher_Fixed_Params< 16, 16, 32, 8 >::BLOCK_SIZE
@ BLOCK_SIZE
Definition: block_cipher.h:224
Botan::CPUID::has_simd_32
static bool has_simd_32()
Definition: cpuid.cpp:16
Botan::Serpent::provider
std::string provider() const override
Definition: serpent.cpp:278
Botan::Serpent::clear
void clear() override
Definition: serpent.cpp:273
Botan::Serpent::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: serpent.cpp:59
Botan::Serpent::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: serpent.cpp:134
Botan::SymmetricAlgorithm::verify_key_set
void verify_key_set(bool cond) const
Definition: sym_algo.h:171
BOTAN_PARALLEL_SIMD_FOR
#define BOTAN_PARALLEL_SIMD_FOR
Definition: compiler.h:220
Botan
Definition: alg_id.cpp:13
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:124
Botan::load_le< uint32_t >
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:198
Botan::load_le
T load_le(const uint8_t in[], size_t off)
Definition: loadstor.h:123
Botan::store_le
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:454
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
key_xor
#define key_xor(round, B0, B1, B2, B3)
Definition: serpent.cpp:50
i_transform
#define i_transform(B0, B1, B2, B3)
Definition: serpent_avx2.cpp:39
transform
#define transform(B0, B1, B2, B3)
Definition: serpent_avx2.cpp:25
SBoxE6
BOTAN_FORCE_INLINE void SBoxE6(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:177
SBoxE1
BOTAN_FORCE_INLINE void SBoxE1(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:43
SBoxD6
BOTAN_FORCE_INLINE void SBoxD6(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:394
SBoxE7
BOTAN_FORCE_INLINE void SBoxE7(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:201
SBoxD1
BOTAN_FORCE_INLINE void SBoxD1(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:256
SBoxD3
BOTAN_FORCE_INLINE void SBoxD3(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:311
SBoxE3
BOTAN_FORCE_INLINE void SBoxE3(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:94
SBoxD2
BOTAN_FORCE_INLINE void SBoxD2(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:285
SBoxE4
BOTAN_FORCE_INLINE void SBoxE4(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:121
SBoxE5
BOTAN_FORCE_INLINE void SBoxE5(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:149
SBoxD4
BOTAN_FORCE_INLINE void SBoxD4(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:338
SBoxD5
BOTAN_FORCE_INLINE void SBoxD5(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:365
SBoxD0
BOTAN_FORCE_INLINE void SBoxD0(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:230
SBoxE2
BOTAN_FORCE_INLINE void SBoxE2(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:70
SBoxD7
BOTAN_FORCE_INLINE void SBoxD7(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:419
SBoxE0
BOTAN_FORCE_INLINE void SBoxE0(T &a, T &b, T &c, T &d)
Definition: serpent_sbox.h:17
Generated by doxygen 1.9.3