Botan 3.0.0-alpha0
Crypto and TLS for C&
sm3.cpp
Go to the documentation of this file.
1/*
2* SM3
3* (C) 2017 Ribose Inc.
4* (C) 2021 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/sm3.h>
10#include <botan/internal/loadstor.h>
11#include <botan/internal/rotate.h>
12#include <botan/internal/bit_ops.h>
13
14namespace Botan {
15
16std::unique_ptr<HashFunction> SM3::copy_state() const
17 {
18 return std::make_unique<SM3>(*this);
19 }
20
21namespace {
22
23const uint32_t SM3_IV[] = {
24 0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL,
25 0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL
26};
27
28inline uint32_t P0(uint32_t X)
29 {
30 return X ^ rotl<9>(X) ^ rotl<17>(X);
31 }
32
33inline void R1(uint32_t A, uint32_t& B, uint32_t C, uint32_t& D,
34 uint32_t E, uint32_t& F, uint32_t G, uint32_t& H,
35 uint32_t TJ, uint32_t Wi, uint32_t Wj)
36 {
37 const uint32_t A12 = rotl<12>(A);
38 const uint32_t SS1 = rotl<7>(A12 + E + TJ);
39 const uint32_t TT1 = (A ^ B ^ C) + D + (SS1 ^ A12) + Wj;
40 const uint32_t TT2 = (E ^ F ^ G) + H + SS1 + Wi;
41
42 B = rotl<9>(B);
43 D = TT1;
44 F = rotl<19>(F);
45 H = P0(TT2);
46 }
47
48inline void R2(uint32_t A, uint32_t& B, uint32_t C, uint32_t& D,
49 uint32_t E, uint32_t& F, uint32_t G, uint32_t& H,
50 uint32_t TJ, uint32_t Wi, uint32_t Wj)
51 {
52 const uint32_t A12 = rotl<12>(A);
53 const uint32_t SS1 = rotl<7>(A12 + E + TJ);
54 const uint32_t TT1 = majority(A, B, C) + D + (SS1 ^ A12) + Wj;
55 const uint32_t TT2 = choose(E, F, G) + H + SS1 + Wi;
56
57 B = rotl<9>(B);
58 D = TT1;
59 F = rotl<19>(F);
60 H = P0(TT2);
61 }
62
63inline uint32_t P1(uint32_t X)
64 {
65 return X ^ rotl<15>(X) ^ rotl<23>(X);
66 }
67
68inline uint32_t SM3_E(uint32_t W0, uint32_t W7, uint32_t W13, uint32_t W3, uint32_t W10)
69 {
70 return P1(W0 ^ W7 ^ rotl<15>(W13)) ^ rotl<7>(W3) ^ W10;
71 }
72
73}
74
75/*
76* SM3 Compression Function
77*/
78void SM3::compress_n(const uint8_t input[], size_t blocks)
79 {
80 uint32_t A = m_digest[0], B = m_digest[1], C = m_digest[2], D = m_digest[3],
81 E = m_digest[4], F = m_digest[5], G = m_digest[6], H = m_digest[7];
82
83 for(size_t i = 0; i != blocks; ++i)
84 {
85 uint32_t W00 = load_be<uint32_t>(input, 0);
86 uint32_t W01 = load_be<uint32_t>(input, 1);
87 uint32_t W02 = load_be<uint32_t>(input, 2);
88 uint32_t W03 = load_be<uint32_t>(input, 3);
89 uint32_t W04 = load_be<uint32_t>(input, 4);
90 uint32_t W05 = load_be<uint32_t>(input, 5);
91 uint32_t W06 = load_be<uint32_t>(input, 6);
92 uint32_t W07 = load_be<uint32_t>(input, 7);
93 uint32_t W08 = load_be<uint32_t>(input, 8);
94 uint32_t W09 = load_be<uint32_t>(input, 9);
95 uint32_t W10 = load_be<uint32_t>(input, 10);
96 uint32_t W11 = load_be<uint32_t>(input, 11);
97 uint32_t W12 = load_be<uint32_t>(input, 12);
98 uint32_t W13 = load_be<uint32_t>(input, 13);
99 uint32_t W14 = load_be<uint32_t>(input, 14);
100 uint32_t W15 = load_be<uint32_t>(input, 15);
101
102 R1(A, B, C, D, E, F, G, H, 0x79CC4519, W00, W00 ^ W04);
103 W00 = SM3_E(W00, W07, W13, W03, W10);
104 R1(D, A, B, C, H, E, F, G, 0xF3988A32, W01, W01 ^ W05);
105 W01 = SM3_E(W01, W08, W14, W04, W11);
106 R1(C, D, A, B, G, H, E, F, 0xE7311465, W02, W02 ^ W06);
107 W02 = SM3_E(W02, W09, W15, W05, W12);
108 R1(B, C, D, A, F, G, H, E, 0xCE6228CB, W03, W03 ^ W07);
109 W03 = SM3_E(W03, W10, W00, W06, W13);
110 R1(A, B, C, D, E, F, G, H, 0x9CC45197, W04, W04 ^ W08);
111 W04 = SM3_E(W04, W11, W01, W07, W14);
112 R1(D, A, B, C, H, E, F, G, 0x3988A32F, W05, W05 ^ W09);
113 W05 = SM3_E(W05, W12, W02, W08, W15);
114 R1(C, D, A, B, G, H, E, F, 0x7311465E, W06, W06 ^ W10);
115 W06 = SM3_E(W06, W13, W03, W09, W00);
116 R1(B, C, D, A, F, G, H, E, 0xE6228CBC, W07, W07 ^ W11);
117 W07 = SM3_E(W07, W14, W04, W10, W01);
118 R1(A, B, C, D, E, F, G, H, 0xCC451979, W08, W08 ^ W12);
119 W08 = SM3_E(W08, W15, W05, W11, W02);
120 R1(D, A, B, C, H, E, F, G, 0x988A32F3, W09, W09 ^ W13);
121 W09 = SM3_E(W09, W00, W06, W12, W03);
122 R1(C, D, A, B, G, H, E, F, 0x311465E7, W10, W10 ^ W14);
123 W10 = SM3_E(W10, W01, W07, W13, W04);
124 R1(B, C, D, A, F, G, H, E, 0x6228CBCE, W11, W11 ^ W15);
125 W11 = SM3_E(W11, W02, W08, W14, W05);
126 R1(A, B, C, D, E, F, G, H, 0xC451979C, W12, W12 ^ W00);
127 W12 = SM3_E(W12, W03, W09, W15, W06);
128 R1(D, A, B, C, H, E, F, G, 0x88A32F39, W13, W13 ^ W01);
129 W13 = SM3_E(W13, W04, W10, W00, W07);
130 R1(C, D, A, B, G, H, E, F, 0x11465E73, W14, W14 ^ W02);
131 W14 = SM3_E(W14, W05, W11, W01, W08);
132 R1(B, C, D, A, F, G, H, E, 0x228CBCE6, W15, W15 ^ W03);
133 W15 = SM3_E(W15, W06, W12, W02, W09);
134 R2(A, B, C, D, E, F, G, H, 0x9D8A7A87, W00, W00 ^ W04);
135 W00 = SM3_E(W00, W07, W13, W03, W10);
136 R2(D, A, B, C, H, E, F, G, 0x3B14F50F, W01, W01 ^ W05);
137 W01 = SM3_E(W01, W08, W14, W04, W11);
138 R2(C, D, A, B, G, H, E, F, 0x7629EA1E, W02, W02 ^ W06);
139 W02 = SM3_E(W02, W09, W15, W05, W12);
140 R2(B, C, D, A, F, G, H, E, 0xEC53D43C, W03, W03 ^ W07);
141 W03 = SM3_E(W03, W10, W00, W06, W13);
142 R2(A, B, C, D, E, F, G, H, 0xD8A7A879, W04, W04 ^ W08);
143 W04 = SM3_E(W04, W11, W01, W07, W14);
144 R2(D, A, B, C, H, E, F, G, 0xB14F50F3, W05, W05 ^ W09);
145 W05 = SM3_E(W05, W12, W02, W08, W15);
146 R2(C, D, A, B, G, H, E, F, 0x629EA1E7, W06, W06 ^ W10);
147 W06 = SM3_E(W06, W13, W03, W09, W00);
148 R2(B, C, D, A, F, G, H, E, 0xC53D43CE, W07, W07 ^ W11);
149 W07 = SM3_E(W07, W14, W04, W10, W01);
150 R2(A, B, C, D, E, F, G, H, 0x8A7A879D, W08, W08 ^ W12);
151 W08 = SM3_E(W08, W15, W05, W11, W02);
152 R2(D, A, B, C, H, E, F, G, 0x14F50F3B, W09, W09 ^ W13);
153 W09 = SM3_E(W09, W00, W06, W12, W03);
154 R2(C, D, A, B, G, H, E, F, 0x29EA1E76, W10, W10 ^ W14);
155 W10 = SM3_E(W10, W01, W07, W13, W04);
156 R2(B, C, D, A, F, G, H, E, 0x53D43CEC, W11, W11 ^ W15);
157 W11 = SM3_E(W11, W02, W08, W14, W05);
158 R2(A, B, C, D, E, F, G, H, 0xA7A879D8, W12, W12 ^ W00);
159 W12 = SM3_E(W12, W03, W09, W15, W06);
160 R2(D, A, B, C, H, E, F, G, 0x4F50F3B1, W13, W13 ^ W01);
161 W13 = SM3_E(W13, W04, W10, W00, W07);
162 R2(C, D, A, B, G, H, E, F, 0x9EA1E762, W14, W14 ^ W02);
163 W14 = SM3_E(W14, W05, W11, W01, W08);
164 R2(B, C, D, A, F, G, H, E, 0x3D43CEC5, W15, W15 ^ W03);
165 W15 = SM3_E(W15, W06, W12, W02, W09);
166 R2(A, B, C, D, E, F, G, H, 0x7A879D8A, W00, W00 ^ W04);
167 W00 = SM3_E(W00, W07, W13, W03, W10);
168 R2(D, A, B, C, H, E, F, G, 0xF50F3B14, W01, W01 ^ W05);
169 W01 = SM3_E(W01, W08, W14, W04, W11);
170 R2(C, D, A, B, G, H, E, F, 0xEA1E7629, W02, W02 ^ W06);
171 W02 = SM3_E(W02, W09, W15, W05, W12);
172 R2(B, C, D, A, F, G, H, E, 0xD43CEC53, W03, W03 ^ W07);
173 W03 = SM3_E(W03, W10, W00, W06, W13);
174 R2(A, B, C, D, E, F, G, H, 0xA879D8A7, W04, W04 ^ W08);
175 W04 = SM3_E(W04, W11, W01, W07, W14);
176 R2(D, A, B, C, H, E, F, G, 0x50F3B14F, W05, W05 ^ W09);
177 W05 = SM3_E(W05, W12, W02, W08, W15);
178 R2(C, D, A, B, G, H, E, F, 0xA1E7629E, W06, W06 ^ W10);
179 W06 = SM3_E(W06, W13, W03, W09, W00);
180 R2(B, C, D, A, F, G, H, E, 0x43CEC53D, W07, W07 ^ W11);
181 W07 = SM3_E(W07, W14, W04, W10, W01);
182 R2(A, B, C, D, E, F, G, H, 0x879D8A7A, W08, W08 ^ W12);
183 W08 = SM3_E(W08, W15, W05, W11, W02);
184 R2(D, A, B, C, H, E, F, G, 0x0F3B14F5, W09, W09 ^ W13);
185 W09 = SM3_E(W09, W00, W06, W12, W03);
186 R2(C, D, A, B, G, H, E, F, 0x1E7629EA, W10, W10 ^ W14);
187 W10 = SM3_E(W10, W01, W07, W13, W04);
188 R2(B, C, D, A, F, G, H, E, 0x3CEC53D4, W11, W11 ^ W15);
189 W11 = SM3_E(W11, W02, W08, W14, W05);
190 R2(A, B, C, D, E, F, G, H, 0x79D8A7A8, W12, W12 ^ W00);
191 W12 = SM3_E(W12, W03, W09, W15, W06);
192 R2(D, A, B, C, H, E, F, G, 0xF3B14F50, W13, W13 ^ W01);
193 W13 = SM3_E(W13, W04, W10, W00, W07);
194 R2(C, D, A, B, G, H, E, F, 0xE7629EA1, W14, W14 ^ W02);
195 W14 = SM3_E(W14, W05, W11, W01, W08);
196 R2(B, C, D, A, F, G, H, E, 0xCEC53D43, W15, W15 ^ W03);
197 W15 = SM3_E(W15, W06, W12, W02, W09);
198 R2(A, B, C, D, E, F, G, H, 0x9D8A7A87, W00, W00 ^ W04);
199 W00 = SM3_E(W00, W07, W13, W03, W10);
200 R2(D, A, B, C, H, E, F, G, 0x3B14F50F, W01, W01 ^ W05);
201 W01 = SM3_E(W01, W08, W14, W04, W11);
202 R2(C, D, A, B, G, H, E, F, 0x7629EA1E, W02, W02 ^ W06);
203 W02 = SM3_E(W02, W09, W15, W05, W12);
204 R2(B, C, D, A, F, G, H, E, 0xEC53D43C, W03, W03 ^ W07);
205 W03 = SM3_E(W03, W10, W00, W06, W13);
206 R2(A, B, C, D, E, F, G, H, 0xD8A7A879, W04, W04 ^ W08);
207 R2(D, A, B, C, H, E, F, G, 0xB14F50F3, W05, W05 ^ W09);
208 R2(C, D, A, B, G, H, E, F, 0x629EA1E7, W06, W06 ^ W10);
209 R2(B, C, D, A, F, G, H, E, 0xC53D43CE, W07, W07 ^ W11);
210 R2(A, B, C, D, E, F, G, H, 0x8A7A879D, W08, W08 ^ W12);
211 R2(D, A, B, C, H, E, F, G, 0x14F50F3B, W09, W09 ^ W13);
212 R2(C, D, A, B, G, H, E, F, 0x29EA1E76, W10, W10 ^ W14);
213 R2(B, C, D, A, F, G, H, E, 0x53D43CEC, W11, W11 ^ W15);
214 R2(A, B, C, D, E, F, G, H, 0xA7A879D8, W12, W12 ^ W00);
215 R2(D, A, B, C, H, E, F, G, 0x4F50F3B1, W13, W13 ^ W01);
216 R2(C, D, A, B, G, H, E, F, 0x9EA1E762, W14, W14 ^ W02);
217 R2(B, C, D, A, F, G, H, E, 0x3D43CEC5, W15, W15 ^ W03);
218
219 A = (m_digest[0] ^= A);
220 B = (m_digest[1] ^= B);
221 C = (m_digest[2] ^= C);
222 D = (m_digest[3] ^= D);
223 E = (m_digest[4] ^= E);
224 F = (m_digest[5] ^= F);
225 G = (m_digest[6] ^= G);
226 H = (m_digest[7] ^= H);
227
228 input += hash_block_size();
229 }
230 }
231
232/*
233* Copy out the digest
234*/
235void SM3::copy_out(uint8_t output[])
236 {
237 copy_out_vec_be(output, output_length(), m_digest);
238 }
239
240/*
241* Clear memory of sensitive data
242*/
243void SM3::clear()
244 {
245 MDx_HashFunction::clear();
246 std::copy(std::begin(SM3_IV), std::end(SM3_IV), m_digest.begin());
247 }
248
249}
Botan::MDx_HashFunction::hash_block_size
size_t hash_block_size() const override final
Definition: mdx_hash.h:33
Botan::MDx_HashFunction::clear
void clear() override
Definition: mdx_hash.cpp:41
Botan::SM3::copy_state
std::unique_ptr< HashFunction > copy_state() const override
Definition: sm3.cpp:16
Botan::SM3::clear
void clear() override
Definition: sm3.cpp:243
Botan::SM3::output_length
size_t output_length() const override
Definition: sm3.h:27
X
fe X
Definition: ge.cpp:26
Botan
Definition: alg_id.cpp:13
Botan::choose
constexpr T choose(T mask, T a, T b)
Definition: bit_ops.h:170
Botan::load_be< uint32_t >
constexpr uint32_t load_be< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:190
Botan::majority
constexpr T majority(T a, T b, T c)
Definition: bit_ops.h:177
Botan::copy_out_vec_be
void copy_out_vec_be(uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
Definition: loadstor.h:684
Generated by doxygen 1.9.3