Botan 3.4.0
Crypto and TLS for C&
sm3.cpp
Go to the documentation of this file.
1/*
2* SM3
3* (C) 2017 Ribose Inc.
4* (C) 2021 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/sm3.h>
10
11#include <botan/internal/bit_ops.h>
12#include <botan/internal/loadstor.h>
13#include <botan/internal/rotate.h>
14#include <botan/internal/stl_util.h>
15
16namespace Botan {
17
18namespace {
19
20inline uint32_t P0(uint32_t X) {
21 return X ^ rotl<9>(X) ^ rotl<17>(X);
22}
23
24inline void R1(uint32_t A,
25 uint32_t& B,
26 uint32_t C,
27 uint32_t& D,
28 uint32_t E,
29 uint32_t& F,
30 uint32_t G,
31 uint32_t& H,
32 uint32_t TJ,
33 uint32_t Wi,
34 uint32_t Wj) {
35 const uint32_t A12 = rotl<12>(A);
36 const uint32_t SS1 = rotl<7>(A12 + E + TJ);
37 const uint32_t TT1 = (A ^ B ^ C) + D + (SS1 ^ A12) + Wj;
38 const uint32_t TT2 = (E ^ F ^ G) + H + SS1 + Wi;
39
40 B = rotl<9>(B);
41 D = TT1;
42 F = rotl<19>(F);
43 H = P0(TT2);
44}
45
46inline void R2(uint32_t A,
47 uint32_t& B,
48 uint32_t C,
49 uint32_t& D,
50 uint32_t E,
51 uint32_t& F,
52 uint32_t G,
53 uint32_t& H,
54 uint32_t TJ,
55 uint32_t Wi,
56 uint32_t Wj) {
57 const uint32_t A12 = rotl<12>(A);
58 const uint32_t SS1 = rotl<7>(A12 + E + TJ);
59 const uint32_t TT1 = majority(A, B, C) + D + (SS1 ^ A12) + Wj;
60 const uint32_t TT2 = choose(E, F, G) + H + SS1 + Wi;
61
62 B = rotl<9>(B);
63 D = TT1;
64 F = rotl<19>(F);
65 H = P0(TT2);
66}
67
68inline uint32_t P1(uint32_t X) {
69 return X ^ rotl<15>(X) ^ rotl<23>(X);
70}
71
72inline uint32_t SM3_E(uint32_t W0, uint32_t W7, uint32_t W13, uint32_t W3, uint32_t W10) {
73 return P1(W0 ^ W7 ^ rotl<15>(W13)) ^ rotl<7>(W3) ^ W10;
74}
75
76} // namespace
77
78/*
79* SM3 Compression Function
80*/
81void SM3::compress_n(digest_type& digest, std::span<const uint8_t> input, size_t blocks) {
82 uint32_t A = digest[0], B = digest[1], C = digest[2], D = digest[3], E = digest[4], F = digest[5], G = digest[6],
83 H = digest[7];
84
85 BufferSlicer in(input);
86
87 for(size_t i = 0; i != blocks; ++i) {
88 const auto block = in.take(block_bytes);
89
90 uint32_t W00 = load_be<uint32_t>(block.data(), 0);
91 uint32_t W01 = load_be<uint32_t>(block.data(), 1);
92 uint32_t W02 = load_be<uint32_t>(block.data(), 2);
93 uint32_t W03 = load_be<uint32_t>(block.data(), 3);
94 uint32_t W04 = load_be<uint32_t>(block.data(), 4);
95 uint32_t W05 = load_be<uint32_t>(block.data(), 5);
96 uint32_t W06 = load_be<uint32_t>(block.data(), 6);
97 uint32_t W07 = load_be<uint32_t>(block.data(), 7);
98 uint32_t W08 = load_be<uint32_t>(block.data(), 8);
99 uint32_t W09 = load_be<uint32_t>(block.data(), 9);
100 uint32_t W10 = load_be<uint32_t>(block.data(), 10);
101 uint32_t W11 = load_be<uint32_t>(block.data(), 11);
102 uint32_t W12 = load_be<uint32_t>(block.data(), 12);
103 uint32_t W13 = load_be<uint32_t>(block.data(), 13);
104 uint32_t W14 = load_be<uint32_t>(block.data(), 14);
105 uint32_t W15 = load_be<uint32_t>(block.data(), 15);
106
107 R1(A, B, C, D, E, F, G, H, 0x79CC4519, W00, W00 ^ W04);
108 W00 = SM3_E(W00, W07, W13, W03, W10);
109 R1(D, A, B, C, H, E, F, G, 0xF3988A32, W01, W01 ^ W05);
110 W01 = SM3_E(W01, W08, W14, W04, W11);
111 R1(C, D, A, B, G, H, E, F, 0xE7311465, W02, W02 ^ W06);
112 W02 = SM3_E(W02, W09, W15, W05, W12);
113 R1(B, C, D, A, F, G, H, E, 0xCE6228CB, W03, W03 ^ W07);
114 W03 = SM3_E(W03, W10, W00, W06, W13);
115 R1(A, B, C, D, E, F, G, H, 0x9CC45197, W04, W04 ^ W08);
116 W04 = SM3_E(W04, W11, W01, W07, W14);
117 R1(D, A, B, C, H, E, F, G, 0x3988A32F, W05, W05 ^ W09);
118 W05 = SM3_E(W05, W12, W02, W08, W15);
119 R1(C, D, A, B, G, H, E, F, 0x7311465E, W06, W06 ^ W10);
120 W06 = SM3_E(W06, W13, W03, W09, W00);
121 R1(B, C, D, A, F, G, H, E, 0xE6228CBC, W07, W07 ^ W11);
122 W07 = SM3_E(W07, W14, W04, W10, W01);
123 R1(A, B, C, D, E, F, G, H, 0xCC451979, W08, W08 ^ W12);
124 W08 = SM3_E(W08, W15, W05, W11, W02);
125 R1(D, A, B, C, H, E, F, G, 0x988A32F3, W09, W09 ^ W13);
126 W09 = SM3_E(W09, W00, W06, W12, W03);
127 R1(C, D, A, B, G, H, E, F, 0x311465E7, W10, W10 ^ W14);
128 W10 = SM3_E(W10, W01, W07, W13, W04);
129 R1(B, C, D, A, F, G, H, E, 0x6228CBCE, W11, W11 ^ W15);
130 W11 = SM3_E(W11, W02, W08, W14, W05);
131 R1(A, B, C, D, E, F, G, H, 0xC451979C, W12, W12 ^ W00);
132 W12 = SM3_E(W12, W03, W09, W15, W06);
133 R1(D, A, B, C, H, E, F, G, 0x88A32F39, W13, W13 ^ W01);
134 W13 = SM3_E(W13, W04, W10, W00, W07);
135 R1(C, D, A, B, G, H, E, F, 0x11465E73, W14, W14 ^ W02);
136 W14 = SM3_E(W14, W05, W11, W01, W08);
137 R1(B, C, D, A, F, G, H, E, 0x228CBCE6, W15, W15 ^ W03);
138 W15 = SM3_E(W15, W06, W12, W02, W09);
139 R2(A, B, C, D, E, F, G, H, 0x9D8A7A87, W00, W00 ^ W04);
140 W00 = SM3_E(W00, W07, W13, W03, W10);
141 R2(D, A, B, C, H, E, F, G, 0x3B14F50F, W01, W01 ^ W05);
142 W01 = SM3_E(W01, W08, W14, W04, W11);
143 R2(C, D, A, B, G, H, E, F, 0x7629EA1E, W02, W02 ^ W06);
144 W02 = SM3_E(W02, W09, W15, W05, W12);
145 R2(B, C, D, A, F, G, H, E, 0xEC53D43C, W03, W03 ^ W07);
146 W03 = SM3_E(W03, W10, W00, W06, W13);
147 R2(A, B, C, D, E, F, G, H, 0xD8A7A879, W04, W04 ^ W08);
148 W04 = SM3_E(W04, W11, W01, W07, W14);
149 R2(D, A, B, C, H, E, F, G, 0xB14F50F3, W05, W05 ^ W09);
150 W05 = SM3_E(W05, W12, W02, W08, W15);
151 R2(C, D, A, B, G, H, E, F, 0x629EA1E7, W06, W06 ^ W10);
152 W06 = SM3_E(W06, W13, W03, W09, W00);
153 R2(B, C, D, A, F, G, H, E, 0xC53D43CE, W07, W07 ^ W11);
154 W07 = SM3_E(W07, W14, W04, W10, W01);
155 R2(A, B, C, D, E, F, G, H, 0x8A7A879D, W08, W08 ^ W12);
156 W08 = SM3_E(W08, W15, W05, W11, W02);
157 R2(D, A, B, C, H, E, F, G, 0x14F50F3B, W09, W09 ^ W13);
158 W09 = SM3_E(W09, W00, W06, W12, W03);
159 R2(C, D, A, B, G, H, E, F, 0x29EA1E76, W10, W10 ^ W14);
160 W10 = SM3_E(W10, W01, W07, W13, W04);
161 R2(B, C, D, A, F, G, H, E, 0x53D43CEC, W11, W11 ^ W15);
162 W11 = SM3_E(W11, W02, W08, W14, W05);
163 R2(A, B, C, D, E, F, G, H, 0xA7A879D8, W12, W12 ^ W00);
164 W12 = SM3_E(W12, W03, W09, W15, W06);
165 R2(D, A, B, C, H, E, F, G, 0x4F50F3B1, W13, W13 ^ W01);
166 W13 = SM3_E(W13, W04, W10, W00, W07);
167 R2(C, D, A, B, G, H, E, F, 0x9EA1E762, W14, W14 ^ W02);
168 W14 = SM3_E(W14, W05, W11, W01, W08);
169 R2(B, C, D, A, F, G, H, E, 0x3D43CEC5, W15, W15 ^ W03);
170 W15 = SM3_E(W15, W06, W12, W02, W09);
171 R2(A, B, C, D, E, F, G, H, 0x7A879D8A, W00, W00 ^ W04);
172 W00 = SM3_E(W00, W07, W13, W03, W10);
173 R2(D, A, B, C, H, E, F, G, 0xF50F3B14, W01, W01 ^ W05);
174 W01 = SM3_E(W01, W08, W14, W04, W11);
175 R2(C, D, A, B, G, H, E, F, 0xEA1E7629, W02, W02 ^ W06);
176 W02 = SM3_E(W02, W09, W15, W05, W12);
177 R2(B, C, D, A, F, G, H, E, 0xD43CEC53, W03, W03 ^ W07);
178 W03 = SM3_E(W03, W10, W00, W06, W13);
179 R2(A, B, C, D, E, F, G, H, 0xA879D8A7, W04, W04 ^ W08);
180 W04 = SM3_E(W04, W11, W01, W07, W14);
181 R2(D, A, B, C, H, E, F, G, 0x50F3B14F, W05, W05 ^ W09);
182 W05 = SM3_E(W05, W12, W02, W08, W15);
183 R2(C, D, A, B, G, H, E, F, 0xA1E7629E, W06, W06 ^ W10);
184 W06 = SM3_E(W06, W13, W03, W09, W00);
185 R2(B, C, D, A, F, G, H, E, 0x43CEC53D, W07, W07 ^ W11);
186 W07 = SM3_E(W07, W14, W04, W10, W01);
187 R2(A, B, C, D, E, F, G, H, 0x879D8A7A, W08, W08 ^ W12);
188 W08 = SM3_E(W08, W15, W05, W11, W02);
189 R2(D, A, B, C, H, E, F, G, 0x0F3B14F5, W09, W09 ^ W13);
190 W09 = SM3_E(W09, W00, W06, W12, W03);
191 R2(C, D, A, B, G, H, E, F, 0x1E7629EA, W10, W10 ^ W14);
192 W10 = SM3_E(W10, W01, W07, W13, W04);
193 R2(B, C, D, A, F, G, H, E, 0x3CEC53D4, W11, W11 ^ W15);
194 W11 = SM3_E(W11, W02, W08, W14, W05);
195 R2(A, B, C, D, E, F, G, H, 0x79D8A7A8, W12, W12 ^ W00);
196 W12 = SM3_E(W12, W03, W09, W15, W06);
197 R2(D, A, B, C, H, E, F, G, 0xF3B14F50, W13, W13 ^ W01);
198 W13 = SM3_E(W13, W04, W10, W00, W07);
199 R2(C, D, A, B, G, H, E, F, 0xE7629EA1, W14, W14 ^ W02);
200 W14 = SM3_E(W14, W05, W11, W01, W08);
201 R2(B, C, D, A, F, G, H, E, 0xCEC53D43, W15, W15 ^ W03);
202 W15 = SM3_E(W15, W06, W12, W02, W09);
203 R2(A, B, C, D, E, F, G, H, 0x9D8A7A87, W00, W00 ^ W04);
204 W00 = SM3_E(W00, W07, W13, W03, W10);
205 R2(D, A, B, C, H, E, F, G, 0x3B14F50F, W01, W01 ^ W05);
206 W01 = SM3_E(W01, W08, W14, W04, W11);
207 R2(C, D, A, B, G, H, E, F, 0x7629EA1E, W02, W02 ^ W06);
208 W02 = SM3_E(W02, W09, W15, W05, W12);
209 R2(B, C, D, A, F, G, H, E, 0xEC53D43C, W03, W03 ^ W07);
210 W03 = SM3_E(W03, W10, W00, W06, W13);
211 R2(A, B, C, D, E, F, G, H, 0xD8A7A879, W04, W04 ^ W08);
212 R2(D, A, B, C, H, E, F, G, 0xB14F50F3, W05, W05 ^ W09);
213 R2(C, D, A, B, G, H, E, F, 0x629EA1E7, W06, W06 ^ W10);
214 R2(B, C, D, A, F, G, H, E, 0xC53D43CE, W07, W07 ^ W11);
215 R2(A, B, C, D, E, F, G, H, 0x8A7A879D, W08, W08 ^ W12);
216 R2(D, A, B, C, H, E, F, G, 0x14F50F3B, W09, W09 ^ W13);
217 R2(C, D, A, B, G, H, E, F, 0x29EA1E76, W10, W10 ^ W14);
218 R2(B, C, D, A, F, G, H, E, 0x53D43CEC, W11, W11 ^ W15);
219 R2(A, B, C, D, E, F, G, H, 0xA7A879D8, W12, W12 ^ W00);
220 R2(D, A, B, C, H, E, F, G, 0x4F50F3B1, W13, W13 ^ W01);
221 R2(C, D, A, B, G, H, E, F, 0x9EA1E762, W14, W14 ^ W02);
222 R2(B, C, D, A, F, G, H, E, 0x3D43CEC5, W15, W15 ^ W03);
223
224 A = (digest[0] ^= A);
225 B = (digest[1] ^= B);
226 C = (digest[2] ^= C);
227 D = (digest[3] ^= D);
228 E = (digest[4] ^= E);
229 F = (digest[5] ^= F);
230 G = (digest[6] ^= G);
231 H = (digest[7] ^= H);
232 }
233}
234
235void SM3::init(digest_type& digest) {
236 digest.assign(
237 {0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL, 0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL});
238}
239
240std::unique_ptr<HashFunction> SM3::new_object() const {
241 return std::make_unique<SM3>();
242}
243
244std::unique_ptr<HashFunction> SM3::copy_state() const {
245 return std::make_unique<SM3>(*this);
246}
247
248void SM3::add_data(std::span<const uint8_t> input) {
249 m_md.update(input);
250}
251
252void SM3::final_result(std::span<uint8_t> output) {
253 m_md.final(output);
254}
255
256} // namespace Botan
Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:156
Botan::SM3::copy_state
std::unique_ptr< HashFunction > copy_state() const override
Definition sm3.cpp:244
Botan::SM3::new_object
std::unique_ptr< HashFunction > new_object() const override
Definition sm3.cpp:240
Botan::SM3::digest_type
secure_vector< uint32_t > digest_type
Definition sm3.h:20
Botan::SM3::block_bytes
static constexpr size_t block_bytes
Definition sm3.h:24
Botan::SM3::compress_n
static void compress_n(digest_type &digest, std::span< const uint8_t > input, size_t blocks)
Definition sm3.cpp:81
Botan::SM3::init
static void init(digest_type &digest)
Definition sm3.cpp:235
X
FE_25519 X
Definition ge.cpp:25
Botan::choose
constexpr T choose(T mask, T a, T b)
Definition bit_ops.h:180
Botan::majority
constexpr T majority(T a, T b, T c)
Definition bit_ops.h:186
Generated by doxygen 1.10.0