New Camellia implementation (replacing previous version)
[openssl.git] / crypto / camellia / camellia.c
1 /* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
2 /* ====================================================================
3  * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . 
4  * ALL RIGHTS RESERVED.
5  *
6  * Intellectual Property information for Camellia:
7  *     http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
8  *
9  * News Release for Announcement of Camellia open source:
10  *     http://www.ntt.co.jp/news/news06e/0604/060413a.html
11  *
12  * The Camellia Code included herein is developed by
13  * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
14  * to the OpenSSL project.
15  *
16  * The Camellia Code is licensed pursuant to the OpenSSL open source
17  * license provided below.
18  */
19 /* ====================================================================
20  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  *
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer. 
28  *
29  * 2. Redistributions in binary form must reproduce the above copyright
30  *    notice, this list of conditions and the following disclaimer in
31  *    the documentation and/or other materials provided with the
32  *    distribution.
33  *
34  * 3. All advertising materials mentioning features or use of this
35  *    software must display the following acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
38  *
39  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
40  *    endorse or promote products derived from this software without
41  *    prior written permission. For written permission, please contact
42  *    openssl-core@openssl.org.
43  *
44  * 5. Products derived from this software may not be called "OpenSSL"
45  *    nor may "OpenSSL" appear in their names without prior written
46  *    permission of the OpenSSL Project.
47  *
48  * 6. Redistributions of any form whatsoever must retain the following
49  *    acknowledgment:
50  *    "This product includes software developed by the OpenSSL Project
51  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
52  *
53  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
54  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
57  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
58  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
59  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
60  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
62  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
63  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
64  * OF THE POSSIBILITY OF SUCH DAMAGE.
65  * ====================================================================
66  */
67
68 /* Algorithm Specification 
69    http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
70 */
71
72
73 #include <string.h>
74 #include <stdlib.h>
75
76 #include "camellia.h"
77 #include "cmll_locl.h"
78
79 /*
80  * must be defined uint32_t
81  */
82
83 /* key constants */
84
85 #define CAMELLIA_SIGMA1L (0xA09E667FL)
86 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
87 #define CAMELLIA_SIGMA2L (0xB67AE858L)
88 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
89 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
90 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
91 #define CAMELLIA_SIGMA4L (0x54FF53A5L)
92 #define CAMELLIA_SIGMA4R (0xF1D36F1CL)
93 #define CAMELLIA_SIGMA5L (0x10E527FAL)
94 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
95 #define CAMELLIA_SIGMA6L (0xB05688C2L)
96 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
97
98 /*
99  *  macros
100  */
101
102 /* e is pointer of subkey */
103 #ifdef L_ENDIAN
104
105 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2 + 1])
106 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2])
107
108 #else /* big endian */
109
110 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
111 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
112
113 #endif /* IS_LITTLE_ENDIAN */
114
115 /* rotation right shift 1byte */
116 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
117 /* rotation left shift 1bit */
118 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
119 /* rotation left shift 1byte */
120 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
121
122 #define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)    \
123 do                                                      \
124         {                                               \
125         w0 = ll;                                        \
126         ll = (ll << bits) + (lr >> (32 - bits));        \
127         lr = (lr << bits) + (rl >> (32 - bits));        \
128         rl = (rl << bits) + (rr >> (32 - bits));        \
129         rr = (rr << bits) + (w0 >> (32 - bits));        \
130         } while(0)
131
132 #define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
133 do                                                      \
134         {                                               \
135         w0 = ll;                                        \
136         w1 = lr;                                        \
137         ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
138         lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
139         rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
140         rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
141         } while(0)
142
143 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
144 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
145 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
146 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
147
148 #define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)              \
149 do                                                                      \
150         {                                                               \
151         il = xl ^ kl;                                                   \
152         ir = xr ^ kr;                                                   \
153         t0 = il >> 16;                                                  \
154         t1 = ir >> 16;                                                  \
155         yl = CAMELLIA_SP1110(ir & 0xff)                                 \
156                 ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)                     \
157                 ^ CAMELLIA_SP3033(t1 & 0xff)                            \
158                 ^ CAMELLIA_SP4404((ir >> 8) & 0xff);                    \
159         yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)                          \
160                 ^ CAMELLIA_SP0222(t0 & 0xff)                            \
161                 ^ CAMELLIA_SP3033((il >> 8) & 0xff)                     \
162                 ^ CAMELLIA_SP4404(il & 0xff);                           \
163         yl ^= yr;                                                       \
164         yr = CAMELLIA_RR8(yr);                                          \
165         yr ^= yl;                                                       \
166         } while(0)
167
168
169 /*
170  * for speed up
171  *
172  */
173 #if !defined(_MSC_VER)
174
175 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
176 do                                                                      \
177         {                                                               \
178         t0 = kll;                                                       \
179         t2 = krr;                                                       \
180         t0 &= ll;                                                       \
181         t2 |= rr;                                                       \
182         rl ^= t2;                                                       \
183         lr ^= CAMELLIA_RL1(t0);                                         \
184         t3 = krl;                                                       \
185         t1 = klr;                                                       \
186         t3 &= rl;                                                       \
187         t1 |= lr;                                                       \
188         ll ^= t1;                                                       \
189         rr ^= CAMELLIA_RL1(t3);                                         \
190         } while(0)
191
192 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)        \
193 do                                                                      \
194         {                                                               \
195         ir =  CAMELLIA_SP1110(xr & 0xff);                               \
196         il =  CAMELLIA_SP1110((xl>>24) & 0xff);                         \
197         ir ^= CAMELLIA_SP0222((xr>>24) & 0xff);                         \
198         il ^= CAMELLIA_SP0222((xl>>16) & 0xff);                         \
199         ir ^= CAMELLIA_SP3033((xr>>16) & 0xff);                         \
200         il ^= CAMELLIA_SP3033((xl>>8) & 0xff);                          \
201         ir ^= CAMELLIA_SP4404((xr>>8) & 0xff);                          \
202         il ^= CAMELLIA_SP4404(xl & 0xff);                               \
203         il ^= kl;                                                       \
204         ir ^= il ^ kr;                                                  \
205         yl ^= ir;                                                       \
206         yr ^= CAMELLIA_RR8(il) ^ ir;                                    \
207         } while(0)
208
209 #else /* for MS-VC */
210
211 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
212 do                                                                      \
213         {                                                               \
214         t0 = kll;                                                       \
215         t0 &= ll;                                                       \
216         lr ^= CAMELLIA_RL1(t0);                                         \
217         t1 = klr;                                                       \
218         t1 |= lr;                                                       \
219         ll ^= t1;                                                       \
220                                                                         \
221         t2 = krr;                                                       \
222         t2 |= rr;                                                       \
223         rl ^= t2;                                                       \
224         t3 = krl;                                                       \
225         t3 &= rl;                                                       \
226         rr ^= CAMELLIA_RL1(t3);                                         \
227         } while(0)
228
229 #define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)        \
230 do                                                                      \
231         {                                                               \
232         il = xl;                                                        \
233         ir = xr;                                                        \
234         t0 = il >> 16;                                                  \
235         t1 = ir >> 16;                                                  \
236         ir = CAMELLIA_SP1110(ir & 0xff)                                 \
237                 ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)                     \
238                 ^ CAMELLIA_SP3033(t1 & 0xff)                            \
239                 ^ CAMELLIA_SP4404((ir >> 8) & 0xff);                    \
240         il = CAMELLIA_SP1110((t0 >> 8) & 0xff)                          \
241                 ^ CAMELLIA_SP0222(t0 & 0xff)                            \
242                 ^ CAMELLIA_SP3033((il >> 8) & 0xff)                     \
243                 ^ CAMELLIA_SP4404(il & 0xff);                           \
244         il ^= kl;                                                       \
245         ir ^= kr;                                                       \
246         ir ^= il;                                                       \
247         il = CAMELLIA_RR8(il);                                          \
248         il ^= ir;                                                       \
249         yl ^= ir;                                                       \
250         yr ^= il;                                                       \
251         } while(0)
252 #endif
253
254 static const uint32_t camellia_sp1110[256] =
255         {
256         0x70707000,0x82828200,0x2c2c2c00,0xececec00,
257         0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
258         0xe4e4e400,0x85858500,0x57575700,0x35353500,
259         0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
260         0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
261         0x45454500,0x19191900,0xa5a5a500,0x21212100,
262         0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
263         0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
264         0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
265         0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
266         0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
267         0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
268         0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
269         0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
270         0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
271         0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
272         0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
273         0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
274         0x74747400,0x12121200,0x2b2b2b00,0x20202000,
275         0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
276         0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
277         0x34343400,0x7e7e7e00,0x76767600,0x05050500,
278         0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
279         0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
280         0x14141400,0x58585800,0x3a3a3a00,0x61616100,
281         0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
282         0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
283         0x53535300,0x18181800,0xf2f2f200,0x22222200,
284         0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
285         0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
286         0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
287         0x60606000,0xfcfcfc00,0x69696900,0x50505000,
288         0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
289         0xa1a1a100,0x89898900,0x62626200,0x97979700,
290         0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
291         0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
292         0x10101000,0xc4c4c400,0x00000000,0x48484800,
293         0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
294         0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
295         0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
296         0x87878700,0x5c5c5c00,0x83838300,0x02020200,
297         0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
298         0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
299         0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
300         0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
301         0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
302         0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
303         0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
304         0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
305         0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
306         0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
307         0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
308         0x78787800,0x98989800,0x06060600,0x6a6a6a00,
309         0xe7e7e700,0x46464600,0x71717100,0xbababa00,
310         0xd4d4d400,0x25252500,0xababab00,0x42424200,
311         0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
312         0x72727200,0x07070700,0xb9b9b900,0x55555500,
313         0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
314         0x36363600,0x49494900,0x2a2a2a00,0x68686800,
315         0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
316         0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
317         0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
318         0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
319         0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
320         };
321
322 static const uint32_t camellia_sp0222[256] =
323         {
324         0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
325         0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
326         0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
327         0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
328         0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
329         0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
330         0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
331         0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
332         0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
333         0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
334         0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
335         0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
336         0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
337         0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
338         0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
339         0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
340         0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
341         0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
342         0x00e8e8e8,0x00242424,0x00565656,0x00404040,
343         0x00e1e1e1,0x00636363,0x00090909,0x00333333,
344         0x00bfbfbf,0x00989898,0x00979797,0x00858585,
345         0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
346         0x00dadada,0x006f6f6f,0x00535353,0x00626262,
347         0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
348         0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
349         0x00bdbdbd,0x00363636,0x00222222,0x00383838,
350         0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
351         0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
352         0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
353         0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
354         0x00484848,0x00101010,0x00d1d1d1,0x00515151,
355         0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
356         0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
357         0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
358         0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
359         0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
360         0x00202020,0x00898989,0x00000000,0x00909090,
361         0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
362         0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
363         0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
364         0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
365         0x009b9b9b,0x00949494,0x00212121,0x00666666,
366         0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
367         0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
368         0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
369         0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
370         0x00030303,0x002d2d2d,0x00dedede,0x00969696,
371         0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
372         0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
373         0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
374         0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
375         0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
376         0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
377         0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
378         0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
379         0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
380         0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
381         0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
382         0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
383         0x00787878,0x00707070,0x00e3e3e3,0x00494949,
384         0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
385         0x00777777,0x00939393,0x00868686,0x00838383,
386         0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
387         0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
388         };
389
390 static const uint32_t camellia_sp3033[256] =
391         {
392         0x38003838,0x41004141,0x16001616,0x76007676,
393         0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
394         0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
395         0x75007575,0x06000606,0x57005757,0xa000a0a0,
396         0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
397         0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
398         0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
399         0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
400         0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
401         0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
402         0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
403         0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
404         0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
405         0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
406         0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
407         0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
408         0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
409         0xfd00fdfd,0x66006666,0x58005858,0x96009696,
410         0x3a003a3a,0x09000909,0x95009595,0x10001010,
411         0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
412         0xef00efef,0x26002626,0xe500e5e5,0x61006161,
413         0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
414         0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
415         0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
416         0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
417         0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
418         0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
419         0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
420         0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
421         0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
422         0x12001212,0x04000404,0x74007474,0x54005454,
423         0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
424         0x55005555,0x68006868,0x50005050,0xbe00bebe,
425         0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
426         0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
427         0x70007070,0xff00ffff,0x32003232,0x69006969,
428         0x08000808,0x62006262,0x00000000,0x24002424,
429         0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
430         0x45004545,0x81008181,0x73007373,0x6d006d6d,
431         0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
432         0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
433         0xe600e6e6,0x25002525,0x48004848,0x99009999,
434         0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
435         0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
436         0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
437         0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
438         0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
439         0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
440         0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
441         0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
442         0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
443         0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
444         0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
445         0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
446         0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
447         0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
448         0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
449         0x7c007c7c,0x77007777,0x56005656,0x05000505,
450         0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
451         0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
452         0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
453         0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
454         0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
455         0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
456         };
457
458 static const uint32_t camellia_sp4404[256] =
459         {
460         0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
461         0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
462         0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
463         0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
464         0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
465         0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
466         0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
467         0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
468         0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
469         0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
470         0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
471         0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
472         0x14140014,0x3a3a003a,0xdede00de,0x11110011,
473         0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
474         0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
475         0x24240024,0xe8e800e8,0x60600060,0x69690069,
476         0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
477         0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
478         0x10100010,0x00000000,0xa3a300a3,0x75750075,
479         0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
480         0x87870087,0x83830083,0xcdcd00cd,0x90900090,
481         0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
482         0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
483         0x81810081,0x6f6f006f,0x13130013,0x63630063,
484         0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
485         0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
486         0x78780078,0x06060006,0xe7e700e7,0x71710071,
487         0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
488         0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
489         0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
490         0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
491         0x15150015,0xadad00ad,0x77770077,0x80800080,
492         0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
493         0x85850085,0x35350035,0x0c0c000c,0x41410041,
494         0xefef00ef,0x93930093,0x19190019,0x21210021,
495         0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
496         0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
497         0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
498         0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
499         0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
500         0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
501         0x12120012,0x20200020,0xb1b100b1,0x99990099,
502         0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
503         0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
504         0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
505         0x0f0f000f,0x16160016,0x18180018,0x22220022,
506         0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
507         0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
508         0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
509         0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
510         0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
511         0x03030003,0xdada00da,0x3f3f003f,0x94940094,
512         0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
513         0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
514         0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
515         0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
516         0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
517         0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
518         0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
519         0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
520         0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
521         0x49490049,0x68680068,0x38380038,0xa4a400a4,
522         0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
523         0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
524         };
525
526
527 /**
528  * Stuff related to the Camellia key schedule
529  */
530 #define subl(x) subL[(x)]
531 #define subr(x) subR[(x)]
532
533 void camellia_setup128(const unsigned char *key, uint32_t *subkey)
534         {
535         uint32_t kll, klr, krl, krr;
536         uint32_t il, ir, t0, t1, w0, w1;
537         uint32_t kw4l, kw4r, dw, tl, tr;
538         uint32_t subL[26];
539         uint32_t subR[26];
540
541         /**
542          *  k == kll || klr || krl || krr (|| is concatination)
543          */
544         kll = GETU32(key     );
545         klr = GETU32(key +  4);
546         krl = GETU32(key +  8);
547         krr = GETU32(key + 12);
548         /**
549          * generate KL dependent subkeys
550          */
551         /* kw1 */
552         subl(0) = kll; subr(0) = klr;
553         /* kw2 */
554         subl(1) = krl; subr(1) = krr;
555         /* rotation left shift 15bit */
556         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
557         /* k3 */
558         subl(4) = kll; subr(4) = klr;
559         /* k4 */
560         subl(5) = krl; subr(5) = krr;
561         /* rotation left shift 15+30bit */
562         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
563         /* k7 */
564         subl(10) = kll; subr(10) = klr;
565         /* k8 */
566         subl(11) = krl; subr(11) = krr;
567         /* rotation left shift 15+30+15bit */
568         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
569         /* k10 */
570         subl(13) = krl; subr(13) = krr;
571         /* rotation left shift 15+30+15+17 bit */
572         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
573         /* kl3 */
574         subl(16) = kll; subr(16) = klr;
575         /* kl4 */
576         subl(17) = krl; subr(17) = krr;
577         /* rotation left shift 15+30+15+17+17 bit */
578         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
579         /* k13 */
580         subl(18) = kll; subr(18) = klr;
581         /* k14 */
582         subl(19) = krl; subr(19) = krr;
583         /* rotation left shift 15+30+15+17+17+17 bit */
584         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
585         /* k17 */
586         subl(22) = kll; subr(22) = klr;
587         /* k18 */
588         subl(23) = krl; subr(23) = krr;
589
590         /* generate KA */
591         kll = subl(0); klr = subr(0);
592         krl = subl(1); krr = subr(1);
593         CAMELLIA_F(kll, klr,
594                 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
595                 w0, w1, il, ir, t0, t1);
596         krl ^= w0; krr ^= w1;
597         CAMELLIA_F(krl, krr,
598                 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
599                 kll, klr, il, ir, t0, t1);
600         /* current status == (kll, klr, w0, w1) */
601         CAMELLIA_F(kll, klr,
602                 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
603                 krl, krr, il, ir, t0, t1);
604         krl ^= w0; krr ^= w1;
605         CAMELLIA_F(krl, krr,
606                 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
607                 w0, w1, il, ir, t0, t1);
608         kll ^= w0; klr ^= w1;
609
610         /* generate KA dependent subkeys */
611         /* k1, k2 */
612         subl(2) = kll; subr(2) = klr;
613         subl(3) = krl; subr(3) = krr;
614         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
615         /* k5,k6 */
616         subl(6) = kll; subr(6) = klr;
617         subl(7) = krl; subr(7) = krr;
618         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
619         /* kl1, kl2 */
620         subl(8) = kll; subr(8) = klr;
621         subl(9) = krl; subr(9) = krr;
622         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
623         /* k9 */
624         subl(12) = kll; subr(12) = klr;
625         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
626         /* k11, k12 */
627         subl(14) = kll; subr(14) = klr;
628         subl(15) = krl; subr(15) = krr;
629         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
630         /* k15, k16 */
631         subl(20) = kll; subr(20) = klr;
632         subl(21) = krl; subr(21) = krr;
633         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
634         /* kw3, kw4 */
635         subl(24) = kll; subr(24) = klr;
636         subl(25) = krl; subr(25) = krr;
637
638
639         /* absorb kw2 to other subkeys */
640 /* round 2 */
641         subl(3) ^= subl(1); subr(3) ^= subr(1);
642 /* round 4 */
643         subl(5) ^= subl(1); subr(5) ^= subr(1);
644 /* round 6 */
645         subl(7) ^= subl(1); subr(7) ^= subr(1);
646         subl(1) ^= subr(1) & ~subr(9);
647         dw = subl(1) & subl(9),
648                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
649 /* round 8 */
650         subl(11) ^= subl(1); subr(11) ^= subr(1);
651 /* round 10 */
652         subl(13) ^= subl(1); subr(13) ^= subr(1);
653 /* round 12 */
654         subl(15) ^= subl(1); subr(15) ^= subr(1);
655         subl(1) ^= subr(1) & ~subr(17);
656         dw = subl(1) & subl(17),
657                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
658 /* round 14 */
659         subl(19) ^= subl(1); subr(19) ^= subr(1);
660 /* round 16 */
661         subl(21) ^= subl(1); subr(21) ^= subr(1);
662 /* round 18 */
663         subl(23) ^= subl(1); subr(23) ^= subr(1);
664 /* kw3 */
665         subl(24) ^= subl(1); subr(24) ^= subr(1);
666
667         /* absorb kw4 to other subkeys */
668         kw4l = subl(25); kw4r = subr(25);
669 /* round 17 */
670         subl(22) ^= kw4l; subr(22) ^= kw4r;
671 /* round 15 */
672         subl(20) ^= kw4l; subr(20) ^= kw4r;
673 /* round 13 */
674         subl(18) ^= kw4l; subr(18) ^= kw4r;
675         kw4l ^= kw4r & ~subr(16);
676         dw = kw4l & subl(16),
677                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
678 /* round 11 */
679         subl(14) ^= kw4l; subr(14) ^= kw4r;
680 /* round 9 */
681         subl(12) ^= kw4l; subr(12) ^= kw4r;
682 /* round 7 */
683         subl(10) ^= kw4l; subr(10) ^= kw4r;
684         kw4l ^= kw4r & ~subr(8);
685         dw = kw4l & subl(8),
686                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
687 /* round 5 */
688         subl(6) ^= kw4l; subr(6) ^= kw4r;
689 /* round 3 */
690         subl(4) ^= kw4l; subr(4) ^= kw4r;
691 /* round 1 */
692         subl(2) ^= kw4l; subr(2) ^= kw4r;
693 /* kw1 */
694         subl(0) ^= kw4l; subr(0) ^= kw4r;
695
696
697         /* key XOR is end of F-function */
698         CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
699         CamelliaSubkeyR(0) = subr(0) ^ subr(2);
700         CamelliaSubkeyL(2) = subl(3);       /* round 1 */
701         CamelliaSubkeyR(2) = subr(3);
702         CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
703         CamelliaSubkeyR(3) = subr(2) ^ subr(4);
704         CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
705         CamelliaSubkeyR(4) = subr(3) ^ subr(5);
706         CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
707         CamelliaSubkeyR(5) = subr(4) ^ subr(6);
708         CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
709         CamelliaSubkeyR(6) = subr(5) ^ subr(7);
710         tl = subl(10) ^ (subr(10) & ~subr(8));
711         dw = tl & subl(8),  /* FL(kl1) */
712                 tr = subr(10) ^ CAMELLIA_RL1(dw);
713         CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
714         CamelliaSubkeyR(7) = subr(6) ^ tr;
715         CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
716         CamelliaSubkeyR(8) = subr(8);
717         CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
718         CamelliaSubkeyR(9) = subr(9);
719         tl = subl(7) ^ (subr(7) & ~subr(9));
720         dw = tl & subl(9),  /* FLinv(kl2) */
721                 tr = subr(7) ^ CAMELLIA_RL1(dw);
722         CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
723         CamelliaSubkeyR(10) = tr ^ subr(11);
724         CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
725         CamelliaSubkeyR(11) = subr(10) ^ subr(12);
726         CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
727         CamelliaSubkeyR(12) = subr(11) ^ subr(13);
728         CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
729         CamelliaSubkeyR(13) = subr(12) ^ subr(14);
730         CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
731         CamelliaSubkeyR(14) = subr(13) ^ subr(15);
732         tl = subl(18) ^ (subr(18) & ~subr(16));
733         dw = tl & subl(16), /* FL(kl3) */
734                 tr = subr(18) ^ CAMELLIA_RL1(dw);
735         CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
736         CamelliaSubkeyR(15) = subr(14) ^ tr;
737         CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
738         CamelliaSubkeyR(16) = subr(16);
739         CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
740         CamelliaSubkeyR(17) = subr(17);
741         tl = subl(15) ^ (subr(15) & ~subr(17));
742         dw = tl & subl(17), /* FLinv(kl4) */
743                 tr = subr(15) ^ CAMELLIA_RL1(dw);
744         CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
745         CamelliaSubkeyR(18) = tr ^ subr(19);
746         CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
747         CamelliaSubkeyR(19) = subr(18) ^ subr(20);
748         CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
749         CamelliaSubkeyR(20) = subr(19) ^ subr(21);
750         CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
751         CamelliaSubkeyR(21) = subr(20) ^ subr(22);
752         CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
753         CamelliaSubkeyR(22) = subr(21) ^ subr(23);
754         CamelliaSubkeyL(23) = subl(22);     /* round 18 */
755         CamelliaSubkeyR(23) = subr(22);
756         CamelliaSubkeyL(24) = subl(24) ^ subl(23); /* kw3 */
757         CamelliaSubkeyR(24) = subr(24) ^ subr(23);
758
759         /* apply the inverse of the last half of P-function */
760         dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
761                 dw = CAMELLIA_RL8(dw);/* round 1 */
762         CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
763                 CamelliaSubkeyL(2) = dw;
764         dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
765                 dw = CAMELLIA_RL8(dw);/* round 2 */
766         CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
767                 CamelliaSubkeyL(3) = dw;
768         dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
769                 dw = CAMELLIA_RL8(dw);/* round 3 */
770         CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
771                 CamelliaSubkeyL(4) = dw;
772         dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
773                 dw = CAMELLIA_RL8(dw);/* round 4 */
774         CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
775                 CamelliaSubkeyL(5) = dw;
776         dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
777                 dw = CAMELLIA_RL8(dw);/* round 5 */
778         CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
779                 CamelliaSubkeyL(6) = dw;
780         dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
781                 dw = CAMELLIA_RL8(dw);/* round 6 */
782         CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
783                 CamelliaSubkeyL(7) = dw;
784         dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
785                 dw = CAMELLIA_RL8(dw);/* round 7 */
786         CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
787                 CamelliaSubkeyL(10) = dw;
788         dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
789                 dw = CAMELLIA_RL8(dw);/* round 8 */
790         CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
791                 CamelliaSubkeyL(11) = dw;
792         dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
793                 dw = CAMELLIA_RL8(dw);/* round 9 */
794         CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
795                 CamelliaSubkeyL(12) = dw;
796         dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
797                 dw = CAMELLIA_RL8(dw);/* round 10 */
798         CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
799                 CamelliaSubkeyL(13) = dw;
800         dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
801                 dw = CAMELLIA_RL8(dw);/* round 11 */
802         CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
803                 CamelliaSubkeyL(14) = dw;
804         dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
805                 dw = CAMELLIA_RL8(dw);/* round 12 */
806         CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
807                 CamelliaSubkeyL(15) = dw;
808         dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
809                 dw = CAMELLIA_RL8(dw);/* round 13 */
810         CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
811                 CamelliaSubkeyL(18) = dw;
812         dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
813                 dw = CAMELLIA_RL8(dw);/* round 14 */
814         CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
815                 CamelliaSubkeyL(19) = dw;
816         dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
817                 dw = CAMELLIA_RL8(dw);/* round 15 */
818         CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
819                 CamelliaSubkeyL(20) = dw;
820         dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
821                 dw = CAMELLIA_RL8(dw);/* round 16 */
822         CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
823                 CamelliaSubkeyL(21) = dw;
824         dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
825                 dw = CAMELLIA_RL8(dw);/* round 17 */
826         CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
827                 CamelliaSubkeyL(22) = dw;
828         dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
829                 dw = CAMELLIA_RL8(dw);/* round 18 */
830         CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
831                 CamelliaSubkeyL(23) = dw;
832
833         return;
834         }
835
836 void camellia_setup256(const unsigned char *key, uint32_t *subkey)
837         {
838         uint32_t kll,klr,krl,krr;           /* left half of key */
839         uint32_t krll,krlr,krrl,krrr;       /* right half of key */
840         uint32_t il, ir, t0, t1, w0, w1;    /* temporary variables */
841         uint32_t kw4l, kw4r, dw, tl, tr;
842         uint32_t subL[34];
843         uint32_t subR[34];
844
845         /**
846          *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
847          *  (|| is concatination)
848          */
849
850         kll  = GETU32(key     );
851         klr  = GETU32(key +  4);
852         krl  = GETU32(key +  8);
853         krr  = GETU32(key + 12);
854         krll = GETU32(key + 16);
855         krlr = GETU32(key + 20);
856         krrl = GETU32(key + 24);
857         krrr = GETU32(key + 28);
858
859         /* generate KL dependent subkeys */
860         /* kw1 */
861         subl(0) = kll; subr(0) = klr;
862         /* kw2 */
863         subl(1) = krl; subr(1) = krr;
864         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
865         /* k9 */
866         subl(12) = kll; subr(12) = klr;
867         /* k10 */
868         subl(13) = krl; subr(13) = krr;
869         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
870         /* kl3 */
871         subl(16) = kll; subr(16) = klr;
872         /* kl4 */
873         subl(17) = krl; subr(17) = krr;
874         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
875         /* k17 */
876         subl(22) = kll; subr(22) = klr;
877         /* k18 */
878         subl(23) = krl; subr(23) = krr;
879         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
880         /* k23 */
881         subl(30) = kll; subr(30) = klr;
882         /* k24 */
883         subl(31) = krl; subr(31) = krr;
884
885         /* generate KR dependent subkeys */
886         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
887         /* k3 */
888         subl(4) = krll; subr(4) = krlr;
889         /* k4 */
890         subl(5) = krrl; subr(5) = krrr;
891         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
892         /* kl1 */
893         subl(8) = krll; subr(8) = krlr;
894         /* kl2 */
895         subl(9) = krrl; subr(9) = krrr;
896         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
897         /* k13 */
898         subl(18) = krll; subr(18) = krlr;
899         /* k14 */
900         subl(19) = krrl; subr(19) = krrr;
901         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
902         /* k19 */
903         subl(26) = krll; subr(26) = krlr;
904         /* k20 */
905         subl(27) = krrl; subr(27) = krrr;
906         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
907
908         /* generate KA */
909         kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
910         krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
911         CAMELLIA_F(kll, klr,
912                 CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
913                 w0, w1, il, ir, t0, t1);
914         krl ^= w0; krr ^= w1;
915         CAMELLIA_F(krl, krr,
916                 CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
917                 kll, klr, il, ir, t0, t1);
918         kll ^= krll; klr ^= krlr;
919         CAMELLIA_F(kll, klr,
920                 CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
921                 krl, krr, il, ir, t0, t1);
922         krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
923         CAMELLIA_F(krl, krr,
924                 CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
925                 w0, w1, il, ir, t0, t1);
926         kll ^= w0; klr ^= w1;
927
928         /* generate KB */
929         krll ^= kll; krlr ^= klr;
930         krrl ^= krl; krrr ^= krr;
931         CAMELLIA_F(krll, krlr,
932                 CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
933                 w0, w1, il, ir, t0, t1);
934         krrl ^= w0; krrr ^= w1;
935         CAMELLIA_F(krrl, krrr,
936                 CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
937                 w0, w1, il, ir, t0, t1);
938         krll ^= w0; krlr ^= w1;
939
940         /* generate KA dependent subkeys */
941         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
942         /* k5 */
943         subl(6) = kll; subr(6) = klr;
944         /* k6 */
945         subl(7) = krl; subr(7) = krr;
946         CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
947         /* k11 */
948         subl(14) = kll; subr(14) = klr;
949         /* k12 */
950         subl(15) = krl; subr(15) = krr;
951         /* rotation left shift 32bit */
952         /* kl5 */
953         subl(24) = klr; subr(24) = krl;
954         /* kl6 */
955         subl(25) = krr; subr(25) = kll;
956         /* rotation left shift 49 from k11,k12 -> k21,k22 */
957         CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
958         /* k21 */
959         subl(28) = kll; subr(28) = klr;
960         /* k22 */
961         subl(29) = krl; subr(29) = krr;
962
963         /* generate KB dependent subkeys */
964         /* k1 */
965         subl(2) = krll; subr(2) = krlr;
966         /* k2 */
967         subl(3) = krrl; subr(3) = krrr;
968         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
969         /* k7 */
970         subl(10) = krll; subr(10) = krlr;
971         /* k8 */
972         subl(11) = krrl; subr(11) = krrr;
973         CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
974         /* k15 */
975         subl(20) = krll; subr(20) = krlr;
976         /* k16 */
977         subl(21) = krrl; subr(21) = krrr;
978         CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
979         /* kw3 */
980         subl(32) = krll; subr(32) = krlr;
981         /* kw4 */
982         subl(33) = krrl; subr(33) = krrr;
983
984         /* absorb kw2 to other subkeys */
985 /* round 2 */
986         subl(3) ^= subl(1); subr(3) ^= subr(1);
987 /* round 4 */
988         subl(5) ^= subl(1); subr(5) ^= subr(1);
989 /* round 6 */
990         subl(7) ^= subl(1); subr(7) ^= subr(1);
991         subl(1) ^= subr(1) & ~subr(9);
992         dw = subl(1) & subl(9),
993                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl2) */
994 /* round 8 */
995         subl(11) ^= subl(1); subr(11) ^= subr(1);
996 /* round 10 */
997         subl(13) ^= subl(1); subr(13) ^= subr(1);
998 /* round 12 */
999         subl(15) ^= subl(1); subr(15) ^= subr(1);
1000         subl(1) ^= subr(1) & ~subr(17);
1001         dw = subl(1) & subl(17),
1002                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl4) */
1003 /* round 14 */
1004         subl(19) ^= subl(1); subr(19) ^= subr(1);
1005 /* round 16 */
1006         subl(21) ^= subl(1); subr(21) ^= subr(1);
1007 /* round 18 */
1008         subl(23) ^= subl(1); subr(23) ^= subr(1);
1009         subl(1) ^= subr(1) & ~subr(25);
1010         dw = subl(1) & subl(25),
1011                 subr(1) ^= CAMELLIA_RL1(dw); /* modified for FLinv(kl6) */
1012 /* round 20 */
1013         subl(27) ^= subl(1); subr(27) ^= subr(1);
1014 /* round 22 */
1015         subl(29) ^= subl(1); subr(29) ^= subr(1);
1016 /* round 24 */
1017         subl(31) ^= subl(1); subr(31) ^= subr(1);
1018 /* kw3 */
1019         subl(32) ^= subl(1); subr(32) ^= subr(1);
1020
1021
1022         /* absorb kw4 to other subkeys */
1023         kw4l = subl(33); kw4r = subr(33);
1024 /* round 23 */
1025         subl(30) ^= kw4l; subr(30) ^= kw4r;
1026 /* round 21 */
1027         subl(28) ^= kw4l; subr(28) ^= kw4r;
1028 /* round 19 */
1029         subl(26) ^= kw4l; subr(26) ^= kw4r;
1030         kw4l ^= kw4r & ~subr(24);
1031         dw = kw4l & subl(24),
1032                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl5) */
1033 /* round 17 */
1034         subl(22) ^= kw4l; subr(22) ^= kw4r;
1035 /* round 15 */
1036         subl(20) ^= kw4l; subr(20) ^= kw4r;
1037 /* round 13 */
1038         subl(18) ^= kw4l; subr(18) ^= kw4r;
1039         kw4l ^= kw4r & ~subr(16);
1040         dw = kw4l & subl(16),
1041                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl3) */
1042 /* round 11 */
1043         subl(14) ^= kw4l; subr(14) ^= kw4r;
1044 /* round 9 */
1045         subl(12) ^= kw4l; subr(12) ^= kw4r;
1046 /* round 7 */
1047         subl(10) ^= kw4l; subr(10) ^= kw4r;
1048         kw4l ^= kw4r & ~subr(8);
1049         dw = kw4l & subl(8),
1050                 kw4r ^= CAMELLIA_RL1(dw); /* modified for FL(kl1) */
1051 /* round 5 */
1052         subl(6) ^= kw4l; subr(6) ^= kw4r;
1053 /* round 3 */
1054         subl(4) ^= kw4l; subr(4) ^= kw4r;
1055 /* round 1 */
1056         subl(2) ^= kw4l; subr(2) ^= kw4r;
1057 /* kw1 */
1058         subl(0) ^= kw4l; subr(0) ^= kw4r;
1059
1060         /* key XOR is end of F-function */
1061         CamelliaSubkeyL(0) = subl(0) ^ subl(2);/* kw1 */
1062         CamelliaSubkeyR(0) = subr(0) ^ subr(2);
1063         CamelliaSubkeyL(2) = subl(3);       /* round 1 */
1064         CamelliaSubkeyR(2) = subr(3);
1065         CamelliaSubkeyL(3) = subl(2) ^ subl(4); /* round 2 */
1066         CamelliaSubkeyR(3) = subr(2) ^ subr(4);
1067         CamelliaSubkeyL(4) = subl(3) ^ subl(5); /* round 3 */
1068         CamelliaSubkeyR(4) = subr(3) ^ subr(5);
1069         CamelliaSubkeyL(5) = subl(4) ^ subl(6); /* round 4 */
1070         CamelliaSubkeyR(5) = subr(4) ^ subr(6);
1071         CamelliaSubkeyL(6) = subl(5) ^ subl(7); /* round 5 */
1072         CamelliaSubkeyR(6) = subr(5) ^ subr(7);
1073         tl = subl(10) ^ (subr(10) & ~subr(8));
1074         dw = tl & subl(8),  /* FL(kl1) */
1075                 tr = subr(10) ^ CAMELLIA_RL1(dw);
1076         CamelliaSubkeyL(7) = subl(6) ^ tl; /* round 6 */
1077         CamelliaSubkeyR(7) = subr(6) ^ tr;
1078         CamelliaSubkeyL(8) = subl(8);       /* FL(kl1) */
1079         CamelliaSubkeyR(8) = subr(8);
1080         CamelliaSubkeyL(9) = subl(9);       /* FLinv(kl2) */
1081         CamelliaSubkeyR(9) = subr(9);
1082         tl = subl(7) ^ (subr(7) & ~subr(9));
1083         dw = tl & subl(9),  /* FLinv(kl2) */
1084                 tr = subr(7) ^ CAMELLIA_RL1(dw);
1085         CamelliaSubkeyL(10) = tl ^ subl(11); /* round 7 */
1086         CamelliaSubkeyR(10) = tr ^ subr(11);
1087         CamelliaSubkeyL(11) = subl(10) ^ subl(12); /* round 8 */
1088         CamelliaSubkeyR(11) = subr(10) ^ subr(12);
1089         CamelliaSubkeyL(12) = subl(11) ^ subl(13); /* round 9 */
1090         CamelliaSubkeyR(12) = subr(11) ^ subr(13);
1091         CamelliaSubkeyL(13) = subl(12) ^ subl(14); /* round 10 */
1092         CamelliaSubkeyR(13) = subr(12) ^ subr(14);
1093         CamelliaSubkeyL(14) = subl(13) ^ subl(15); /* round 11 */
1094         CamelliaSubkeyR(14) = subr(13) ^ subr(15);
1095         tl = subl(18) ^ (subr(18) & ~subr(16));
1096         dw = tl & subl(16), /* FL(kl3) */
1097                 tr = subr(18) ^ CAMELLIA_RL1(dw);
1098         CamelliaSubkeyL(15) = subl(14) ^ tl; /* round 12 */
1099         CamelliaSubkeyR(15) = subr(14) ^ tr;
1100         CamelliaSubkeyL(16) = subl(16);     /* FL(kl3) */
1101         CamelliaSubkeyR(16) = subr(16);
1102         CamelliaSubkeyL(17) = subl(17);     /* FLinv(kl4) */
1103         CamelliaSubkeyR(17) = subr(17);
1104         tl = subl(15) ^ (subr(15) & ~subr(17));
1105         dw = tl & subl(17), /* FLinv(kl4) */
1106                 tr = subr(15) ^ CAMELLIA_RL1(dw);
1107         CamelliaSubkeyL(18) = tl ^ subl(19); /* round 13 */
1108         CamelliaSubkeyR(18) = tr ^ subr(19);
1109         CamelliaSubkeyL(19) = subl(18) ^ subl(20); /* round 14 */
1110         CamelliaSubkeyR(19) = subr(18) ^ subr(20);
1111         CamelliaSubkeyL(20) = subl(19) ^ subl(21); /* round 15 */
1112         CamelliaSubkeyR(20) = subr(19) ^ subr(21);
1113         CamelliaSubkeyL(21) = subl(20) ^ subl(22); /* round 16 */
1114         CamelliaSubkeyR(21) = subr(20) ^ subr(22);
1115         CamelliaSubkeyL(22) = subl(21) ^ subl(23); /* round 17 */
1116         CamelliaSubkeyR(22) = subr(21) ^ subr(23);
1117         tl = subl(26) ^ (subr(26)
1118                 & ~subr(24));
1119         dw = tl & subl(24), /* FL(kl5) */
1120                 tr = subr(26) ^ CAMELLIA_RL1(dw);
1121         CamelliaSubkeyL(23) = subl(22) ^ tl; /* round 18 */
1122         CamelliaSubkeyR(23) = subr(22) ^ tr;
1123         CamelliaSubkeyL(24) = subl(24);     /* FL(kl5) */
1124         CamelliaSubkeyR(24) = subr(24);
1125         CamelliaSubkeyL(25) = subl(25);     /* FLinv(kl6) */
1126         CamelliaSubkeyR(25) = subr(25);
1127         tl = subl(23) ^ (subr(23) &
1128                 ~subr(25));
1129         dw = tl & subl(25), /* FLinv(kl6) */
1130                 tr = subr(23) ^ CAMELLIA_RL1(dw);
1131         CamelliaSubkeyL(26) = tl ^ subl(27); /* round 19 */
1132         CamelliaSubkeyR(26) = tr ^ subr(27);
1133         CamelliaSubkeyL(27) = subl(26) ^ subl(28); /* round 20 */
1134         CamelliaSubkeyR(27) = subr(26) ^ subr(28);
1135         CamelliaSubkeyL(28) = subl(27) ^ subl(29); /* round 21 */
1136         CamelliaSubkeyR(28) = subr(27) ^ subr(29);
1137         CamelliaSubkeyL(29) = subl(28) ^ subl(30); /* round 22 */
1138         CamelliaSubkeyR(29) = subr(28) ^ subr(30);
1139         CamelliaSubkeyL(30) = subl(29) ^ subl(31); /* round 23 */
1140         CamelliaSubkeyR(30) = subr(29) ^ subr(31);
1141         CamelliaSubkeyL(31) = subl(30);     /* round 24 */
1142         CamelliaSubkeyR(31) = subr(30);
1143         CamelliaSubkeyL(32) = subl(32) ^ subl(31); /* kw3 */
1144         CamelliaSubkeyR(32) = subr(32) ^ subr(31);
1145
1146         /* apply the inverse of the last half of P-function */
1147         dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2),
1148                 dw = CAMELLIA_RL8(dw);/* round 1 */
1149         CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw,
1150                 CamelliaSubkeyL(2) = dw;
1151         dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3),
1152                 dw = CAMELLIA_RL8(dw);/* round 2 */
1153         CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw,
1154                 CamelliaSubkeyL(3) = dw;
1155         dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4),
1156                 dw = CAMELLIA_RL8(dw);/* round 3 */
1157         CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw,
1158                 CamelliaSubkeyL(4) = dw;
1159         dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5),
1160                 dw = CAMELLIA_RL8(dw);/* round 4 */
1161         CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw,
1162                 CamelliaSubkeyL(5) = dw;
1163         dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6),
1164                 dw = CAMELLIA_RL8(dw);/* round 5 */
1165         CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw,
1166                 CamelliaSubkeyL(6) = dw;
1167         dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7),
1168                 dw = CAMELLIA_RL8(dw);/* round 6 */
1169         CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw,
1170                 CamelliaSubkeyL(7) = dw;
1171         dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10),
1172                 dw = CAMELLIA_RL8(dw);/* round 7 */
1173         CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw,
1174                 CamelliaSubkeyL(10) = dw;
1175         dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11),
1176                 dw = CAMELLIA_RL8(dw);/* round 8 */
1177         CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw,
1178                 CamelliaSubkeyL(11) = dw;
1179         dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12),
1180                 dw = CAMELLIA_RL8(dw);/* round 9 */
1181         CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw,
1182                 CamelliaSubkeyL(12) = dw;
1183         dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13),
1184                 dw = CAMELLIA_RL8(dw);/* round 10 */
1185         CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw,
1186                 CamelliaSubkeyL(13) = dw;
1187         dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14),
1188                 dw = CAMELLIA_RL8(dw);/* round 11 */
1189         CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw,
1190                 CamelliaSubkeyL(14) = dw;
1191         dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15),
1192                 dw = CAMELLIA_RL8(dw);/* round 12 */
1193         CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw,
1194                 CamelliaSubkeyL(15) = dw;
1195         dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18),
1196                 dw = CAMELLIA_RL8(dw);/* round 13 */
1197         CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw,
1198                 CamelliaSubkeyL(18) = dw;
1199         dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19),
1200                 dw = CAMELLIA_RL8(dw);/* round 14 */
1201         CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw,
1202                 CamelliaSubkeyL(19) = dw;
1203         dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20),
1204                 dw = CAMELLIA_RL8(dw);/* round 15 */
1205         CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw,
1206                 CamelliaSubkeyL(20) = dw;
1207         dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21),
1208                 dw = CAMELLIA_RL8(dw);/* round 16 */
1209         CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw,
1210                 CamelliaSubkeyL(21) = dw;
1211         dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22),
1212                 dw = CAMELLIA_RL8(dw);/* round 17 */
1213         CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw,
1214                 CamelliaSubkeyL(22) = dw;
1215         dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23),
1216                 dw = CAMELLIA_RL8(dw);/* round 18 */
1217         CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw,
1218                 CamelliaSubkeyL(23) = dw;
1219         dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26),
1220                 dw = CAMELLIA_RL8(dw);/* round 19 */
1221         CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw,
1222                 CamelliaSubkeyL(26) = dw;
1223         dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27),
1224                 dw = CAMELLIA_RL8(dw);/* round 20 */
1225         CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw,
1226                 CamelliaSubkeyL(27) = dw;
1227         dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28),
1228                 dw = CAMELLIA_RL8(dw);/* round 21 */
1229         CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw,
1230                 CamelliaSubkeyL(28) = dw;
1231         dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29),
1232                 dw = CAMELLIA_RL8(dw);/* round 22 */
1233         CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw,
1234                 CamelliaSubkeyL(29) = dw;
1235         dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30),
1236                 dw = CAMELLIA_RL8(dw);/* round 23 */
1237         CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw,
1238                 CamelliaSubkeyL(30) = dw;
1239         dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31),
1240                 dw = CAMELLIA_RL8(dw);/* round 24 */
1241         CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,
1242                 CamelliaSubkeyL(31) = dw;
1243
1244     
1245         return;
1246         }
1247
1248 void camellia_setup192(const unsigned char *key, uint32_t *subkey)
1249         {
1250         unsigned char kk[32];
1251         uint32_t krll, krlr, krrl,krrr;
1252
1253         memcpy(kk, key, 24);
1254         memcpy((unsigned char *)&krll, key+16,4);
1255         memcpy((unsigned char *)&krlr, key+20,4);
1256         krrl = ~krll;
1257         krrr = ~krlr;
1258         memcpy(kk+24, (unsigned char *)&krrl, 4);
1259         memcpy(kk+28, (unsigned char *)&krrr, 4);
1260         camellia_setup256(kk, subkey);
1261         return;
1262         }
1263
1264
1265 /**
1266  * Stuff related to camellia encryption/decryption
1267  */
1268 void camellia_encrypt128(const uint32_t *subkey, uint32_t *io)
1269         {
1270         uint32_t il, ir, t0, t1;
1271
1272         SWAP4WORD(io);
1273         /* pre whitening but absorb kw2*/
1274         io[0] ^= CamelliaSubkeyL(0);
1275         io[1] ^= CamelliaSubkeyR(0);
1276         /* main iteration */
1277
1278         CAMELLIA_ROUNDSM(io[0],io[1],
1279                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1280                 io[2],io[3],il,ir,t0,t1);
1281         CAMELLIA_ROUNDSM(io[2],io[3],
1282                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1283                 io[0],io[1],il,ir,t0,t1);
1284         CAMELLIA_ROUNDSM(io[0],io[1],
1285                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1286                 io[2],io[3],il,ir,t0,t1);
1287         CAMELLIA_ROUNDSM(io[2],io[3],
1288                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1289                 io[0],io[1],il,ir,t0,t1);
1290         CAMELLIA_ROUNDSM(io[0],io[1],
1291                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1292                 io[2],io[3],il,ir,t0,t1);
1293         CAMELLIA_ROUNDSM(io[2],io[3],
1294                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1295                 io[0],io[1],il,ir,t0,t1);
1296
1297         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1298                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1299                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1300                 t0,t1,il,ir);
1301
1302         CAMELLIA_ROUNDSM(io[0],io[1],
1303                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1304                 io[2],io[3],il,ir,t0,t1);
1305         CAMELLIA_ROUNDSM(io[2],io[3],
1306                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1307                 io[0],io[1],il,ir,t0,t1);
1308         CAMELLIA_ROUNDSM(io[0],io[1],
1309                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1310                 io[2],io[3],il,ir,t0,t1);
1311         CAMELLIA_ROUNDSM(io[2],io[3],
1312                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1313                 io[0],io[1],il,ir,t0,t1);
1314         CAMELLIA_ROUNDSM(io[0],io[1],
1315                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1316                 io[2],io[3],il,ir,t0,t1);
1317         CAMELLIA_ROUNDSM(io[2],io[3],
1318                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1319                 io[0],io[1],il,ir,t0,t1);
1320
1321         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1322                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1323                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1324                 t0,t1,il,ir);
1325
1326         CAMELLIA_ROUNDSM(io[0],io[1],
1327                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1328                 io[2],io[3],il,ir,t0,t1);
1329         CAMELLIA_ROUNDSM(io[2],io[3],
1330                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1331                 io[0],io[1],il,ir,t0,t1);
1332         CAMELLIA_ROUNDSM(io[0],io[1],
1333                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1334                 io[2],io[3],il,ir,t0,t1);
1335         CAMELLIA_ROUNDSM(io[2],io[3],
1336                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1337                 io[0],io[1],il,ir,t0,t1);
1338         CAMELLIA_ROUNDSM(io[0],io[1],
1339                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1340                 io[2],io[3],il,ir,t0,t1);
1341         CAMELLIA_ROUNDSM(io[2],io[3],
1342                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1343                 io[0],io[1],il,ir,t0,t1);
1344
1345         /* post whitening but kw4 */
1346         io[2] ^= CamelliaSubkeyL(24);
1347         io[3] ^= CamelliaSubkeyR(24);
1348
1349         t0 = io[0];
1350         t1 = io[1];
1351         io[0] = io[2];
1352         io[1] = io[3];
1353         io[2] = t0;
1354         io[3] = t1;
1355         SWAP4WORD(io);
1356         
1357         return;
1358         }
1359
1360 void camellia_decrypt128(const uint32_t *subkey, uint32_t *io)
1361         {
1362         uint32_t il,ir,t0,t1;               /* temporary valiables */
1363     
1364         SWAP4WORD(io);
1365
1366         /* pre whitening but absorb kw2*/
1367         io[0] ^= CamelliaSubkeyL(24);
1368         io[1] ^= CamelliaSubkeyR(24);
1369
1370         /* main iteration */
1371         CAMELLIA_ROUNDSM(io[0],io[1],
1372                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1373                 io[2],io[3],il,ir,t0,t1);
1374         CAMELLIA_ROUNDSM(io[2],io[3],
1375                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1376                 io[0],io[1],il,ir,t0,t1);
1377         CAMELLIA_ROUNDSM(io[0],io[1],
1378                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1379                 io[2],io[3],il,ir,t0,t1);
1380         CAMELLIA_ROUNDSM(io[2],io[3],
1381                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1382                 io[0],io[1],il,ir,t0,t1);
1383         CAMELLIA_ROUNDSM(io[0],io[1],
1384                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1385                 io[2],io[3],il,ir,t0,t1);
1386         CAMELLIA_ROUNDSM(io[2],io[3],
1387                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1388                 io[0],io[1],il,ir,t0,t1);
1389
1390         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1391                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1392                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1393                 t0,t1,il,ir);
1394
1395         CAMELLIA_ROUNDSM(io[0],io[1],
1396                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1397                 io[2],io[3],il,ir,t0,t1);
1398         CAMELLIA_ROUNDSM(io[2],io[3],
1399                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1400                 io[0],io[1],il,ir,t0,t1);
1401         CAMELLIA_ROUNDSM(io[0],io[1],
1402                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1403                 io[2],io[3],il,ir,t0,t1);
1404         CAMELLIA_ROUNDSM(io[2],io[3],
1405                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1406                 io[0],io[1],il,ir,t0,t1);
1407         CAMELLIA_ROUNDSM(io[0],io[1],
1408                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1409                 io[2],io[3],il,ir,t0,t1);
1410         CAMELLIA_ROUNDSM(io[2],io[3],
1411                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1412                 io[0],io[1],il,ir,t0,t1);
1413
1414         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1415                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1416                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1417                 t0,t1,il,ir);
1418
1419         CAMELLIA_ROUNDSM(io[0],io[1],
1420                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1421                 io[2],io[3],il,ir,t0,t1);
1422         CAMELLIA_ROUNDSM(io[2],io[3],
1423                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1424                 io[0],io[1],il,ir,t0,t1);
1425         CAMELLIA_ROUNDSM(io[0],io[1],
1426                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1427                 io[2],io[3],il,ir,t0,t1);
1428         CAMELLIA_ROUNDSM(io[2],io[3],
1429                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1430                 io[0],io[1],il,ir,t0,t1);
1431         CAMELLIA_ROUNDSM(io[0],io[1],
1432                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1433                 io[2],io[3],il,ir,t0,t1);
1434         CAMELLIA_ROUNDSM(io[2],io[3],
1435                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1436                 io[0],io[1],il,ir,t0,t1);
1437
1438         /* post whitening but kw4 */
1439         io[2] ^= CamelliaSubkeyL(0);
1440         io[3] ^= CamelliaSubkeyR(0);
1441
1442         t0 = io[0];
1443         t1 = io[1];
1444         io[0] = io[2];
1445         io[1] = io[3];
1446         io[2] = t0;
1447         io[3] = t1;
1448         SWAP4WORD(io);
1449
1450         return;
1451         }
1452
1453 /**
1454  * stuff for 192 and 256bit encryption/decryption
1455  */
1456 void camellia_encrypt256(const uint32_t *subkey, uint32_t *io)
1457         {
1458         uint32_t il,ir,t0,t1;           /* temporary valiables */
1459
1460         SWAP4WORD(io);
1461
1462         /* pre whitening but absorb kw2*/
1463         io[0] ^= CamelliaSubkeyL(0);
1464         io[1] ^= CamelliaSubkeyR(0);
1465
1466         /* main iteration */
1467         CAMELLIA_ROUNDSM(io[0],io[1],
1468                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1469                 io[2],io[3],il,ir,t0,t1);
1470         CAMELLIA_ROUNDSM(io[2],io[3],
1471                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1472                 io[0],io[1],il,ir,t0,t1);
1473         CAMELLIA_ROUNDSM(io[0],io[1],
1474                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1475                 io[2],io[3],il,ir,t0,t1);
1476         CAMELLIA_ROUNDSM(io[2],io[3],
1477                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1478                 io[0],io[1],il,ir,t0,t1);
1479         CAMELLIA_ROUNDSM(io[0],io[1],
1480                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1481                 io[2],io[3],il,ir,t0,t1);
1482         CAMELLIA_ROUNDSM(io[2],io[3],
1483                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1484                 io[0],io[1],il,ir,t0,t1);
1485
1486         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1487                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1488                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1489                 t0,t1,il,ir);
1490
1491         CAMELLIA_ROUNDSM(io[0],io[1],
1492                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1493                 io[2],io[3],il,ir,t0,t1);
1494         CAMELLIA_ROUNDSM(io[2],io[3],
1495                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1496                 io[0],io[1],il,ir,t0,t1);
1497         CAMELLIA_ROUNDSM(io[0],io[1],
1498                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1499                 io[2],io[3],il,ir,t0,t1);
1500         CAMELLIA_ROUNDSM(io[2],io[3],
1501                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1502                 io[0],io[1],il,ir,t0,t1);
1503         CAMELLIA_ROUNDSM(io[0],io[1],
1504                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1505                 io[2],io[3],il,ir,t0,t1);
1506         CAMELLIA_ROUNDSM(io[2],io[3],
1507                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1508                 io[0],io[1],il,ir,t0,t1);
1509
1510         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1511                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1512                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1513                 t0,t1,il,ir);
1514
1515         CAMELLIA_ROUNDSM(io[0],io[1],
1516                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1517                 io[2],io[3],il,ir,t0,t1);
1518         CAMELLIA_ROUNDSM(io[2],io[3],
1519                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1520                 io[0],io[1],il,ir,t0,t1);
1521         CAMELLIA_ROUNDSM(io[0],io[1],
1522                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1523                 io[2],io[3],il,ir,t0,t1);
1524         CAMELLIA_ROUNDSM(io[2],io[3],
1525                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1526                 io[0],io[1],il,ir,t0,t1);
1527         CAMELLIA_ROUNDSM(io[0],io[1],
1528                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1529                 io[2],io[3],il,ir,t0,t1);
1530         CAMELLIA_ROUNDSM(io[2],io[3],
1531                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1532                 io[0],io[1],il,ir,t0,t1);
1533
1534         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1535                 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1536                 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1537                 t0,t1,il,ir);
1538
1539         CAMELLIA_ROUNDSM(io[0],io[1],
1540                 CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1541                 io[2],io[3],il,ir,t0,t1);
1542         CAMELLIA_ROUNDSM(io[2],io[3],
1543                 CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1544                 io[0],io[1],il,ir,t0,t1);
1545         CAMELLIA_ROUNDSM(io[0],io[1],
1546                 CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1547                 io[2],io[3],il,ir,t0,t1);
1548         CAMELLIA_ROUNDSM(io[2],io[3],
1549                 CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1550                 io[0],io[1],il,ir,t0,t1);
1551         CAMELLIA_ROUNDSM(io[0],io[1],
1552                 CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1553                 io[2],io[3],il,ir,t0,t1);
1554         CAMELLIA_ROUNDSM(io[2],io[3],
1555                 CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1556                 io[0],io[1],il,ir,t0,t1);
1557
1558         /* post whitening but kw4 */
1559         io[2] ^= CamelliaSubkeyL(32);
1560         io[3] ^= CamelliaSubkeyR(32);
1561
1562         t0 = io[0];
1563         t1 = io[1];
1564         io[0] = io[2];
1565         io[1] = io[3];
1566         io[2] = t0;
1567         io[3] = t1;
1568         SWAP4WORD(io);
1569
1570         return;
1571         }
1572
1573 void camellia_decrypt256(const uint32_t *subkey, uint32_t *io)
1574         {
1575         uint32_t il,ir,t0,t1;           /* temporary valiables */
1576
1577         SWAP4WORD(io);
1578         /* pre whitening but absorb kw2*/
1579         io[0] ^= CamelliaSubkeyL(32);
1580         io[1] ^= CamelliaSubkeyR(32);
1581         
1582         /* main iteration */
1583         CAMELLIA_ROUNDSM(io[0],io[1],
1584                 CamelliaSubkeyL(31),CamelliaSubkeyR(31),
1585                 io[2],io[3],il,ir,t0,t1);
1586         CAMELLIA_ROUNDSM(io[2],io[3],
1587                 CamelliaSubkeyL(30),CamelliaSubkeyR(30),
1588                 io[0],io[1],il,ir,t0,t1);
1589         CAMELLIA_ROUNDSM(io[0],io[1],
1590                 CamelliaSubkeyL(29),CamelliaSubkeyR(29),
1591                 io[2],io[3],il,ir,t0,t1);
1592         CAMELLIA_ROUNDSM(io[2],io[3],
1593                 CamelliaSubkeyL(28),CamelliaSubkeyR(28),
1594                 io[0],io[1],il,ir,t0,t1);
1595         CAMELLIA_ROUNDSM(io[0],io[1],
1596                 CamelliaSubkeyL(27),CamelliaSubkeyR(27),
1597                 io[2],io[3],il,ir,t0,t1);
1598         CAMELLIA_ROUNDSM(io[2],io[3],
1599                 CamelliaSubkeyL(26),CamelliaSubkeyR(26),
1600                 io[0],io[1],il,ir,t0,t1);
1601
1602         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1603                 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
1604                 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
1605                 t0,t1,il,ir);
1606
1607         CAMELLIA_ROUNDSM(io[0],io[1],
1608                 CamelliaSubkeyL(23),CamelliaSubkeyR(23),
1609                 io[2],io[3],il,ir,t0,t1);
1610         CAMELLIA_ROUNDSM(io[2],io[3],
1611                 CamelliaSubkeyL(22),CamelliaSubkeyR(22),
1612                 io[0],io[1],il,ir,t0,t1);
1613         CAMELLIA_ROUNDSM(io[0],io[1],
1614                 CamelliaSubkeyL(21),CamelliaSubkeyR(21),
1615                 io[2],io[3],il,ir,t0,t1);
1616         CAMELLIA_ROUNDSM(io[2],io[3],
1617                 CamelliaSubkeyL(20),CamelliaSubkeyR(20),
1618                 io[0],io[1],il,ir,t0,t1);
1619         CAMELLIA_ROUNDSM(io[0],io[1],
1620                 CamelliaSubkeyL(19),CamelliaSubkeyR(19),
1621                 io[2],io[3],il,ir,t0,t1);
1622         CAMELLIA_ROUNDSM(io[2],io[3],
1623                 CamelliaSubkeyL(18),CamelliaSubkeyR(18),
1624                 io[0],io[1],il,ir,t0,t1);
1625
1626         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1627                 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
1628                 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
1629                 t0,t1,il,ir);
1630
1631         CAMELLIA_ROUNDSM(io[0],io[1],
1632                 CamelliaSubkeyL(15),CamelliaSubkeyR(15),
1633                 io[2],io[3],il,ir,t0,t1);
1634         CAMELLIA_ROUNDSM(io[2],io[3],
1635                 CamelliaSubkeyL(14),CamelliaSubkeyR(14),
1636                 io[0],io[1],il,ir,t0,t1);
1637         CAMELLIA_ROUNDSM(io[0],io[1],
1638                 CamelliaSubkeyL(13),CamelliaSubkeyR(13),
1639                 io[2],io[3],il,ir,t0,t1);
1640         CAMELLIA_ROUNDSM(io[2],io[3],
1641                 CamelliaSubkeyL(12),CamelliaSubkeyR(12),
1642                 io[0],io[1],il,ir,t0,t1);
1643         CAMELLIA_ROUNDSM(io[0],io[1],
1644                 CamelliaSubkeyL(11),CamelliaSubkeyR(11),
1645                 io[2],io[3],il,ir,t0,t1);
1646         CAMELLIA_ROUNDSM(io[2],io[3],
1647                 CamelliaSubkeyL(10),CamelliaSubkeyR(10),
1648                 io[0],io[1],il,ir,t0,t1);
1649
1650         CAMELLIA_FLS(io[0],io[1],io[2],io[3],
1651                 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
1652                 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
1653                 t0,t1,il,ir);
1654
1655         CAMELLIA_ROUNDSM(io[0],io[1],
1656                 CamelliaSubkeyL(7),CamelliaSubkeyR(7),
1657                 io[2],io[3],il,ir,t0,t1);
1658         CAMELLIA_ROUNDSM(io[2],io[3],
1659                 CamelliaSubkeyL(6),CamelliaSubkeyR(6),
1660                 io[0],io[1],il,ir,t0,t1);
1661         CAMELLIA_ROUNDSM(io[0],io[1],
1662                 CamelliaSubkeyL(5),CamelliaSubkeyR(5),
1663                 io[2],io[3],il,ir,t0,t1);
1664         CAMELLIA_ROUNDSM(io[2],io[3],
1665                 CamelliaSubkeyL(4),CamelliaSubkeyR(4),
1666                 io[0],io[1],il,ir,t0,t1);
1667         CAMELLIA_ROUNDSM(io[0],io[1],
1668                 CamelliaSubkeyL(3),CamelliaSubkeyR(3),
1669                 io[2],io[3],il,ir,t0,t1);
1670         CAMELLIA_ROUNDSM(io[2],io[3],
1671                 CamelliaSubkeyL(2),CamelliaSubkeyR(2),
1672                 io[0],io[1],il,ir,t0,t1);
1673
1674         /* post whitening but kw4 */
1675         io[2] ^= CamelliaSubkeyL(0);
1676         io[3] ^= CamelliaSubkeyR(0);
1677
1678         t0 = io[0];
1679         t1 = io[1];
1680         io[0] = io[2];
1681         io[1] = io[3];
1682         io[2] = t0;
1683         io[3] = t1;
1684         SWAP4WORD(io);
1685
1686         return;
1687         }
1688