2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
12 * ALL RIGHTS RESERVED.
14 * Intellectual Property information for Camellia:
15 * http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
17 * News Release for Announcement of Camellia open source:
18 * http://www.ntt.co.jp/news/news06e/0604/060413a.html
20 * The Camellia Code included herein is developed by
21 * NTT (Nippon Telegraph and Telephone Corporation), and is contributed
22 * to the OpenSSL project.
24 * The Camellia Code is licensed pursuant to the OpenSSL open source
25 * license provided below.
27 /* ====================================================================
28 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
30 * Redistribution and use in source and binary forms, with or without
31 * modification, are permitted provided that the following conditions
34 * 1. Redistributions of source code must retain the above copyright
35 * notice, this list of conditions and the following disclaimer.
37 * 2. Redistributions in binary form must reproduce the above copyright
38 * notice, this list of conditions and the following disclaimer in
39 * the documentation and/or other materials provided with the
42 * 3. All advertising materials mentioning features or use of this
43 * software must display the following acknowledgment:
44 * "This product includes software developed by the OpenSSL Project
45 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
47 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
48 * endorse or promote products derived from this software without
49 * prior written permission. For written permission, please contact
50 * openssl-core@openssl.org.
52 * 5. Products derived from this software may not be called "OpenSSL"
53 * nor may "OpenSSL" appear in their names without prior written
54 * permission of the OpenSSL Project.
56 * 6. Redistributions of any form whatsoever must retain the following
58 * "This product includes software developed by the OpenSSL Project
59 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
61 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
62 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
63 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
64 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
65 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
66 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
67 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
68 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
69 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
70 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
71 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
72 * OF THE POSSIBILITY OF SUCH DAMAGE.
73 * ====================================================================
77 * Algorithm Specification
78 * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
82 * This release balances code size and performance. In particular key
83 * schedule setup is fully unrolled, because doing so *significantly*
84 * reduces amount of instructions per setup round and code increase is
85 * justifiable. In block functions on the other hand only inner loops
86 * are unrolled, as full unroll gives only nominal performance boost,
87 * while code size grows 4 or 7 times. Also, unlike previous versions
88 * this one "encourages" compiler to keep intermediate variables in
89 * registers, which should give better "all round" results, in other
90 * words reasonable performance even with not so modern compilers.
93 #include <openssl/camellia.h>
94 #include "cmll_locl.h"
98 /* 32-bit rotations */
99 #if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
100 # if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
101 # define RightRotate(x, s) _lrotr(x, s)
102 # define LeftRotate(x, s) _lrotl(x, s)
103 # if _MSC_VER >= 1400
104 # define SWAP(x) _byteswap_ulong(x)
106 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
108 # define GETU32(p) SWAP(*((u32 *)(p)))
109 # define PUTU32(p,v) (*((u32 *)(p)) = SWAP((v)))
110 # elif defined(__GNUC__) && __GNUC__>=2
111 # if defined(__i386) || defined(__x86_64)
112 # define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
113 # define LeftRotate(x,s) ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
114 # if defined(B_ENDIAN) /* stratus.com does it */
115 # define GETU32(p) (*(u32 *)(p))
116 # define PUTU32(p,v) (*(u32 *)(p)=(v))
118 # define GETU32(p) ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
119 # define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
121 # elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
122 defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
123 # define LeftRotate(x,s) ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; })
124 # define RightRotate(x,s) LeftRotate(x,(32-s))
125 # elif defined(__s390x__)
126 # define LeftRotate(x,s) ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; })
127 # define RightRotate(x,s) LeftRotate(x,(32-s))
128 # define GETU32(p) (*(u32 *)(p))
129 # define PUTU32(p,v) (*(u32 *)(p)=(v))
134 #if !defined(RightRotate) && !defined(LeftRotate)
135 # define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
136 # define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) )
139 #if !defined(GETU32) && !defined(PUTU32)
140 # define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ ((u32)(p)[3]))
141 # define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v))
145 #define SBOX1_1110 Camellia_SBOX[0]
146 #define SBOX4_4404 Camellia_SBOX[1]
147 #define SBOX2_0222 Camellia_SBOX[2]
148 #define SBOX3_3033 Camellia_SBOX[3]
149 static const u32 Camellia_SBOX[][256] = {
150 {0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700,
151 0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
152 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00,
153 0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
154 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500,
155 0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
156 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000,
157 0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
158 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700,
159 0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
160 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00,
161 0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
162 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100,
163 0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
164 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700,
165 0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
166 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00,
167 0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
168 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400,
169 0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
170 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00,
171 0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
172 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00,
173 0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
174 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700,
175 0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
176 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00,
177 0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
178 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00,
179 0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
180 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600,
181 0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
182 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00,
183 0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
184 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800,
185 0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
186 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200,
187 0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
188 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900,
189 0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
190 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900,
191 0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
192 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00},
193 {0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057,
194 0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5,
195 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af,
196 0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b,
197 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a,
198 0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0,
199 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb,
200 0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004,
201 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c,
202 0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a,
203 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0,
204 0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064,
205 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6,
206 0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090,
207 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8,
208 0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063,
209 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9,
210 0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071,
211 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9,
212 0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1,
213 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad,
214 0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5,
215 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093,
216 0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd,
217 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f,
218 0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d,
219 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066,
220 0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099,
221 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031,
222 0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c,
223 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2,
224 0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050,
225 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095,
226 0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db,
227 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002,
228 0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2,
229 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b,
230 0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e,
231 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a,
232 0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa,
233 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068,
234 0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1,
235 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e},
236 {0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e,
237 0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
238 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf,
239 0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
240 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca,
241 0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
242 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060,
243 0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
244 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e,
245 0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
246 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a,
247 0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
248 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363,
249 0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
250 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f,
251 0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
252 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636,
253 0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
254 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888,
255 0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
256 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9,
257 0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
258 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6,
259 0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
260 0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef,
261 0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
262 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8,
263 0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
264 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe,
265 0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
266 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d,
267 0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
268 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc,
269 0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
270 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131,
271 0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
272 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545,
273 0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
274 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292,
275 0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
276 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393,
277 0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
278 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d},
279 {0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393,
280 0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
281 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7,
282 0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
283 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2,
284 0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
285 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818,
286 0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
287 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3,
288 0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
289 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686,
290 0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
291 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8,
292 0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
293 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb,
294 0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
295 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d,
296 0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
297 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222,
298 0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
299 0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e,
300 0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
301 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad,
302 0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
303 0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb,
304 0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
305 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e,
306 0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
307 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf,
308 0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313,
309 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b,
310 0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717,
311 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737,
312 0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b,
313 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c,
314 0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d,
315 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151,
316 0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa,
317 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4,
318 0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252,
319 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4,
320 0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a,
321 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f}
324 /* Key generation constants */
325 static const u32 SIGMA[] = {
326 0xa09e667f, 0x3bcc908b, 0xb67ae858, 0x4caa73b2, 0xc6ef372f, 0xe94f82be,
327 0x54ff53a5, 0xf1d36f1c, 0x10e527fa, 0xde682d1d, 0xb05688c2, 0xb3e6c1fd
330 /* The phi algorithm given in C.2.7 of the Camellia spec document. */
332 * This version does not attempt to minimize amount of temporary
333 * variables, but instead explicitly exposes algorithm's parallelism.
334 * It is therefore most appropriate for platforms with not less than
335 * ~16 registers. For platforms with less registers [well, x86 to be
336 * specific] assembler version should be/is provided anyway...
338 #define Camellia_Feistel(_s0,_s1,_s2,_s3,_key) do {\
339 register u32 _t0,_t1,_t2,_t3;\
341 _t0 = _s0 ^ (_key)[0];\
342 _t3 = SBOX4_4404[_t0&0xff];\
343 _t1 = _s1 ^ (_key)[1];\
344 _t3 ^= SBOX3_3033[(_t0 >> 8)&0xff];\
345 _t2 = SBOX1_1110[_t1&0xff];\
346 _t3 ^= SBOX2_0222[(_t0 >> 16)&0xff];\
347 _t2 ^= SBOX4_4404[(_t1 >> 8)&0xff];\
348 _t3 ^= SBOX1_1110[(_t0 >> 24)];\
350 _t3 = RightRotate(_t3,8);\
351 _t2 ^= SBOX3_3033[(_t1 >> 16)&0xff];\
353 _t2 ^= SBOX2_0222[(_t1 >> 24)];\
359 * Note that n has to be less than 32. Rotations for larger amount
360 * of bits are achieved by "rotating" order of s-elements and
361 * adjusting n accordingly, e.g. RotLeft128(s1,s2,s3,s0,n-32).
363 #define RotLeft128(_s0,_s1,_s2,_s3,_n) do {\
364 u32 _t0=_s0>>(32-_n);\
365 _s0 = (_s0<<_n) | (_s1>>(32-_n));\
366 _s1 = (_s1<<_n) | (_s2>>(32-_n));\
367 _s2 = (_s2<<_n) | (_s3>>(32-_n));\
368 _s3 = (_s3<<_n) | _t0;\
371 int Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE k)
373 register u32 s0, s1, s2, s3;
375 k[0] = s0 = GETU32(rawKey);
376 k[1] = s1 = GETU32(rawKey + 4);
377 k[2] = s2 = GETU32(rawKey + 8);
378 k[3] = s3 = GETU32(rawKey + 12);
380 if (keyBitLength != 128) {
381 k[8] = s0 = GETU32(rawKey + 16);
382 k[9] = s1 = GETU32(rawKey + 20);
383 if (keyBitLength == 192) {
387 k[10] = s2 = GETU32(rawKey + 24);
388 k[11] = s3 = GETU32(rawKey + 28);
390 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
393 /* Use the Feistel routine to scramble the key material */
394 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 0);
395 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 2);
397 s0 ^= k[0], s1 ^= k[1], s2 ^= k[2], s3 ^= k[3];
398 Camellia_Feistel(s0, s1, s2, s3, SIGMA + 4);
399 Camellia_Feistel(s2, s3, s0, s1, SIGMA + 6);
401 /* Fill the keyTable. Requires many block rotations. */
402 if (keyBitLength == 128) {
403 k[4] = s0, k[5] = s1, k[6] = s2, k[7] = s3;
404 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
405 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
406 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 30 */
407 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
408 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 45 */
409 k[24] = s0, k[25] = s1;
410 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 60 */
411 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
412 RotLeft128(s1, s2, s3, s0, 2); /* KA <<< 94 */
413 k[40] = s1, k[41] = s2, k[42] = s3, k[43] = s0;
414 RotLeft128(s1, s2, s3, s0, 17); /* KA <<<111 */
415 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
417 s0 = k[0], s1 = k[1], s2 = k[2], s3 = k[3];
418 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 15 */
419 k[8] = s0, k[9] = s1, k[10] = s2, k[11] = s3;
420 RotLeft128(s0, s1, s2, s3, 30); /* KL <<< 45 */
421 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
422 RotLeft128(s0, s1, s2, s3, 15); /* KL <<< 60 */
423 k[26] = s2, k[27] = s3;
424 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 77 */
425 k[32] = s0, k[33] = s1, k[34] = s2, k[35] = s3;
426 RotLeft128(s0, s1, s2, s3, 17); /* KL <<< 94 */
427 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
428 RotLeft128(s0, s1, s2, s3, 17); /* KL <<<111 */
429 k[44] = s0, k[45] = s1, k[46] = s2, k[47] = s3;
431 return 3; /* grand rounds */
433 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
434 s0 ^= k[8], s1 ^= k[9], s2 ^= k[10], s3 ^= k[11];
435 Camellia_Feistel(s0, s1, s2, s3, (SIGMA + 8));
436 Camellia_Feistel(s2, s3, s0, s1, (SIGMA + 10));
438 k[4] = s0, k[5] = s1, k[6] = s2, k[7] = s3;
439 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 30 */
440 k[20] = s0, k[21] = s1, k[22] = s2, k[23] = s3;
441 RotLeft128(s0, s1, s2, s3, 30); /* KB <<< 60 */
442 k[40] = s0, k[41] = s1, k[42] = s2, k[43] = s3;
443 RotLeft128(s1, s2, s3, s0, 19); /* KB <<<111 */
444 k[64] = s1, k[65] = s2, k[66] = s3, k[67] = s0;
446 s0 = k[8], s1 = k[9], s2 = k[10], s3 = k[11];
447 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 15 */
448 k[8] = s0, k[9] = s1, k[10] = s2, k[11] = s3;
449 RotLeft128(s0, s1, s2, s3, 15); /* KR <<< 30 */
450 k[16] = s0, k[17] = s1, k[18] = s2, k[19] = s3;
451 RotLeft128(s0, s1, s2, s3, 30); /* KR <<< 60 */
452 k[36] = s0, k[37] = s1, k[38] = s2, k[39] = s3;
453 RotLeft128(s1, s2, s3, s0, 2); /* KR <<< 94 */
454 k[52] = s1, k[53] = s2, k[54] = s3, k[55] = s0;
456 s0 = k[12], s1 = k[13], s2 = k[14], s3 = k[15];
457 RotLeft128(s0, s1, s2, s3, 15); /* KA <<< 15 */
458 k[12] = s0, k[13] = s1, k[14] = s2, k[15] = s3;
459 RotLeft128(s0, s1, s2, s3, 30); /* KA <<< 45 */
460 k[28] = s0, k[29] = s1, k[30] = s2, k[31] = s3;
462 k[48] = s1, k[49] = s2, k[50] = s3, k[51] = s0;
463 RotLeft128(s1, s2, s3, s0, 17); /* KA <<< 94 */
464 k[56] = s1, k[57] = s2, k[58] = s3, k[59] = s0;
466 s0 = k[0], s1 = k[1], s2 = k[2], s3 = k[3];
467 RotLeft128(s1, s2, s3, s0, 13); /* KL <<< 45 */
468 k[24] = s1, k[25] = s2, k[26] = s3, k[27] = s0;
469 RotLeft128(s1, s2, s3, s0, 15); /* KL <<< 60 */
470 k[32] = s1, k[33] = s2, k[34] = s3, k[35] = s0;
471 RotLeft128(s1, s2, s3, s0, 17); /* KL <<< 77 */
472 k[44] = s1, k[45] = s2, k[46] = s3, k[47] = s0;
473 RotLeft128(s2, s3, s0, s1, 2); /* KL <<<111 */
474 k[60] = s2, k[61] = s3, k[62] = s0, k[63] = s1;
476 return 4; /* grand rounds */
479 * It is possible to perform certain precalculations, which
480 * would spare few cycles in block procedure. It's not done,
481 * because it upsets the performance balance between key
482 * setup and block procedures, negatively affecting overall
483 * throughput in applications operating on short messages
488 void Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[],
489 const KEY_TABLE_TYPE keyTable,
492 register u32 s0, s1, s2, s3;
493 const u32 *k = keyTable, *kend = keyTable + grandRounds * 16;
495 s0 = GETU32(plaintext) ^ k[0];
496 s1 = GETU32(plaintext + 4) ^ k[1];
497 s2 = GETU32(plaintext + 8) ^ k[2];
498 s3 = GETU32(plaintext + 12) ^ k[3];
502 /* Camellia makes 6 Feistel rounds */
503 Camellia_Feistel(s0, s1, s2, s3, k + 0);
504 Camellia_Feistel(s2, s3, s0, s1, k + 2);
505 Camellia_Feistel(s0, s1, s2, s3, k + 4);
506 Camellia_Feistel(s2, s3, s0, s1, k + 6);
507 Camellia_Feistel(s0, s1, s2, s3, k + 8);
508 Camellia_Feistel(s2, s3, s0, s1, k + 10);
515 * This is the same function as the diffusion function D of the
516 * accompanying documentation. See section 3.2 for properties of the
519 s1 ^= LeftRotate(s0 & k[0], 1);
522 s3 ^= LeftRotate(s2 & k[2], 1);
526 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
528 PUTU32(ciphertext, s2);
529 PUTU32(ciphertext + 4, s3);
530 PUTU32(ciphertext + 8, s0);
531 PUTU32(ciphertext + 12, s1);
534 void Camellia_EncryptBlock(int keyBitLength, const u8 plaintext[],
535 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
537 Camellia_EncryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
538 plaintext, keyTable, ciphertext);
541 void Camellia_DecryptBlock_Rounds(int grandRounds, const u8 ciphertext[],
542 const KEY_TABLE_TYPE keyTable,
546 const u32 *k = keyTable + grandRounds * 16, *kend = keyTable + 4;
548 s0 = GETU32(ciphertext) ^ k[0];
549 s1 = GETU32(ciphertext + 4) ^ k[1];
550 s2 = GETU32(ciphertext + 8) ^ k[2];
551 s3 = GETU32(ciphertext + 12) ^ k[3];
554 /* Camellia makes 6 Feistel rounds */
556 Camellia_Feistel(s0, s1, s2, s3, k + 10);
557 Camellia_Feistel(s2, s3, s0, s1, k + 8);
558 Camellia_Feistel(s0, s1, s2, s3, k + 6);
559 Camellia_Feistel(s2, s3, s0, s1, k + 4);
560 Camellia_Feistel(s0, s1, s2, s3, k + 2);
561 Camellia_Feistel(s2, s3, s0, s1, k + 0);
567 * This is the same function as the diffusion function D of the
568 * accompanying documentation. See section 3.2 for properties of the
572 s1 ^= LeftRotate(s0 & k[2], 1);
575 s3 ^= LeftRotate(s2 & k[0], 1);
579 s2 ^= k[0], s3 ^= k[1], s0 ^= k[2], s1 ^= k[3];
581 PUTU32(plaintext, s2);
582 PUTU32(plaintext + 4, s3);
583 PUTU32(plaintext + 8, s0);
584 PUTU32(plaintext + 12, s1);
587 void Camellia_DecryptBlock(int keyBitLength, const u8 plaintext[],
588 const KEY_TABLE_TYPE keyTable, u8 ciphertext[])
590 Camellia_DecryptBlock_Rounds(keyBitLength == 128 ? 3 : 4,
591 plaintext, keyTable, ciphertext);
projects / openssl.git / blob