diff options
author | Niels Möller <nisse@lysator.liu.se> | 2010-07-25 10:22:07 +0200 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2010-07-25 10:22:07 +0200 |
commit | beafb5f38bb51b2dfbd6c03a7e34f6c65cef12cf (patch) | |
tree | 18d0cb03312b8ac6a8cc397ae71e5fa70a262b43 | |
parent | 5535723634e1554c8f9c2517692cc0f491722095 (diff) | |
download | nettle-beafb5f38bb51b2dfbd6c03a7e34f6c65cef12cf.tar.gz |
(camellia_set_encrypt_key): Inline
the expansion of camellia_setup128 and camellia_setup256, keeping
the unexpanded key in scalar variables.
(camellia_setup128): Deleted.
(camellia_setup256): Deleted.
Rev: nettle/camellia-set-encrypt-key.c:1.3
-rw-r--r-- | camellia-set-encrypt-key.c | 316 |
1 files changed, 140 insertions, 176 deletions
diff --git a/camellia-set-encrypt-key.c b/camellia-set-encrypt-key.c index b6ea7b95..0fd0270d 100644 --- a/camellia-set-encrypt-key.c +++ b/camellia-set-encrypt-key.c @@ -82,208 +82,172 @@ (x) = ((uint64_t) __w << 32) | (__t ^ __w); \ } while (0) - -static void -camellia_setup128(uint64_t *subkey, const uint64_t *key) -{ - uint64_t k0, k1, w; - - /** - * k == k0 || k1 (|| is concatenation) - */ - k0 = key[0]; - k1 = key[1]; - - /** - * generate KL dependent subkeys - */ - subkey[0] = k0; subkey[1] = k1; - ROL128(15, k0, k1); - subkey[4] = k0; subkey[5] = k1; - ROL128(30, k0, k1); - subkey[10] = k0; subkey[11] = k1; - ROL128(15, k0, k1); - subkey[13] = k1; - ROL128(17, k0, k1); - subkey[16] = k0; subkey[17] = k1; - ROL128(17, k0, k1); - subkey[18] = k0; subkey[19] = k1; - ROL128(17, k0, k1); - subkey[22] = k0; subkey[23] = k1; - - /* generate KA. D1 is k0, d2 is k1. */ - /* FIXME: Make notation match the spec better. */ - /* For the 128-bit case, KR = 0, the construvtion of KA reduces to: - - D1 = KL >> 64; - W = KL & MASK64; - D2 = F(D1, Sigma1); - W = D2 ^ W - D1 = F(W, Sigma2) - D2 = D2 ^ F(D1, Sigma3); - D1 = D1 ^ F(D2, Sigma4); - KA = (D1 << 64) | D2; - */ - k0 = subkey[0]; w = subkey[1]; - CAMELLIA_F(k0, SIGMA1, k1); - w ^= k1; - CAMELLIA_F(w, SIGMA2, k0); - CAMELLIA_F(k0, SIGMA3, w); - k1 ^= w; - CAMELLIA_F(k1, SIGMA4, w); - k0 ^= w; - - /* generate KA dependent subkeys */ - subkey[2] = k0; subkey[3] = k1; - ROL128(15, k0, k1); - subkey[6] = k0; subkey[7] = k1; - ROL128(15, k0, k1); - subkey[8] = k0; subkey[9] = k1; - ROL128(15, k0, k1); - subkey[12] = k0; - ROL128(15, k0, k1); - subkey[14] = k0; subkey[15] = k1; - ROL128(34, k0, k1); - subkey[20] = k0; subkey[21] = k1; - ROL128(17, k0, k1); - subkey[24] = k0; subkey[25] = k1; - - return; -} - -static void -camellia_setup256(uint64_t *subkey, const uint64_t *key) -{ - uint64_t k0, k1, k2, k3; - uint64_t w; - - /** - * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr) - * (|| is concatenation) - */ - - k0 = key[0]; - k1 = key[1]; - k2 = key[2]; - k3 = key[3]; - - /* generate KL dependent subkeys */ - subkey[0] = k0; subkey[1] = k1; - ROL128(45, k0, k1); - subkey[12] = k0; subkey[13] = k1; - ROL128(15, k0, k1); - subkey[16] = k0; subkey[17] = k1; - ROL128(17, k0, k1); - subkey[22] = k0; subkey[23] = k1; - ROL128(34, k0, k1); - subkey[30] = k0; subkey[31] = k1; - - /* generate KR dependent subkeys */ - ROL128(15, k2, k3); - subkey[4] = k2; subkey[5] = k3; - ROL128(15, k2, k3); - subkey[8] = k2; subkey[9] = k3; - ROL128(30, k2, k3); - subkey[18] = k2; subkey[19] = k3; - ROL128(34, k2, k3); - subkey[26] = k2; subkey[27] = k3; - ROL128(34, k2, k3); - - /* generate KA */ - /* The construction of KA is done as - - D1 = (KL ^ KR) >> 64 - D2 = (KL ^ KR) & MASK64 - W = F(D1, SIGMA1) - D2 = D2 ^ W - D1 = F(D2, SIGMA2) ^ (KR >> 64) - D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) - D1 = D1 ^ F(W, SIGMA2) - D2 = D2 ^ F(D1, SIGMA3) - D1 = D1 ^ F(D2, SIGMA4) - */ - - k0 = subkey[0] ^ k2; - k1 = subkey[1] ^ k3; - - CAMELLIA_F(k0, SIGMA1, w); - k1 ^= w; - - CAMELLIA_F(k1, SIGMA2, k0); - k0 ^= k2; - - CAMELLIA_F(k0, SIGMA3, k1); - k1 ^= w ^ k3; - - CAMELLIA_F(k1, SIGMA4, w); - k0 ^= w; - - /* generate KB */ - k2 ^= k0; k3 ^= k1; - CAMELLIA_F(k2, SIGMA5, w); - k3 ^= w; - CAMELLIA_F(k3, SIGMA6, w); - k2 ^= w; - - /* generate KA dependent subkeys */ - ROL128(15, k0, k1); - subkey[6] = k0; subkey[7] = k1; - ROL128(30, k0, k1); - subkey[14] = k0; subkey[15] = k1; - ROL128(32, k0, k1); - subkey[24] = k0; subkey[25] = k1; - ROL128(17, k0, k1); - subkey[28] = k0; subkey[29] = k1; - - /* generate KB dependent subkeys */ - subkey[2] = k2; subkey[3] = k3; - ROL128(30, k2, k3); - subkey[10] = k2; subkey[11] = k3; - ROL128(30, k2, k3); - subkey[20] = k2; subkey[21] = k3; - ROL128(51, k2, k3); - subkey[32] = k2; subkey[33] = k3; - - return; -} - void camellia_set_encrypt_key(struct camellia_ctx *ctx, unsigned length, const uint8_t *key) { - uint64_t k[4]; + uint64_t k0, k1; - /* Subkeys according to the spec, 26 for short keys and 34 for large - keys */ uint64_t subkey[34]; - uint64_t kw2, kw4; + uint64_t w, kw2, kw4; uint32_t dw, tl, tr; unsigned i; - k[0] = READ_UINT64(key); - k[1] = READ_UINT64(key + 8); + k0 = READ_UINT64(key); + k1 = READ_UINT64(key + 8); if (length == 16) { ctx->nkeys = 26; - camellia_setup128(subkey, k); + /** + * generate KL dependent subkeys + */ + subkey[0] = k0; subkey[1] = k1; + ROL128(15, k0, k1); + subkey[4] = k0; subkey[5] = k1; + ROL128(30, k0, k1); + subkey[10] = k0; subkey[11] = k1; + ROL128(15, k0, k1); + subkey[13] = k1; + ROL128(17, k0, k1); + subkey[16] = k0; subkey[17] = k1; + ROL128(17, k0, k1); + subkey[18] = k0; subkey[19] = k1; + ROL128(17, k0, k1); + subkey[22] = k0; subkey[23] = k1; + + /* generate KA. D1 is k0, d2 is k1. */ + /* FIXME: Make notation match the spec better. */ + /* For the 128-bit case, KR = 0, the construction of KA reduces to: + + D1 = KL >> 64; + W = KL & MASK64; + D2 = F(D1, Sigma1); + W = D2 ^ W + D1 = F(W, Sigma2) + D2 = D2 ^ F(D1, Sigma3); + D1 = D1 ^ F(D2, Sigma4); + KA = (D1 << 64) | D2; + */ + k0 = subkey[0]; w = subkey[1]; + CAMELLIA_F(k0, SIGMA1, k1); + w ^= k1; + CAMELLIA_F(w, SIGMA2, k0); + CAMELLIA_F(k0, SIGMA3, w); + k1 ^= w; + CAMELLIA_F(k1, SIGMA4, w); + k0 ^= w; + + /* generate KA dependent subkeys */ + subkey[2] = k0; subkey[3] = k1; + ROL128(15, k0, k1); + subkey[6] = k0; subkey[7] = k1; + ROL128(15, k0, k1); + subkey[8] = k0; subkey[9] = k1; + ROL128(15, k0, k1); + subkey[12] = k0; + ROL128(15, k0, k1); + subkey[14] = k0; subkey[15] = k1; + ROL128(34, k0, k1); + subkey[20] = k0; subkey[21] = k1; + ROL128(17, k0, k1); + subkey[24] = k0; subkey[25] = k1; } else { + uint64_t k2, k3; ctx->nkeys = 34; - k[2] = READ_UINT64(key + 16); + k2 = READ_UINT64(key + 16); if (length == 24) - k[3] = ~k[2]; + k3 = ~k2; else { assert (length == 32); - k[3] = READ_UINT64(key + 24); + k3 = READ_UINT64(key + 24); } - camellia_setup256(subkey, k); + /* generate KL dependent subkeys */ + subkey[0] = k0; subkey[1] = k1; + ROL128(45, k0, k1); + subkey[12] = k0; subkey[13] = k1; + ROL128(15, k0, k1); + subkey[16] = k0; subkey[17] = k1; + ROL128(17, k0, k1); + subkey[22] = k0; subkey[23] = k1; + ROL128(34, k0, k1); + subkey[30] = k0; subkey[31] = k1; + + /* generate KR dependent subkeys */ + ROL128(15, k2, k3); + subkey[4] = k2; subkey[5] = k3; + ROL128(15, k2, k3); + subkey[8] = k2; subkey[9] = k3; + ROL128(30, k2, k3); + subkey[18] = k2; subkey[19] = k3; + ROL128(34, k2, k3); + subkey[26] = k2; subkey[27] = k3; + ROL128(34, k2, k3); + + /* generate KA */ + /* The construction of KA is done as + + D1 = (KL ^ KR) >> 64 + D2 = (KL ^ KR) & MASK64 + W = F(D1, SIGMA1) + D2 = D2 ^ W + D1 = F(D2, SIGMA2) ^ (KR >> 64) + D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) + D1 = D1 ^ F(W, SIGMA2) + D2 = D2 ^ F(D1, SIGMA3) + D1 = D1 ^ F(D2, SIGMA4) + */ + + k0 = subkey[0] ^ k2; + k1 = subkey[1] ^ k3; + + CAMELLIA_F(k0, SIGMA1, w); + k1 ^= w; + + CAMELLIA_F(k1, SIGMA2, k0); + k0 ^= k2; + + CAMELLIA_F(k0, SIGMA3, k1); + k1 ^= w ^ k3; + + CAMELLIA_F(k1, SIGMA4, w); + k0 ^= w; + + /* generate KB */ + k2 ^= k0; k3 ^= k1; + CAMELLIA_F(k2, SIGMA5, w); + k3 ^= w; + CAMELLIA_F(k3, SIGMA6, w); + k2 ^= w; + + /* generate KA dependent subkeys */ + ROL128(15, k0, k1); + subkey[6] = k0; subkey[7] = k1; + ROL128(30, k0, k1); + subkey[14] = k0; subkey[15] = k1; + ROL128(32, k0, k1); + subkey[24] = k0; subkey[25] = k1; + ROL128(17, k0, k1); + subkey[28] = k0; subkey[29] = k1; + + /* generate KB dependent subkeys */ + subkey[2] = k2; subkey[3] = k3; + ROL128(30, k2, k3); + subkey[10] = k2; subkey[11] = k3; + ROL128(30, k2, k3); + subkey[20] = k2; subkey[21] = k3; + ROL128(51, k2, k3); + subkey[32] = k2; subkey[33] = k3; } + /* At this point, the subkey array contains the subkeys as described + in the spec, 26 for short keys and 34 for large keys. */ + /* absorb kw2 to other subkeys */ kw2 = subkey[1]; |