Botan  2.1.0
Crypto and TLS for C++11
misty1.cpp
Go to the documentation of this file.
1 /*
2 * MISTY1
3 * (C) 1999-2009 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/misty1.h>
9 #include <botan/loadstor.h>
10 #include <botan/parsing.h>
11 
12 namespace Botan {
13 
14 namespace {
15 
16 static const uint8_t MISTY1_SBOX_S7[128] = {
17  0x1B, 0x32, 0x33, 0x5A, 0x3B, 0x10, 0x17, 0x54, 0x5B, 0x1A, 0x72, 0x73,
18  0x6B, 0x2C, 0x66, 0x49, 0x1F, 0x24, 0x13, 0x6C, 0x37, 0x2E, 0x3F, 0x4A,
19  0x5D, 0x0F, 0x40, 0x56, 0x25, 0x51, 0x1C, 0x04, 0x0B, 0x46, 0x20, 0x0D,
20  0x7B, 0x35, 0x44, 0x42, 0x2B, 0x1E, 0x41, 0x14, 0x4B, 0x79, 0x15, 0x6F,
21  0x0E, 0x55, 0x09, 0x36, 0x74, 0x0C, 0x67, 0x53, 0x28, 0x0A, 0x7E, 0x38,
22  0x02, 0x07, 0x60, 0x29, 0x19, 0x12, 0x65, 0x2F, 0x30, 0x39, 0x08, 0x68,
23  0x5F, 0x78, 0x2A, 0x4C, 0x64, 0x45, 0x75, 0x3D, 0x59, 0x48, 0x03, 0x57,
24  0x7C, 0x4F, 0x62, 0x3C, 0x1D, 0x21, 0x5E, 0x27, 0x6A, 0x70, 0x4D, 0x3A,
25  0x01, 0x6D, 0x6E, 0x63, 0x18, 0x77, 0x23, 0x05, 0x26, 0x76, 0x00, 0x31,
26  0x2D, 0x7A, 0x7F, 0x61, 0x50, 0x22, 0x11, 0x06, 0x47, 0x16, 0x52, 0x4E,
27  0x71, 0x3E, 0x69, 0x43, 0x34, 0x5C, 0x58, 0x7D };
28 
29 static const uint16_t MISTY1_SBOX_S9[512] = {
30  0x01C3, 0x00CB, 0x0153, 0x019F, 0x01E3, 0x00E9, 0x00FB, 0x0035, 0x0181,
31  0x00B9, 0x0117, 0x01EB, 0x0133, 0x0009, 0x002D, 0x00D3, 0x00C7, 0x014A,
32  0x0037, 0x007E, 0x00EB, 0x0164, 0x0193, 0x01D8, 0x00A3, 0x011E, 0x0055,
33  0x002C, 0x001D, 0x01A2, 0x0163, 0x0118, 0x014B, 0x0152, 0x01D2, 0x000F,
34  0x002B, 0x0030, 0x013A, 0x00E5, 0x0111, 0x0138, 0x018E, 0x0063, 0x00E3,
35  0x00C8, 0x01F4, 0x001B, 0x0001, 0x009D, 0x00F8, 0x01A0, 0x016D, 0x01F3,
36  0x001C, 0x0146, 0x007D, 0x00D1, 0x0082, 0x01EA, 0x0183, 0x012D, 0x00F4,
37  0x019E, 0x01D3, 0x00DD, 0x01E2, 0x0128, 0x01E0, 0x00EC, 0x0059, 0x0091,
38  0x0011, 0x012F, 0x0026, 0x00DC, 0x00B0, 0x018C, 0x010F, 0x01F7, 0x00E7,
39  0x016C, 0x00B6, 0x00F9, 0x00D8, 0x0151, 0x0101, 0x014C, 0x0103, 0x00B8,
40  0x0154, 0x012B, 0x01AE, 0x0017, 0x0071, 0x000C, 0x0047, 0x0058, 0x007F,
41  0x01A4, 0x0134, 0x0129, 0x0084, 0x015D, 0x019D, 0x01B2, 0x01A3, 0x0048,
42  0x007C, 0x0051, 0x01CA, 0x0023, 0x013D, 0x01A7, 0x0165, 0x003B, 0x0042,
43  0x00DA, 0x0192, 0x00CE, 0x00C1, 0x006B, 0x009F, 0x01F1, 0x012C, 0x0184,
44  0x00FA, 0x0196, 0x01E1, 0x0169, 0x017D, 0x0031, 0x0180, 0x010A, 0x0094,
45  0x01DA, 0x0186, 0x013E, 0x011C, 0x0060, 0x0175, 0x01CF, 0x0067, 0x0119,
46  0x0065, 0x0068, 0x0099, 0x0150, 0x0008, 0x0007, 0x017C, 0x00B7, 0x0024,
47  0x0019, 0x00DE, 0x0127, 0x00DB, 0x00E4, 0x01A9, 0x0052, 0x0109, 0x0090,
48  0x019C, 0x01C1, 0x0028, 0x01B3, 0x0135, 0x016A, 0x0176, 0x00DF, 0x01E5,
49  0x0188, 0x00C5, 0x016E, 0x01DE, 0x01B1, 0x00C3, 0x01DF, 0x0036, 0x00EE,
50  0x01EE, 0x00F0, 0x0093, 0x0049, 0x009A, 0x01B6, 0x0069, 0x0081, 0x0125,
51  0x000B, 0x005E, 0x00B4, 0x0149, 0x01C7, 0x0174, 0x003E, 0x013B, 0x01B7,
52  0x008E, 0x01C6, 0x00AE, 0x0010, 0x0095, 0x01EF, 0x004E, 0x00F2, 0x01FD,
53  0x0085, 0x00FD, 0x00F6, 0x00A0, 0x016F, 0x0083, 0x008A, 0x0156, 0x009B,
54  0x013C, 0x0107, 0x0167, 0x0098, 0x01D0, 0x01E9, 0x0003, 0x01FE, 0x00BD,
55  0x0122, 0x0089, 0x00D2, 0x018F, 0x0012, 0x0033, 0x006A, 0x0142, 0x00ED,
56  0x0170, 0x011B, 0x00E2, 0x014F, 0x0158, 0x0131, 0x0147, 0x005D, 0x0113,
57  0x01CD, 0x0079, 0x0161, 0x01A5, 0x0179, 0x009E, 0x01B4, 0x00CC, 0x0022,
58  0x0132, 0x001A, 0x00E8, 0x0004, 0x0187, 0x01ED, 0x0197, 0x0039, 0x01BF,
59  0x01D7, 0x0027, 0x018B, 0x00C6, 0x009C, 0x00D0, 0x014E, 0x006C, 0x0034,
60  0x01F2, 0x006E, 0x00CA, 0x0025, 0x00BA, 0x0191, 0x00FE, 0x0013, 0x0106,
61  0x002F, 0x01AD, 0x0172, 0x01DB, 0x00C0, 0x010B, 0x01D6, 0x00F5, 0x01EC,
62  0x010D, 0x0076, 0x0114, 0x01AB, 0x0075, 0x010C, 0x01E4, 0x0159, 0x0054,
63  0x011F, 0x004B, 0x00C4, 0x01BE, 0x00F7, 0x0029, 0x00A4, 0x000E, 0x01F0,
64  0x0077, 0x004D, 0x017A, 0x0086, 0x008B, 0x00B3, 0x0171, 0x00BF, 0x010E,
65  0x0104, 0x0097, 0x015B, 0x0160, 0x0168, 0x00D7, 0x00BB, 0x0066, 0x01CE,
66  0x00FC, 0x0092, 0x01C5, 0x006F, 0x0016, 0x004A, 0x00A1, 0x0139, 0x00AF,
67  0x00F1, 0x0190, 0x000A, 0x01AA, 0x0143, 0x017B, 0x0056, 0x018D, 0x0166,
68  0x00D4, 0x01FB, 0x014D, 0x0194, 0x019A, 0x0087, 0x01F8, 0x0123, 0x00A7,
69  0x01B8, 0x0141, 0x003C, 0x01F9, 0x0140, 0x002A, 0x0155, 0x011A, 0x01A1,
70  0x0198, 0x00D5, 0x0126, 0x01AF, 0x0061, 0x012E, 0x0157, 0x01DC, 0x0072,
71  0x018A, 0x00AA, 0x0096, 0x0115, 0x00EF, 0x0045, 0x007B, 0x008D, 0x0145,
72  0x0053, 0x005F, 0x0178, 0x00B2, 0x002E, 0x0020, 0x01D5, 0x003F, 0x01C9,
73  0x01E7, 0x01AC, 0x0044, 0x0038, 0x0014, 0x00B1, 0x016B, 0x00AB, 0x00B5,
74  0x005A, 0x0182, 0x01C8, 0x01D4, 0x0018, 0x0177, 0x0064, 0x00CF, 0x006D,
75  0x0100, 0x0199, 0x0130, 0x015A, 0x0005, 0x0120, 0x01BB, 0x01BD, 0x00E0,
76  0x004F, 0x00D6, 0x013F, 0x01C4, 0x012A, 0x0015, 0x0006, 0x00FF, 0x019B,
77  0x00A6, 0x0043, 0x0088, 0x0050, 0x015F, 0x01E8, 0x0121, 0x0073, 0x017E,
78  0x00BC, 0x00C2, 0x00C9, 0x0173, 0x0189, 0x01F5, 0x0074, 0x01CC, 0x01E6,
79  0x01A8, 0x0195, 0x001F, 0x0041, 0x000D, 0x01BA, 0x0032, 0x003D, 0x01D1,
80  0x0080, 0x00A8, 0x0057, 0x01B9, 0x0162, 0x0148, 0x00D9, 0x0105, 0x0062,
81  0x007A, 0x0021, 0x01FF, 0x0112, 0x0108, 0x01C0, 0x00A9, 0x011D, 0x01B0,
82  0x01A6, 0x00CD, 0x00F3, 0x005C, 0x0102, 0x005B, 0x01D9, 0x0144, 0x01F6,
83  0x00AD, 0x00A5, 0x003A, 0x01CB, 0x0136, 0x017F, 0x0046, 0x00E1, 0x001E,
84  0x01DD, 0x00E6, 0x0137, 0x01FA, 0x0185, 0x008C, 0x008F, 0x0040, 0x01B5,
85  0x00BE, 0x0078, 0x0000, 0x00AC, 0x0110, 0x015E, 0x0124, 0x0002, 0x01BC,
86  0x00A2, 0x00EA, 0x0070, 0x01FC, 0x0116, 0x015C, 0x004C, 0x01C2 };
87 
88 /*
89 * MISTY1 FI Function
90 */
91 uint16_t FI(uint16_t input, uint16_t key7, uint16_t key9)
92  {
93  uint16_t D9 = input >> 7, D7 = input & 0x7F;
94  D9 = MISTY1_SBOX_S9[D9] ^ D7;
95  D7 = (MISTY1_SBOX_S7[D7] ^ key7 ^ D9) & 0x7F;
96  D9 = MISTY1_SBOX_S9[D9 ^ key9] ^ D7;
97  return static_cast<uint16_t>((D7 << 9) | D9);
98  }
99 
100 }
101 
102 /*
103 * MISTY1 Encryption
104 */
105 void MISTY1::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
106  {
107  for(size_t i = 0; i != blocks; ++i)
108  {
109  uint16_t B0 = load_be<uint16_t>(in, 0);
110  uint16_t B1 = load_be<uint16_t>(in, 1);
111  uint16_t B2 = load_be<uint16_t>(in, 2);
112  uint16_t B3 = load_be<uint16_t>(in, 3);
113 
114  for(size_t j = 0; j != 12; j += 3)
115  {
116  const uint16_t* RK = &m_EK[8 * j];
117 
118  B1 ^= B0 & RK[0];
119  B0 ^= B1 | RK[1];
120  B3 ^= B2 & RK[2];
121  B2 ^= B3 | RK[3];
122 
123  uint32_t T0, T1;
124 
125  T0 = FI(B0 ^ RK[ 4], RK[ 5], RK[ 6]) ^ B1;
126  T1 = FI(B1 ^ RK[ 7], RK[ 8], RK[ 9]) ^ T0;
127  T0 = FI(T0 ^ RK[10], RK[11], RK[12]) ^ T1;
128 
129  B2 ^= T1 ^ RK[13];
130  B3 ^= T0;
131 
132  T0 = FI(B2 ^ RK[14], RK[15], RK[16]) ^ B3;
133  T1 = FI(B3 ^ RK[17], RK[18], RK[19]) ^ T0;
134  T0 = FI(T0 ^ RK[20], RK[21], RK[22]) ^ T1;
135 
136  B0 ^= T1 ^ RK[23];
137  B1 ^= T0;
138  }
139 
140  B1 ^= B0 & m_EK[96];
141  B0 ^= B1 | m_EK[97];
142  B3 ^= B2 & m_EK[98];
143  B2 ^= B3 | m_EK[99];
144 
145  store_be(out, B2, B3, B0, B1);
146 
147  in += BLOCK_SIZE;
148  out += BLOCK_SIZE;
149  }
150  }
151 
152 /*
153 * MISTY1 Decryption
154 */
155 void MISTY1::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
156  {
157  for(size_t i = 0; i != blocks; ++i)
158  {
159  uint16_t B0 = load_be<uint16_t>(in, 2);
160  uint16_t B1 = load_be<uint16_t>(in, 3);
161  uint16_t B2 = load_be<uint16_t>(in, 0);
162  uint16_t B3 = load_be<uint16_t>(in, 1);
163 
164  for(size_t j = 0; j != 12; j += 3)
165  {
166  const uint16_t* RK = &m_DK[8 * j];
167 
168  B2 ^= B3 | RK[0];
169  B3 ^= B2 & RK[1];
170  B0 ^= B1 | RK[2];
171  B1 ^= B0 & RK[3];
172 
173  uint32_t T0, T1;
174 
175  T0 = FI(B2 ^ RK[ 4], RK[ 5], RK[ 6]) ^ B3;
176  T1 = FI(B3 ^ RK[ 7], RK[ 8], RK[ 9]) ^ T0;
177  T0 = FI(T0 ^ RK[10], RK[11], RK[12]) ^ T1;
178 
179  B0 ^= T1 ^ RK[13];
180  B1 ^= T0;
181 
182  T0 = FI(B0 ^ RK[14], RK[15], RK[16]) ^ B1;
183  T1 = FI(B1 ^ RK[17], RK[18], RK[19]) ^ T0;
184  T0 = FI(T0 ^ RK[20], RK[21], RK[22]) ^ T1;
185 
186  B2 ^= T1 ^ RK[23];
187  B3 ^= T0;
188  }
189 
190  B2 ^= B3 | m_DK[96];
191  B3 ^= B2 & m_DK[97];
192  B0 ^= B1 | m_DK[98];
193  B1 ^= B0 & m_DK[99];
194 
195  store_be(out, B0, B1, B2, B3);
196 
197  in += BLOCK_SIZE;
198  out += BLOCK_SIZE;
199  }
200  }
201 
202 /*
203 * MISTY1 Key Schedule
204 */
205 void MISTY1::key_schedule(const uint8_t key[], size_t length)
206  {
208  for(size_t i = 0; i != length / 2; ++i)
209  KS[i] = load_be<uint16_t>(key, i);
210 
211  for(size_t i = 0; i != 8; ++i)
212  {
213  KS[i+ 8] = FI(KS[i], KS[(i+1) % 8] >> 9, KS[(i+1) % 8] & 0x1FF);
214  KS[i+16] = KS[i+8] >> 9;
215  KS[i+24] = KS[i+8] & 0x1FF;
216  }
217 
218  /*
219  * Precomputed indexes for the orderings of the subkeys (MISTY1 reuses
220  * values)
221  */
222  static const uint8_t EK_ORDER[100] = {
223  0x00, 0x0E, 0x0A, 0x04, 0x00, 0x15, 0x1D, 0x02, 0x11, 0x19, 0x07, 0x13,
224  0x1B, 0x04, 0x01, 0x16, 0x1E, 0x03, 0x12, 0x1A, 0x00, 0x14, 0x1C, 0x05,
225  0x01, 0x0F, 0x0B, 0x05, 0x02, 0x17, 0x1F, 0x04, 0x13, 0x1B, 0x01, 0x15,
226  0x1D, 0x06, 0x03, 0x10, 0x18, 0x05, 0x14, 0x1C, 0x02, 0x16, 0x1E, 0x07,
227  0x02, 0x08, 0x0C, 0x06, 0x04, 0x11, 0x19, 0x06, 0x15, 0x1D, 0x03, 0x17,
228  0x1F, 0x00, 0x05, 0x12, 0x1A, 0x07, 0x16, 0x1E, 0x04, 0x10, 0x18, 0x01,
229  0x03, 0x09, 0x0D, 0x07, 0x06, 0x13, 0x1B, 0x00, 0x17, 0x1F, 0x05, 0x11,
230  0x19, 0x02, 0x07, 0x14, 0x1C, 0x01, 0x10, 0x18, 0x06, 0x12, 0x1A, 0x03,
231  0x04, 0x0A, 0x0E, 0x00 };
232 
233  static const uint8_t DK_ORDER[100] = {
234  0x00, 0x0E, 0x0A, 0x04, 0x07, 0x14, 0x1C, 0x01, 0x10, 0x18, 0x06, 0x12,
235  0x1A, 0x03, 0x06, 0x13, 0x1B, 0x00, 0x17, 0x1F, 0x05, 0x11, 0x19, 0x02,
236  0x07, 0x0D, 0x09, 0x03, 0x05, 0x12, 0x1A, 0x07, 0x16, 0x1E, 0x04, 0x10,
237  0x18, 0x01, 0x04, 0x11, 0x19, 0x06, 0x15, 0x1D, 0x03, 0x17, 0x1F, 0x00,
238  0x06, 0x0C, 0x08, 0x02, 0x03, 0x10, 0x18, 0x05, 0x14, 0x1C, 0x02, 0x16,
239  0x1E, 0x07, 0x02, 0x17, 0x1F, 0x04, 0x13, 0x1B, 0x01, 0x15, 0x1D, 0x06,
240  0x05, 0x0B, 0x0F, 0x01, 0x01, 0x16, 0x1E, 0x03, 0x12, 0x1A, 0x00, 0x14,
241  0x1C, 0x05, 0x00, 0x15, 0x1D, 0x02, 0x11, 0x19, 0x07, 0x13, 0x1B, 0x04,
242  0x04, 0x0A, 0x0E, 0x00 };
243 
244  m_EK.resize(100);
245  m_DK.resize(100);
246 
247  for(size_t i = 0; i != 100; ++i)
248  {
249  m_EK[i] = KS[EK_ORDER[i]];
250  m_DK[i] = KS[DK_ORDER[i]];
251  }
252  }
253 
255  {
256  zap(m_EK);
257  zap(m_DK);
258  }
259 
260 }
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:221
void clear() override
Definition: misty1.cpp:254
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:441
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: misty1.cpp:155
uint16_t load_be< uint16_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:145
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: misty1.cpp:105
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:121
Definition: alg_id.cpp:13