Botan  2.1.0
Crypto and TLS for C++11
idea.cpp
Go to the documentation of this file.
1 /*
2 * IDEA
3 * (C) 1999-2010,2015 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/idea.h>
9 #include <botan/loadstor.h>
10 #include <botan/cpuid.h>
11 #include <botan/internal/ct_utils.h>
12 
13 namespace Botan {
14 
15 namespace {
16 
17 /*
18 * Multiplication modulo 65537
19 */
20 inline uint16_t mul(uint16_t x, uint16_t y)
21  {
22  const uint32_t P = static_cast<uint32_t>(x) * y;
23 
24  const uint16_t Z_mask = static_cast<uint16_t>(CT::expand_mask(P) & 0xFFFF);
25 
26  const uint32_t P_hi = P >> 16;
27  const uint32_t P_lo = P & 0xFFFF;
28 
29  const uint16_t r_1 = (P_lo - P_hi) + (P_lo < P_hi);
30  const uint16_t r_2 = 1 - x - y;
31 
32  return CT::select(Z_mask, r_1, r_2);
33  }
34 
35 /*
36 * Find multiplicative inverses modulo 65537
37 *
38 * 65537 is prime; thus Fermat's little theorem tells us that
39 * x^65537 == x modulo 65537, which means
40 * x^(65537-2) == x^-1 modulo 65537 since
41 * x^(65537-2) * x == 1 mod 65537
42 *
43 * Do the exponentiation with a basic square and multiply: all bits are
44 * of exponent are 1 so we always multiply
45 */
46 uint16_t mul_inv(uint16_t x)
47  {
48  uint16_t y = x;
49 
50  for(size_t i = 0; i != 15; ++i)
51  {
52  y = mul(y, y); // square
53  y = mul(y, x);
54  }
55 
56  return y;
57  }
58 
59 /**
60 * IDEA is involutional, depending only on the key schedule
61 */
62 void idea_op(const uint8_t in[], uint8_t out[], size_t blocks, const uint16_t K[52])
63  {
64  const size_t BLOCK_SIZE = 8;
65 
66  CT::poison(in, blocks * 8);
67  CT::poison(out, blocks * 8);
68  CT::poison(K, 52);
69 
70  BOTAN_PARALLEL_FOR(size_t i = 0; i < blocks; ++i)
71  {
72  uint16_t X1, X2, X3, X4;
73  load_be(in + BLOCK_SIZE*i, X1, X2, X3, X4);
74 
75  for(size_t j = 0; j != 8; ++j)
76  {
77  X1 = mul(X1, K[6*j+0]);
78  X2 += K[6*j+1];
79  X3 += K[6*j+2];
80  X4 = mul(X4, K[6*j+3]);
81 
82  uint16_t T0 = X3;
83  X3 = mul(X3 ^ X1, K[6*j+4]);
84 
85  uint16_t T1 = X2;
86  X2 = mul((X2 ^ X4) + X3, K[6*j+5]);
87  X3 += X2;
88 
89  X1 ^= X2;
90  X4 ^= X3;
91  X2 ^= T0;
92  X3 ^= T1;
93  }
94 
95  X1 = mul(X1, K[48]);
96  X2 += K[50];
97  X3 += K[49];
98  X4 = mul(X4, K[51]);
99 
100  store_be(out + BLOCK_SIZE*i, X1, X3, X2, X4);
101  }
102 
103  CT::unpoison(in, blocks * 8);
104  CT::unpoison(out, blocks * 8);
105  CT::unpoison(K, 52);
106  }
107 
108 }
109 
110 std::string IDEA::provider() const
111  {
112 #if defined(BOTAN_HAS_IDEA_SSE2)
113  if(CPUID::has_sse2())
114  {
115  return "sse2";
116  }
117 #endif
118 
119  return "base";
120  }
121 
122 /*
123 * IDEA Encryption
124 */
125 void IDEA::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
126  {
127 #if defined(BOTAN_HAS_IDEA_SSE2)
128  if(CPUID::has_sse2())
129  {
130  while(blocks >= 8)
131  {
132  sse2_idea_op_8(in, out, m_EK.data());
133  in += 8 * BLOCK_SIZE;
134  out += 8 * BLOCK_SIZE;
135  blocks -= 8;
136  }
137  }
138 #endif
139 
140  idea_op(in, out, blocks, m_EK.data());
141  }
142 
143 /*
144 * IDEA Decryption
145 */
146 void IDEA::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
147  {
148 #if defined(BOTAN_HAS_IDEA_SSE2)
149  if(CPUID::has_sse2())
150  {
151  while(blocks >= 8)
152  {
153  sse2_idea_op_8(in, out, m_DK.data());
154  in += 8 * BLOCK_SIZE;
155  out += 8 * BLOCK_SIZE;
156  blocks -= 8;
157  }
158  }
159 #endif
160 
161  idea_op(in, out, blocks, m_DK.data());
162  }
163 
164 /*
165 * IDEA Key Schedule
166 */
167 void IDEA::key_schedule(const uint8_t key[], size_t)
168  {
169  m_EK.resize(52);
170  m_DK.resize(52);
171 
172  CT::poison(key, 16);
173  CT::poison(m_EK.data(), 52);
174  CT::poison(m_DK.data(), 52);
175 
176  for(size_t i = 0; i != 8; ++i)
177  m_EK[i] = load_be<uint16_t>(key, i);
178 
179  for(size_t i = 1, j = 8, offset = 0; j != 52; i %= 8, ++i, ++j)
180  {
181  m_EK[i+7+offset] = static_cast<uint16_t>((m_EK[(i % 8) + offset] << 9) |
182  (m_EK[((i+1) % 8) + offset] >> 7));
183  offset += (i == 8) ? 8 : 0;
184  }
185 
186  m_DK[51] = mul_inv(m_EK[3]);
187  m_DK[50] = -m_EK[2];
188  m_DK[49] = -m_EK[1];
189  m_DK[48] = mul_inv(m_EK[0]);
190 
191  for(size_t i = 1, j = 4, counter = 47; i != 8; ++i, j += 6)
192  {
193  m_DK[counter--] = m_EK[j+1];
194  m_DK[counter--] = m_EK[j];
195  m_DK[counter--] = mul_inv(m_EK[j+5]);
196  m_DK[counter--] = -m_EK[j+3];
197  m_DK[counter--] = -m_EK[j+4];
198  m_DK[counter--] = mul_inv(m_EK[j+2]);
199  }
200 
201  m_DK[5] = m_EK[47];
202  m_DK[4] = m_EK[46];
203  m_DK[3] = mul_inv(m_EK[51]);
204  m_DK[2] = -m_EK[50];
205  m_DK[1] = -m_EK[49];
206  m_DK[0] = mul_inv(m_EK[48]);
207 
208  CT::unpoison(key, 16);
209  CT::unpoison(m_EK.data(), 52);
210  CT::unpoison(m_DK.data(), 52);
211  }
212 
214  {
215  zap(m_EK);
216  zap(m_DK);
217  }
218 
219 }
void clear() override
Definition: idea.cpp:213
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:221
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:441
uint16_t load_be< uint16_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:145
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: idea.cpp:125
std::string provider() const override
Definition: idea.cpp:110
void poison(const T *p, size_t n)
Definition: ct_utils.h:46
#define BOTAN_PARALLEL_FOR
Definition: compiler.h:129
T expand_mask(T x)
Definition: ct_utils.h:86
T load_be(const uint8_t in[], size_t off)
Definition: loadstor.h:113
T select(T mask, T from0, T from1)
Definition: ct_utils.h:98
Definition: alg_id.cpp:13
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: idea.cpp:146
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:57