Commit f441a523 authored by Niels Möller's avatar Niels Möller

* camellia.c: Rewrote to use 64-bit type for subkeys and use

64-bit operations throughout. Performance on x86_32, when compiled
with gcc-4.4.4, is reduced by roughly 15%, this should be fixed
later.

* camellia.h (struct camellia_ctx): Use type uint64_t for subkeys.

Rev: nettle/ChangeLog:1.93
Rev: nettle/camellia.c:1.3
Rev: nettle/camellia.h:1.3
parent 118e2618
2010-07-20 Niels Mller <nisse@lysator.liu.se>
* camellia.c: Rewrote to use 64-bit type for subkeys and use
64-bit operations throughout. Performance on x86_32, when compiled
with gcc-4.4.4, is reduced by roughly 15%, this should be fixed
later.
* camellia.h (struct camellia_ctx): Use type uint64_t for subkeys.
2010-07-07 Niels Mller <nisse@lysator.liu.se>
* aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const.
......
/* camellia.h ver 1.2.0
/* camellia.c
*
* Copyright (C) 2006,2007
* NTT (Nippon Telegraph and Telephone Corporation).
......@@ -40,127 +40,117 @@
/* key constants */
#define CAMELLIA_SIGMA1L (0xA09E667FL)
#define CAMELLIA_SIGMA1R (0x3BCC908BL)
#define CAMELLIA_SIGMA2L (0xB67AE858L)
#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
#define CAMELLIA_SIGMA3L (0xC6EF372FL)
#define CAMELLIA_SIGMA3R (0xE94F82BEL)
#define CAMELLIA_SIGMA4L (0x54FF53A5L)
#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
#define CAMELLIA_SIGMA5L (0x10E527FAL)
#define CAMELLIA_SIGMA5R (0xDE682D1DL)
#define CAMELLIA_SIGMA6L (0xB05688C2L)
#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
#define SIGMA1 0xA09E667F3BCC908BULL
#define SIGMA2 0xB67AE8584CAA73B2ULL
#define SIGMA3 0xC6EF372FE94F82BEULL
#define SIGMA4 0x54FF53A5F1D36F1CULL
#define SIGMA5 0x10E527FADE682D1DULL
#define SIGMA6 0xB05688C2B3E6C1FDULL
/*
* macros
*/
#define CamelliaSubkeyL(INDEX) ((ctx)->keys[(INDEX)][0])
#define CamelliaSubkeyR(INDEX) ((ctx)->keys[(INDEX)][1])
/* rotation right shift 1byte */
#define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
/* rotation left shift 1bit */
#define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
/* rotation left shift 1byte */
#define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
#define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits) \
do { \
w0 = ll; \
ll = (ll << bits) + (lr >> (32 - bits)); \
lr = (lr << bits) + (rl >> (32 - bits)); \
rl = (rl << bits) + (rr >> (32 - bits)); \
rr = (rr << bits) + (w0 >> (32 - bits)); \
} while(0)
#define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
do { \
w0 = ll; \
w1 = lr; \
ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
} while(0)
#define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
#define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
#define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
#define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
do { \
il = xl ^ kl; \
ir = xr ^ kr; \
t0 = il >> 16; \
t1 = ir >> 16; \
yl = CAMELLIA_SP1110(ir & 0xff) \
^ CAMELLIA_SP0222((t1 >> 8) & 0xff) \
^ CAMELLIA_SP3033(t1 & 0xff) \
^ CAMELLIA_SP4404((ir >> 8) & 0xff); \
yr = CAMELLIA_SP1110((t0 >> 8) & 0xff) \
^ CAMELLIA_SP0222(t0 & 0xff) \
^ CAMELLIA_SP3033((il >> 8) & 0xff) \
^ CAMELLIA_SP4404(il & 0xff); \
yl ^= yr; \
yr = CAMELLIA_RR8(yr); \
yr ^= yl; \
} while(0)
/* Rotation of 32-bit values. */
#define ROL32(bits, x) (((x) << (bits)) | ((x) >> (32 - (bits))))
/* Destructive rotation of 128 bit values. */
#define ROL128(bits, xl, xr) do { \
uint64_t __rol128_t = (xl); \
(xl) = ((xl) << (bits)) | ((xr) >> (64 - (bits))); \
(xr) = ((xr) << (bits)) | (__rol128_t >> (64 - (bits))); \
} while (0)
#define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(int)(INDEX)])
#define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(int)(INDEX)])
#define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(int)(INDEX)])
#define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(int)(INDEX)])
#define CAMELLIA_F(x, k, y) do { \
uint32_t __yl, __yr; \
uint64_t __i = (x) ^ (k); \
__yl \
= CAMELLIA_SP1110( __i & 0xff) \
^ CAMELLIA_SP0222((__i >> 24) & 0xff) \
^ CAMELLIA_SP3033((__i >> 16) & 0xff) \
^ CAMELLIA_SP4404((__i >> 8) & 0xff); \
__yr \
= CAMELLIA_SP1110( __i >> 56) \
^ CAMELLIA_SP0222((__i >> 48) & 0xff) \
^ CAMELLIA_SP3033((__i >> 40) & 0xff) \
^ CAMELLIA_SP4404((__i >> 32) & 0xff); \
__yl ^= __yr; \
__yr = ROL32(24, __yr); \
__yr ^= __yl; \
(y) = ((uint64_t) __yl << 32) | __yr; \
} while (0)
#define CAMELLIA_F_HALF_INV(x) do { \
uint32_t __t, __w; \
__t = (x) >> 32; \
__w = __t ^(x); \
__w = ROL32(8, __w); \
(x) = ((uint64_t) __w << 32) | (__t ^ __w); \
} while (0)
#define CAMELLIA_FL(x, k) do { \
uint32_t __xl, __xr, __kl, __kr, __t; \
__xl = (x) >> 32; \
__xr = (x) & 0xffffffff; \
__kl = (k) >> 32; \
__kr = (k) & 0xffffffff; \
__t = __xl & __kl; \
__xr ^= ROL32(1, __t); \
__xl ^= (__xr | __kr); \
(x) = ((uint64_t) __xl << 32) | __xr; \
} while (0)
#define CAMELLIA_FLINV(x, k) do { \
uint32_t __xl, __xr, __kl, __kr, __t; \
__xl = (x) >> 32; \
__xr = (x) & 0xffffffff; \
__kl = (k) >> 32; \
__kr = (k) & 0xffffffff; \
__xl ^= (__xr | __kr); \
__t = __xl & __kl; \
__xr ^= ROL32(1, __t); \
(x) = ((uint64_t) __xl << 32) | __xr; \
} while (0)
/*
* for speed up
*
*/
#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
do { \
t0 = kll; \
t0 &= ll; \
lr ^= CAMELLIA_RL1(t0); \
t1 = klr; \
t1 |= lr; \
ll ^= t1; \
\
t2 = krr; \
t2 |= rr; \
rl ^= t2; \
t3 = krl; \
t3 &= rl; \
rr ^= CAMELLIA_RL1(t3); \
} while(0)
#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
do { \
ir = CAMELLIA_SP1110(xr & 0xff) /* t8 */ \
^ CAMELLIA_SP0222((xr >> 24) & 0xff) /* t5 */ \
^ CAMELLIA_SP3033((xr >> 16) & 0xff) /* t6 */ \
^ CAMELLIA_SP4404((xr >> 8) & 0xff); /* t7 */ \
/* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \
il = CAMELLIA_SP1110((xl >> 24) & 0xff) /* t1 */ \
^ CAMELLIA_SP0222((xl >> 16) & 0xff) /* t2 */ \
^ CAMELLIA_SP3033((xl >> 8) & 0xff) /* t3 */ \
^ CAMELLIA_SP4404(xl & 0xff); /* t4 */ \
/* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \
il ^= kl; \
ir ^= kr; \
ir ^= il; \
/* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \
(t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \
== y1,y2,y3,y4 */ \
il = CAMELLIA_RR8(il); \
/* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \
il ^= ir; \
/* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \
(t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \
== y5,y6,y7,y8 */ \
yl ^= ir; \
yr ^= il; \
} while(0)
#define CAMELLIA_ROUNDSM(x, k, y) do { \
uint32_t __il, __ir; \
__ir \
= CAMELLIA_SP1110( (x) & 0xff) \
^ CAMELLIA_SP0222(((x) >> 24) & 0xff) \
^ CAMELLIA_SP3033(((x) >> 16) & 0xff) \
^ CAMELLIA_SP4404(((x) >> 8) & 0xff); \
/* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \
__il \
= CAMELLIA_SP1110( (x) >> 56) \
^ CAMELLIA_SP0222(((x) >> 48) & 0xff) \
^ CAMELLIA_SP3033(((x) >> 40) & 0xff) \
^ CAMELLIA_SP4404(((x) >> 32) & 0xff); \
/* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \
__il ^= (k) >> 32; \
__ir ^= (k) & 0xffffffff; \
__ir ^= __il; \
/* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \
(t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \
== y1,y2,y3,y4 */ \
__il = ROL32(24, __il); \
/* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \
__il ^= __ir; \
/* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \
(t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \
== y5,y6,y7,y8 */ \
y ^= ((uint64_t) __ir << 32) | __il; \
} while (0)
static const uint32_t camellia_sp1110[256] = {
0x70707000,0x82828200,0x2c2c2c00,0xececec00,
......@@ -434,507 +424,429 @@ static const uint32_t camellia_sp4404[256] = {
/**
* Stuff related to the Camellia key schedule
*/
#define subl(x) sub[(x)][0]
#define subr(x) sub[(x)][1]
static void
camellia_setup128(struct camellia_ctx *ctx, uint32_t *key)
camellia_setup128(struct camellia_ctx *ctx, const uint64_t *key)
{
uint32_t kll, klr, krl, krr;
uint32_t il, ir, t0, t1, w0, w1;
uint32_t kw4l, kw4r, dw, tl, tr;
uint64_t k0, k1, w, kw4;
uint32_t dw, tl, tr;
/* Subkeys according to the spec. */
uint32_t sub[26][2];
uint64_t subkey[26];
/**
* k == k0 || klr || krl || krr (|| is concatination)
* k == k0 || k1 (|| is concatination)
*/
kll = key[0];
klr = key[1];
krl = key[2];
krr = key[3];
k0 = key[0];
k1 = key[1];
/**
* generate KL dependent subkeys
*/
subl(0) = kll; subr(0) = klr;
subl(1) = krl; subr(1) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
subl(4) = kll; subr(4) = klr;
subl(5) = krl; subr(5) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
subl(10) = kll; subr(10) = klr;
subl(11) = krl; subr(11) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
subl(13) = krl; subr(13) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
subl(16) = kll; subr(16) = klr;
subl(17) = krl; subr(17) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
subl(18) = kll; subr(18) = klr;
subl(19) = krl; subr(19) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
subl(22) = kll; subr(22) = klr;
subl(23) = krl; subr(23) = krr;
/* generate KA */
kll = subl(0); klr = subr(0);
krl = subl(1); krr = subr(1);
CAMELLIA_F(kll, klr,
CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
w0, w1, il, ir, t0, t1);
krl ^= w0; krr ^= w1;
CAMELLIA_F(krl, krr,
CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
kll, klr, il, ir, t0, t1);
CAMELLIA_F(kll, klr,
CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
krl, krr, il, ir, t0, t1);
krl ^= w0; krr ^= w1;
CAMELLIA_F(krl, krr,
CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
w0, w1, il, ir, t0, t1);
kll ^= w0; klr ^= w1;
subkey[0] = k0; subkey[1] = k1;
ROL128(15, k0, k1);
subkey[4] = k0; subkey[5] = k1;
ROL128(30, k0, k1);
subkey[10] = k0; subkey[11] = k1;
ROL128(15, k0, k1);
subkey[13] = k1;
ROL128(17, k0, k1);
subkey[16] = k0; subkey[17] = k1;
ROL128(17, k0, k1);
subkey[18] = k0; subkey[19] = k1;
ROL128(17, k0, k1);
subkey[22] = k0; subkey[23] = k1;
/* generate KA. D1 is k0, d2 is k1. */
/* FIXME: Make notation match the spec better. */
/* For the 128-bit case, KR = 0, the construvtion of KA reduces to:
D1 = KL >> 64;
W = KL & MASK64;
D2 = F(D1, Sigma1);
W = D2 ^ W
D1 = F(W, Sigma2)
D2 = D2 ^ F(D1, Sigma3);
D1 = D1 ^ F(D2, Sigma4);
KA = (D1 << 64) | D2;
*/
k0 = subkey[0]; w = subkey[1];
CAMELLIA_F(k0, SIGMA1, k1);
w ^= k1;
CAMELLIA_F(w, SIGMA2, k0);
CAMELLIA_F(k0, SIGMA3, w);
k1 ^= w;
CAMELLIA_F(k1, SIGMA4, w);
k0 ^= w;
/* generate KA dependent subkeys */
subl(2) = kll; subr(2) = klr;
subl(3) = krl; subr(3) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
subl(6) = kll; subr(6) = klr;
subl(7) = krl; subr(7) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
subl(8) = kll; subr(8) = klr;
subl(9) = krl; subr(9) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
subl(12) = kll; subr(12) = klr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
subl(14) = kll; subr(14) = klr;
subl(15) = krl; subr(15) = krr;
CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
subl(20) = kll; subr(20) = klr;
subl(21) = krl; subr(21) = krr;
CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
subl(24) = kll; subr(24) = klr;
subl(25) = krl; subr(25) = krr;
subkey[2] = k0; subkey[3] = k1;
ROL128(15, k0, k1);
subkey[6] = k0; subkey[7] = k1;
ROL128(15, k0, k1);
subkey[8] = k0; subkey[9] = k1;
ROL128(15, k0, k1);
subkey[12] = k0;
ROL128(15, k0, k1);
subkey[14] = k0; subkey[15] = k1;
ROL128(34, k0, k1);
subkey[20] = k0; subkey[21] = k1;
ROL128(17, k0, k1);
subkey[24] = k0; subkey[25] = k1;
/* absorb kw2 to other subkeys */
subl(3) ^= subl(1); subr(3) ^= subr(1);
subl(5) ^= subl(1); subr(5) ^= subr(1);
subl(7) ^= subl(1); subr(7) ^= subr(1);
subl(1) ^= subr(1) & ~subr(9);
dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
subl(11) ^= subl(1); subr(11) ^= subr(1);
subl(13) ^= subl(1); subr(13) ^= subr(1);
subl(15) ^= subl(1); subr(15) ^= subr(1);
subl(1) ^= subr(1) & ~subr(17);
dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
subl(19) ^= subl(1); subr(19) ^= subr(1);
subl(21) ^= subl(1); subr(21) ^= subr(1);
subl(23) ^= subl(1); subr(23) ^= subr(1);
subl(24) ^= subl(1); subr(24) ^= subr(1);
subkey[3] ^= subkey[1];
subkey[5] ^= subkey[1];
subkey[7] ^= subkey[1];
/* FIXME: Is the compiler smart enough to fetch the 32 low bits
and xor the result into the 32 high bits? */
subkey[1] ^= (subkey[1] & ~subkey[9]) << 32;
dw = (subkey[1] & subkey[9]) >> 32; subkey[1] ^= ROL32(1, dw);
subkey[11] ^= subkey[1];
subkey[13] ^= subkey[1];
subkey[15] ^= subkey[1];
subkey[1] ^= (subkey[1] & ~subkey[17]) << 32;
dw = (subkey[1] & subkey[17]) >> 32; subkey[1] ^= ROL32(1, dw);
subkey[19] ^= subkey[1];
subkey[21] ^= subkey[1];
subkey[23] ^= subkey[1];
subkey[24] ^= subkey[1];
/* absorb kw4 to other subkeys */
kw4l = subl(25); kw4r = subr(25);
subl(22) ^= kw4l; subr(22) ^= kw4r;
subl(20) ^= kw4l; subr(20) ^= kw4r;
subl(18) ^= kw4l; subr(18) ^= kw4r;
kw4l ^= kw4r & ~subr(16);
dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
subl(14) ^= kw4l; subr(14) ^= kw4r;
subl(12) ^= kw4l; subr(12) ^= kw4r;
subl(10) ^= kw4l; subr(10) ^= kw4r;
kw4l ^= kw4r & ~subr(8);
dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
subl(6) ^= kw4l; subr(6) ^= kw4r;
subl(4) ^= kw4l; subr(4) ^= kw4r;
subl(2) ^= kw4l; subr(2) ^= kw4r;
subl(0) ^= kw4l; subr(0) ^= kw4r;
kw4 = subkey[25];
subkey[22] ^= kw4;
subkey[20] ^= kw4;
subkey[18] ^= kw4;
kw4 ^= (kw4 & ~subkey[16]) << 32;
dw = (kw4 & subkey[16]) >> 32; kw4 ^= ROL32(1, dw);
subkey[14] ^= kw4;
subkey[12] ^= kw4;
subkey[10] ^= kw4;
kw4 ^= (kw4 & ~subkey[8]) << 32;
dw = (kw4 & subkey[8]) >> 32; kw4 ^= ROL32(1, dw);
subkey[6] ^= kw4;
subkey[4] ^= kw4;
subkey[2] ^= kw4;
subkey[0] ^= kw4;
/* key XOR is end of F-function */
CamelliaSubkeyL(0) = subl(0) ^ subl(2);
CamelliaSubkeyR(0) = subr(0) ^ subr(2);
CamelliaSubkeyL(2) = subl(3);
CamelliaSubkeyR(2) = subr(3);
CamelliaSubkeyL(3) = subl(2) ^ subl(4);
CamelliaSubkeyR(3) = subr(2) ^ subr(4);
CamelliaSubkeyL(4) = subl(3) ^ subl(5);
CamelliaSubkeyR(4) = subr(3) ^ subr(5);
CamelliaSubkeyL(5) = subl(4) ^ subl(6);
CamelliaSubkeyR(5) = subr(4) ^ subr(6);
CamelliaSubkeyL(6) = subl(5) ^ subl(7);
CamelliaSubkeyR(6) = subr(5) ^ subr(7);
tl = subl(10) ^ (subr(10) & ~subr(8));
dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
CamelliaSubkeyL(7) = subl(6) ^ tl;
CamelliaSubkeyR(7) = subr(6) ^ tr;
CamelliaSubkeyL(8) = subl(8);
CamelliaSubkeyR(8) = subr(8);
CamelliaSubkeyL(9) = subl(9);
CamelliaSubkeyR(9) = subr(9);
tl = subl(7) ^ (subr(7) & ~subr(9));
dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
CamelliaSubkeyL(10) = tl ^ subl(11);
CamelliaSubkeyR(10) = tr ^ subr(11);
CamelliaSubkeyL(11) = subl(10) ^ subl(12);
CamelliaSubkeyR(11) = subr(10) ^ subr(12);
CamelliaSubkeyL(12) = subl(11) ^ subl(13);
CamelliaSubkeyR(12) = subr(11) ^ subr(13);
CamelliaSubkeyL(13) = subl(12) ^ subl(14);
CamelliaSubkeyR(13) = subr(12) ^ subr(14);
CamelliaSubkeyL(14) = subl(13) ^ subl(15);
CamelliaSubkeyR(14) = subr(13) ^ subr(15);
tl = subl(18) ^ (subr(18) & ~subr(16));
dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
CamelliaSubkeyL(15) = subl(14) ^ tl;
CamelliaSubkeyR(15) = subr(14) ^ tr;
CamelliaSubkeyL(16) = subl(16);
CamelliaSubkeyR(16) = subr(16);
CamelliaSubkeyL(17) = subl(17);
CamelliaSubkeyR(17) = subr(17);
tl = subl(15) ^ (subr(15) & ~subr(17));
dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
CamelliaSubkeyL(18) = tl ^ subl(19);
CamelliaSubkeyR(18) = tr ^ subr(19);
CamelliaSubkeyL(19) = subl(18) ^ subl(20);
CamelliaSubkeyR(19) = subr(18) ^ subr(20);
CamelliaSubkeyL(20) = subl(19) ^ subl(21);
CamelliaSubkeyR(20) = subr(19) ^ subr(21);
CamelliaSubkeyL(21) = subl(20) ^ subl(22);
CamelliaSubkeyR(21) = subr(20) ^ subr(22);
CamelliaSubkeyL(22) = subl(21) ^ subl(23);
CamelliaSubkeyR(22) = subr(21) ^ subr(23);
CamelliaSubkeyL(23) = subl(22);
CamelliaSubkeyR(23) = subr(22);
CamelliaSubkeyL(24) = subl(24) ^ subl(23);
CamelliaSubkeyR(24) = subr(24) ^ subr(23);
/* apply the inverse of the last half of P-function */
dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
ctx->keys[0] = subkey[0] ^subkey[2];
ctx->keys[2] = subkey[3];
ctx->keys[3] = subkey[2] ^ subkey[4];
ctx->keys[4] = subkey[3] ^ subkey[5];
ctx->keys[5] = subkey[4] ^ subkey[6];
ctx->keys[6] = subkey[5] ^ subkey[7];
tl = (subkey[10] >> 32) ^ (subkey[10] & ~subkey[8]);
dw = tl & (subkey[8] >> 32);
tr = subkey[10] ^ROL32(1, dw);
ctx->keys[7] = subkey[6] ^ ( ((uint64_t) tl << 32) | tr);
ctx->keys[8] = subkey[8];
ctx->keys[9] = subkey[9];
tl = (subkey[7] >> 32) ^ (subkey[7] & ~subkey[9]);
dw = tl & (subkey[9] >> 32);
tr = subkey[7] ^ ROL32(1, dw);
ctx->keys[10] = subkey[11] ^ ( ((uint64_t) tl << 32) | tr);
ctx->keys[11] = subkey[10] ^ subkey[12];
ctx->keys[12] = subkey[11] ^ subkey[13];
ctx->keys[13] = subkey[12] ^ subkey[14];
ctx->keys[14] = subkey[13] ^ subkey[15];
tl = (subkey[18] >> 32) ^ (subkey[18] & ~subkey[16]);
dw = tl & (subkey[16] >> 32);
tr = subkey[18] ^ ROL32(1, dw);
ctx->keys[15] = subkey[14] ^ ( ((uint64_t) tl << 32) | tr);
ctx->keys[16] = subkey[16];
ctx->keys[17] = subkey[17];
tl = (subkey[15] >> 32) ^ (subkey[15] & ~subkey[17]);
dw = tl & (subkey[17] >> 32);
tr = subkey[15] ^ ROL32(1, dw);
ctx->keys[18] = subkey[19] ^ ( ((uint64_t) tl << 32) | tr);
ctx->keys[19] = subkey[18] ^ subkey[20];
ctx->keys[20] = subkey[19] ^ subkey[21];
ctx->keys[21] = subkey[20] ^ subkey[22];
ctx->keys[22] = subkey[21] ^ subkey[23];
ctx->keys[23] = subkey[22];
ctx->keys[24] = subkey[24] ^ subkey[23];
/* apply the inverse of the last half of F-function */
CAMELLIA_F_HALF_INV(ctx->keys[2]);
CAMELLIA_F_HALF_INV(ctx->keys[3]);
CAMELLIA_F_HALF_INV(ctx->keys[4]);
CAMELLIA_F_HALF_INV(ctx->keys[5]);
CAMELLIA_F_HALF_INV(ctx->keys[6]);
CAMELLIA_F_HALF_INV(ctx->keys[7]);
CAMELLIA_F_HALF_INV(ctx->keys[10]);
CAMELLIA_F_HALF_INV(ctx->keys[11]);
CAMELLIA_F_HALF_INV(ctx->keys[12]);
CAMELLIA_F_HALF_INV(ctx->keys[13]);
CAMELLIA_F_HALF_INV(ctx->keys[14]);
CAMELLIA_F_HALF_INV(ctx->keys[15]);
CAMELLIA_F_HALF_INV(ctx->keys[18]);
CAMELLIA_F_HALF_INV(ctx->keys[19]);
CAMELLIA_F_HALF_INV(ctx->keys[20]);
CAMELLIA_F_HALF_INV(ctx->keys[21]);
CAMELLIA_F_HALF_INV(ctx->keys[22]);
CAMELLIA_F_HALF_INV(ctx->keys[23]);
return;
}
static void
camellia_setup256(struct camellia_ctx *ctx, uint32_t *key)
camellia_setup256(struct camellia_ctx *ctx, uint64_t *key)