Add implementation of Camellia #293
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sorairolake
force-pushed
the
feature/camellia
branch
8 times, most recently
from
8b4b032
to
9e332fc
Compare
sorairolake
force-pushed
the
feature/camellia
branch
3 times, most recently
from
cf49c80
to
1c24a92
Compare
|
Thank you for the PR! I will try review it after finishing #284. |
sorairolake
force-pushed
the
feature/camellia
branch
from
1c24a92
to
2fb8420
Compare
|
@newpavlov OK. |
|
@sorairolake sorry we haven't had time to review this. Lots of other things going on and I am not particularly familiar with this cipher. Also curious why you marked it a draft... are you planning on doing more work on it? |
|
@tarcieri Should I move this PR to cipher v0.4? |
|
Aah. Yeah let's circle back after |
sorairolake
force-pushed
the
feature/camellia
branch
from
2fb8420
to
888041f
Compare
|
@sorairolake |
sorairolake
force-pushed
the
feature/camellia
branch
from
888041f
to
ae34253
Compare
|
@tarcieri Migrated to @newpavlov Could you review this? |
tarcieri
reviewed
Mar 27, 2022
camellia/src/camellia.rs
Outdated
Comment on lines
251
to
352
| #[doc = $doc] | ||
| #[derive(Clone)] | ||
| pub struct $name { | ||
| /// Subkeys for key whitening. | ||
| kw: [u64; 4], | ||
| /// Round keys. | ||
| k: [u64; $rounds], | ||
| /// Subkeys for a logical transformation layer. | ||
| ke: [u64; $rounds / 3 - 2], | ||
| } | ||
|
|
||
| impl BlockCipher for $name {} | ||
|
|
||
| impl KeySizeUser for $name { | ||
| type KeySize = $key_size; | ||
| } | ||
|
|
||
| impl fmt::Debug for $name { | ||
| fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { | ||
| f.write_str(concat!(stringify!($name), " { ... }")) | ||
| } | ||
| } | ||
|
|
||
| impl AlgorithmName for $name { | ||
| fn write_alg_name(f: &mut fmt::Formatter<'_>) -> fmt::Result { | ||
| f.write_str(concat!(stringify!($name))) | ||
| } | ||
| } | ||
|
|
||
| #[cfg(feature = "zeroize")] | ||
| #[cfg_attr(docsrs, doc(cfg(feature = "zeroize")))] | ||
| impl Drop for $name { | ||
| fn drop(&mut self){ | ||
| self.kw.zeroize(); | ||
| self.k.zeroize(); | ||
| self.ke.zeroize(); | ||
| } | ||
| } | ||
|
|
||
| #[cfg(feature = "zeroize")] | ||
| #[cfg_attr(docsrs, doc(cfg(feature = "zeroize")))] | ||
| impl ZeroizeOnDrop for $name {} | ||
|
|
||
| cipher::impl_simple_block_encdec!( | ||
| $name, U16, cipher, block, | ||
| encrypt: { | ||
| let b = block.get_in(); | ||
| let mut d1 = u64::from_be_bytes(b[0..8].try_into().unwrap()); | ||
| let mut d2 = u64::from_be_bytes(b[8..16].try_into().unwrap()); | ||
|
|
||
| d1 ^= cipher.kw[0]; | ||
| d2 ^= cipher.kw[1]; | ||
|
|
||
| d2 ^= f(d1, cipher.k[0]); | ||
| d1 ^= f(d2, cipher.k[1]); | ||
| for round in (2..$rounds).step_by(2) { | ||
| if round % 6 == 0 { | ||
| d1 = fl(d1, cipher.ke[round / 3 - 2]); | ||
| d2 = flinv(d2, cipher.ke[round / 3 - 1]); | ||
| } | ||
| d2 ^= f(d1, cipher.k[round]); | ||
| d1 ^= f(d2, cipher.k[round + 1]); | ||
| } | ||
|
|
||
| d2 ^= cipher.kw[2]; | ||
| d1 ^= cipher.kw[3]; | ||
|
|
||
| BE::write_u64_into(&[d2, d1], block.get_out()); | ||
| } | ||
| decrypt: { | ||
| let b = block.get_in(); | ||
| let mut d1 = u64::from_be_bytes(b[0..8].try_into().unwrap()); | ||
| let mut d2 = u64::from_be_bytes(b[8..16].try_into().unwrap()); | ||
|
|
||
| d2 ^= cipher.kw[3]; | ||
| d1 ^= cipher.kw[2]; | ||
|
|
||
| d2 ^= f(d1, cipher.k[$rounds - 1]); | ||
| d1 ^= f(d2, cipher.k[$rounds - 2]); | ||
| for round in (0..$rounds - 2).rev().step_by(2) { | ||
| if (round + 1) % 6 == 0 { | ||
| d1 = fl(d1, cipher.ke[round / 3]); | ||
| d2 = flinv(d2, cipher.ke[round / 3 - 1]); | ||
| } | ||
| d2 ^= f(d1, cipher.k[round]); | ||
| d1 ^= f(d2, cipher.k[round - 1]); | ||
| } | ||
|
|
||
| d1 ^= cipher.kw[1]; | ||
| d2 ^= cipher.kw[0]; | ||
|
|
||
| BE::write_u64_into(&[d2, d1], block.get_out()); | ||
| } | ||
| ); | ||
| }; | ||
| } | ||
|
|
||
| impl_camellia!(Camellia128, 18, U16, "Camellia-128 block cipher instance."); | ||
| impl_camellia!(Camellia192, 24, U24, "Camellia-192 block cipher instance."); | ||
| impl_camellia!(Camellia256, 24, U32, "Camellia-256 block cipher instance."); |
There was a problem hiding this comment.
It seems like this could be impl'd in terms of a generic core type with (const) generic parameters and type aliases for the specific key sizes, rather than using macros.
Likewise it seems like gen_subkeys! could potentially be a function (or rather, two functions) rather than macros.
There was a problem hiding this comment.
gen_subkeys! has been fixed.
tarcieri
reviewed
Mar 27, 2022
Comment on lines
+18
to
+103
| pub const SBOXES: [[u8; 256]; 4] = [ | ||
| // SBOX1 | ||
| [ | ||
| 0x70, 0x82, 0x2c, 0xec, 0xb3, 0x27, 0xc0, 0xe5, 0xe4, 0x85, 0x57, 0x35, 0xea, 0x0c, 0xae, | ||
| 0x41, 0x23, 0xef, 0x6b, 0x93, 0x45, 0x19, 0xa5, 0x21, 0xed, 0x0e, 0x4f, 0x4e, 0x1d, 0x65, | ||
| 0x92, 0xbd, 0x86, 0xb8, 0xaf, 0x8f, 0x7c, 0xeb, 0x1f, 0xce, 0x3e, 0x30, 0xdc, 0x5f, 0x5e, | ||
| 0xc5, 0x0b, 0x1a, 0xa6, 0xe1, 0x39, 0xca, 0xd5, 0x47, 0x5d, 0x3d, 0xd9, 0x01, 0x5a, 0xd6, | ||
| 0x51, 0x56, 0x6c, 0x4d, 0x8b, 0x0d, 0x9a, 0x66, 0xfb, 0xcc, 0xb0, 0x2d, 0x74, 0x12, 0x2b, | ||
| 0x20, 0xf0, 0xb1, 0x84, 0x99, 0xdf, 0x4c, 0xcb, 0xc2, 0x34, 0x7e, 0x76, 0x05, 0x6d, 0xb7, | ||
| 0xa9, 0x31, 0xd1, 0x17, 0x04, 0xd7, 0x14, 0x58, 0x3a, 0x61, 0xde, 0x1b, 0x11, 0x1c, 0x32, | ||
| 0x0f, 0x9c, 0x16, 0x53, 0x18, 0xf2, 0x22, 0xfe, 0x44, 0xcf, 0xb2, 0xc3, 0xb5, 0x7a, 0x91, | ||
| 0x24, 0x08, 0xe8, 0xa8, 0x60, 0xfc, 0x69, 0x50, 0xaa, 0xd0, 0xa0, 0x7d, 0xa1, 0x89, 0x62, | ||
| 0x97, 0x54, 0x5b, 0x1e, 0x95, 0xe0, 0xff, 0x64, 0xd2, 0x10, 0xc4, 0x00, 0x48, 0xa3, 0xf7, | ||
| 0x75, 0xdb, 0x8a, 0x03, 0xe6, 0xda, 0x09, 0x3f, 0xdd, 0x94, 0x87, 0x5c, 0x83, 0x02, 0xcd, | ||
| 0x4a, 0x90, 0x33, 0x73, 0x67, 0xf6, 0xf3, 0x9d, 0x7f, 0xbf, 0xe2, 0x52, 0x9b, 0xd8, 0x26, | ||
| 0xc8, 0x37, 0xc6, 0x3b, 0x81, 0x96, 0x6f, 0x4b, 0x13, 0xbe, 0x63, 0x2e, 0xe9, 0x79, 0xa7, | ||
| 0x8c, 0x9f, 0x6e, 0xbc, 0x8e, 0x29, 0xf5, 0xf9, 0xb6, 0x2f, 0xfd, 0xb4, 0x59, 0x78, 0x98, | ||
| 0x06, 0x6a, 0xe7, 0x46, 0x71, 0xba, 0xd4, 0x25, 0xab, 0x42, 0x88, 0xa2, 0x8d, 0xfa, 0x72, | ||
| 0x07, 0xb9, 0x55, 0xf8, 0xee, 0xac, 0x0a, 0x36, 0x49, 0x2a, 0x68, 0x3c, 0x38, 0xf1, 0xa4, | ||
| 0x40, 0x28, 0xd3, 0x7b, 0xbb, 0xc9, 0x43, 0xc1, 0x15, 0xe3, 0xad, 0xf4, 0x77, 0xc7, 0x80, | ||
| 0x9e, | ||
| ], | ||
| // SBOX2 | ||
| [ | ||
| 0xe0, 0x05, 0x58, 0xd9, 0x67, 0x4e, 0x81, 0xcb, 0xc9, 0x0b, 0xae, 0x6a, 0xd5, 0x18, 0x5d, | ||
| 0x82, 0x46, 0xdf, 0xd6, 0x27, 0x8a, 0x32, 0x4b, 0x42, 0xdb, 0x1c, 0x9e, 0x9c, 0x3a, 0xca, | ||
| 0x25, 0x7b, 0x0d, 0x71, 0x5f, 0x1f, 0xf8, 0xd7, 0x3e, 0x9d, 0x7c, 0x60, 0xb9, 0xbe, 0xbc, | ||
| 0x8b, 0x16, 0x34, 0x4d, 0xc3, 0x72, 0x95, 0xab, 0x8e, 0xba, 0x7a, 0xb3, 0x02, 0xb4, 0xad, | ||
| 0xa2, 0xac, 0xd8, 0x9a, 0x17, 0x1a, 0x35, 0xcc, 0xf7, 0x99, 0x61, 0x5a, 0xe8, 0x24, 0x56, | ||
| 0x40, 0xe1, 0x63, 0x09, 0x33, 0xbf, 0x98, 0x97, 0x85, 0x68, 0xfc, 0xec, 0x0a, 0xda, 0x6f, | ||
| 0x53, 0x62, 0xa3, 0x2e, 0x08, 0xaf, 0x28, 0xb0, 0x74, 0xc2, 0xbd, 0x36, 0x22, 0x38, 0x64, | ||
| 0x1e, 0x39, 0x2c, 0xa6, 0x30, 0xe5, 0x44, 0xfd, 0x88, 0x9f, 0x65, 0x87, 0x6b, 0xf4, 0x23, | ||
| 0x48, 0x10, 0xd1, 0x51, 0xc0, 0xf9, 0xd2, 0xa0, 0x55, 0xa1, 0x41, 0xfa, 0x43, 0x13, 0xc4, | ||
| 0x2f, 0xa8, 0xb6, 0x3c, 0x2b, 0xc1, 0xff, 0xc8, 0xa5, 0x20, 0x89, 0x00, 0x90, 0x47, 0xef, | ||
| 0xea, 0xb7, 0x15, 0x06, 0xcd, 0xb5, 0x12, 0x7e, 0xbb, 0x29, 0x0f, 0xb8, 0x07, 0x04, 0x9b, | ||
| 0x94, 0x21, 0x66, 0xe6, 0xce, 0xed, 0xe7, 0x3b, 0xfe, 0x7f, 0xc5, 0xa4, 0x37, 0xb1, 0x4c, | ||
| 0x91, 0x6e, 0x8d, 0x76, 0x03, 0x2d, 0xde, 0x96, 0x26, 0x7d, 0xc6, 0x5c, 0xd3, 0xf2, 0x4f, | ||
| 0x19, 0x3f, 0xdc, 0x79, 0x1d, 0x52, 0xeb, 0xf3, 0x6d, 0x5e, 0xfb, 0x69, 0xb2, 0xf0, 0x31, | ||
| 0x0c, 0xd4, 0xcf, 0x8c, 0xe2, 0x75, 0xa9, 0x4a, 0x57, 0x84, 0x11, 0x45, 0x1b, 0xf5, 0xe4, | ||
| 0x0e, 0x73, 0xaa, 0xf1, 0xdd, 0x59, 0x14, 0x6c, 0x92, 0x54, 0xd0, 0x78, 0x70, 0xe3, 0x49, | ||
| 0x80, 0x50, 0xa7, 0xf6, 0x77, 0x93, 0x86, 0x83, 0x2a, 0xc7, 0x5b, 0xe9, 0xee, 0x8f, 0x01, | ||
| 0x3d, | ||
| ], | ||
| // SBOX3 | ||
| [ | ||
| 0x38, 0x41, 0x16, 0x76, 0xd9, 0x93, 0x60, 0xf2, 0x72, 0xc2, 0xab, 0x9a, 0x75, 0x06, 0x57, | ||
| 0xa0, 0x91, 0xf7, 0xb5, 0xc9, 0xa2, 0x8c, 0xd2, 0x90, 0xf6, 0x07, 0xa7, 0x27, 0x8e, 0xb2, | ||
| 0x49, 0xde, 0x43, 0x5c, 0xd7, 0xc7, 0x3e, 0xf5, 0x8f, 0x67, 0x1f, 0x18, 0x6e, 0xaf, 0x2f, | ||
| 0xe2, 0x85, 0x0d, 0x53, 0xf0, 0x9c, 0x65, 0xea, 0xa3, 0xae, 0x9e, 0xec, 0x80, 0x2d, 0x6b, | ||
| 0xa8, 0x2b, 0x36, 0xa6, 0xc5, 0x86, 0x4d, 0x33, 0xfd, 0x66, 0x58, 0x96, 0x3a, 0x09, 0x95, | ||
| 0x10, 0x78, 0xd8, 0x42, 0xcc, 0xef, 0x26, 0xe5, 0x61, 0x1a, 0x3f, 0x3b, 0x82, 0xb6, 0xdb, | ||
| 0xd4, 0x98, 0xe8, 0x8b, 0x02, 0xeb, 0x0a, 0x2c, 0x1d, 0xb0, 0x6f, 0x8d, 0x88, 0x0e, 0x19, | ||
| 0x87, 0x4e, 0x0b, 0xa9, 0x0c, 0x79, 0x11, 0x7f, 0x22, 0xe7, 0x59, 0xe1, 0xda, 0x3d, 0xc8, | ||
| 0x12, 0x04, 0x74, 0x54, 0x30, 0x7e, 0xb4, 0x28, 0x55, 0x68, 0x50, 0xbe, 0xd0, 0xc4, 0x31, | ||
| 0xcb, 0x2a, 0xad, 0x0f, 0xca, 0x70, 0xff, 0x32, 0x69, 0x08, 0x62, 0x00, 0x24, 0xd1, 0xfb, | ||
| 0xba, 0xed, 0x45, 0x81, 0x73, 0x6d, 0x84, 0x9f, 0xee, 0x4a, 0xc3, 0x2e, 0xc1, 0x01, 0xe6, | ||
| 0x25, 0x48, 0x99, 0xb9, 0xb3, 0x7b, 0xf9, 0xce, 0xbf, 0xdf, 0x71, 0x29, 0xcd, 0x6c, 0x13, | ||
| 0x64, 0x9b, 0x63, 0x9d, 0xc0, 0x4b, 0xb7, 0xa5, 0x89, 0x5f, 0xb1, 0x17, 0xf4, 0xbc, 0xd3, | ||
| 0x46, 0xcf, 0x37, 0x5e, 0x47, 0x94, 0xfa, 0xfc, 0x5b, 0x97, 0xfe, 0x5a, 0xac, 0x3c, 0x4c, | ||
| 0x03, 0x35, 0xf3, 0x23, 0xb8, 0x5d, 0x6a, 0x92, 0xd5, 0x21, 0x44, 0x51, 0xc6, 0x7d, 0x39, | ||
| 0x83, 0xdc, 0xaa, 0x7c, 0x77, 0x56, 0x05, 0x1b, 0xa4, 0x15, 0x34, 0x1e, 0x1c, 0xf8, 0x52, | ||
| 0x20, 0x14, 0xe9, 0xbd, 0xdd, 0xe4, 0xa1, 0xe0, 0x8a, 0xf1, 0xd6, 0x7a, 0xbb, 0xe3, 0x40, | ||
| 0x4f, | ||
| ], | ||
| // SBOX4 | ||
| [ | ||
| 0x70, 0x2c, 0xb3, 0xc0, 0xe4, 0x57, 0xea, 0xae, 0x23, 0x6b, 0x45, 0xa5, 0xed, 0x4f, 0x1d, | ||
| 0x92, 0x86, 0xaf, 0x7c, 0x1f, 0x3e, 0xdc, 0x5e, 0x0b, 0xa6, 0x39, 0xd5, 0x5d, 0xd9, 0x5a, | ||
| 0x51, 0x6c, 0x8b, 0x9a, 0xfb, 0xb0, 0x74, 0x2b, 0xf0, 0x84, 0xdf, 0xcb, 0x34, 0x76, 0x6d, | ||
| 0xa9, 0xd1, 0x04, 0x14, 0x3a, 0xde, 0x11, 0x32, 0x9c, 0x53, 0xf2, 0xfe, 0xcf, 0xc3, 0x7a, | ||
| 0x24, 0xe8, 0x60, 0x69, 0xaa, 0xa0, 0xa1, 0x62, 0x54, 0x1e, 0xe0, 0x64, 0x10, 0x00, 0xa3, | ||
| 0x75, 0x8a, 0xe6, 0x09, 0xdd, 0x87, 0x83, 0xcd, 0x90, 0x73, 0xf6, 0x9d, 0xbf, 0x52, 0xd8, | ||
| 0xc8, 0xc6, 0x81, 0x6f, 0x13, 0x63, 0xe9, 0xa7, 0x9f, 0xbc, 0x29, 0xf9, 0x2f, 0xb4, 0x78, | ||
| 0x06, 0xe7, 0x71, 0xd4, 0xab, 0x88, 0x8d, 0x72, 0xb9, 0xf8, 0xac, 0x36, 0x2a, 0x3c, 0xf1, | ||
| 0x40, 0xd3, 0xbb, 0x43, 0x15, 0xad, 0x77, 0x80, 0x82, 0xec, 0x27, 0xe5, 0x85, 0x35, 0x0c, | ||
| 0x41, 0xef, 0x93, 0x19, 0x21, 0x0e, 0x4e, 0x65, 0xbd, 0xb8, 0x8f, 0xeb, 0xce, 0x30, 0x5f, | ||
| 0xc5, 0x1a, 0xe1, 0xca, 0x47, 0x3d, 0x01, 0xd6, 0x56, 0x4d, 0x0d, 0x66, 0xcc, 0x2d, 0x12, | ||
| 0x20, 0xb1, 0x99, 0x4c, 0xc2, 0x7e, 0x05, 0xb7, 0x31, 0x17, 0xd7, 0x58, 0x61, 0x1b, 0x1c, | ||
| 0x0f, 0x16, 0x18, 0x22, 0x44, 0xb2, 0xb5, 0x91, 0x08, 0xa8, 0xfc, 0x50, 0xd0, 0x7d, 0x89, | ||
| 0x97, 0x5b, 0x95, 0xff, 0xd2, 0xc4, 0x48, 0xf7, 0xdb, 0x03, 0xda, 0x3f, 0x94, 0x5c, 0x02, | ||
| 0x4a, 0x33, 0x67, 0xf3, 0x7f, 0xe2, 0x9b, 0x26, 0x37, 0x3b, 0x96, 0x4b, 0xbe, 0x2e, 0x79, | ||
| 0x8c, 0x6e, 0x8e, 0xf5, 0xb6, 0xfd, 0x59, 0x98, 0x6a, 0x46, 0xba, 0x25, 0x42, 0xa2, 0xfa, | ||
| 0x07, 0x55, 0xee, 0x0a, 0x49, 0x68, 0x38, 0xa4, 0x28, 0x7b, 0xc9, 0xc1, 0xe3, 0xf4, 0xc7, | ||
| 0x9e, | ||
| ], | ||
| ]; |
There was a problem hiding this comment.
Since this is using lookup tables rather than bitslicing, it would probably be good to change the security warning language in README.md to note that it is NOT constant time because it's using LUTs.
|
Left a few notes. I think this is generally fine but this is not a cipher I'm particularly familiar with so take my review with a grain of salt. |
sorairolake
force-pushed
the
feature/camellia
branch
from
ae34253
to
f730dc4
Compare
|
Going to go ahead and merge this. I think it's acceptable as an initial spike. I can follow-up on some of my other comments. |
|
@newpavlov When will this be released? |
|
Oh, sorry. I haven't done the release for some reason after the merge... I will do it right away. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is implemented based on RFC 3713 and refer to Botan.
Test vectors are from NESSIE, and tested on all three key sizes of Camellia.
This partially solves #1.