// mars.cpp - modified by Sean Woods from Brian Gladman's mars6.c for Crypto++
// key setup updated by Wei Dai to reflect IBM's "tweak" proposed in August 1999
3
/* This is an independent implementation of the MARS encryption         */
/* algorithm designed by a team at IBM as a candidate for the US        */
/* NIST Advanced Encryption Standard (AES) effort. The algorithm        */
/* is subject to Patent action by IBM, who intend to offer royalty      */
/* free use if a Patent is granted.                                     */
/*                                                                      */
/* Copyright in this implementation is held by Dr B R Gladman but       */
/* I hereby give permission for its free direct or derivative use       */
/* subject to acknowledgment of its origin and compliance with any      */
/* constraints that IBM place on the use of the MARS algorithm.         */
/*                                                                      */
/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 4th October 1998      */
16
17#include "pch.h"
18#include "mars.h"
19#include "misc.h"
20
21NAMESPACE_BEGIN(CryptoPP)
22
ANONYMOUS_NAMESPACE_BEGIN
// Builds the bit mask that UncheckedSetKey applies when it adjusts the
// odd-indexed (multiplication) key words.
//
// The mask marks the interior bits of every run of ten or more equal
// consecutive bits in x. The two lowest bits are always cleared.
// Returns 0 when x contains no such run.
static word32 gen_mask(word32 x)
{
	// Bit i is set when bits i and i+1 of x are equal; bit 31 has no upper
	// neighbour and is masked off.
	word32 runs = (~x ^ (x >> 1)) & 0x7fffffff;

	// Keep only positions that start 4 equal bits, then only those that
	// start 10 equal bits.
	runs &= (runs >> 1) & (runs >> 2);
	runs &= (runs >> 3) & (runs >> 6);

	if (runs == 0)
		return 0;

	// Move each start marker up one bit and smear it across eight positions,
	// covering the run's interior but not its two end bits.
	runs <<= 1;
	runs |= (runs << 1);
	runs |= (runs << 2);
	runs |= (runs << 4);

	// Bit 31 is added only when bit 30 is already marked and x has bit 31 clear.
	runs |= (runs << 1) & ~x & 0x80000000;

	return runs & 0xfffffffc;
}
NAMESPACE_END
40
// Expands the user key into the key schedule EK[0..39].
//
// userKey/length: raw key bytes and their count. The length is only checked
// through AssertValidKeyLength here.
// NOTE(review): T[length/4] is in bounds only for length <= 56; presumably the
// caller has already rejected other lengths before this "unchecked" entry
// point is reached - confirm against SetKey.
// NOTE(review): Sbox is indexed with key-derived words throughout, so lookup
// timing may depend on key material on platforms with data caches.
void MARS::Base::UncheckedSetKey(const byte *userKey, unsigned int length, const NameValuePairs &)
{
	AssertValidKeyLength(length);

	// T[] is the 15-word working buffer: the key words are loaded little-endian
	// and the word after them is set to the key length in words.
	// T is a FixedSizeSecBlock; presumably it is wiped on destruction - confirm.
	const unsigned int keyWords = length/4;
	FixedSizeSecBlock<word32, 15> T;
	GetUserKey(LITTLE_ENDIAN_ORDER, T.begin(), 15, userKey, length);
	T[keyWords] = keyWords;

	for (unsigned int pass = 0; pass < 4; ++pass)	// each pass yields 10 words of EK[]
	{
		// Linear transformation, updated in place so later words see earlier results
		for (unsigned int n = 0; n < 15; ++n)
		{
			const word32 mixed = rotlFixed(T[(n+8)%15] ^ T[(n+13)%15], 3);
			T[n] ^= mixed ^ (4*n + pass);
		}

		// Four stirring rounds: add an S-box entry chosen by the previous word, rotate by 9
		for (unsigned int round = 0; round < 4; ++round)
		{
			for (unsigned int n = 0; n < 15; ++n)
			{
				const word32 previous = T[(n+14)%15];
				T[n] = rotlFixed(T[n] + Sbox[previous % 512], 9);
			}
		}

		// Copy the next 10 key words out of T[] in steps of four (mod 15)
		for (unsigned int n = 0; n < 10; ++n)
			EK[10*pass + n] = T[(4*n) % 15];
	}

	// Adjust the multiplication key words EK[5], EK[7], ..., EK[35]
	for (unsigned int idx = 5; idx < 37; idx += 2)
	{
		const word32 original = EK[idx];
		word32 adjusted = original | 3;		// force the two low bits to 1
		const word32 mask = gen_mask(adjusted);
		if (mask != 0)
		{
			// XOR a rotated fixed S-box word into the masked positions only
			adjusted ^= rotlMod(Sbox[265 + (original & 3)], EK[idx-1]) & mask;
		}
		EK[idx] = adjusted;
	}
}
77
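// Forward mixing step. The four bytes of `a` select entries from the two
// 256-entry halves of Sbox, which are XORed/added into b, c and d; `a` itself
// ends up rotated right by 24 bits.
// Requires a word32 scratch variable named `r` in the caller's scope.
// Wrapped in do/while(0) with parenthesised arguments so the macro expands to
// a single statement and is safe under an unbraced if/else.
#define f_mix(a,b,c,d)						\
	do {									\
		r = rotrFixed((a), 8);				\
		(b) ^= Sbox[(a) & 255];				\
		(b) += Sbox[(r & 255) + 256];		\
		r = rotrFixed((a), 16);				\
		(a) = rotrFixed((a), 24);			\
		(c) += Sbox[r & 255];				\
		(d) ^= Sbox[((a) & 255) + 256];		\
	} while (0)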
86
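// Backward mixing step. The four bytes of `a` select entries from the two
// 256-entry halves of Sbox, which are XORed/subtracted into b, c and d; `a`
// itself ends up rotated left by 24 bits.
// Requires a word32 scratch variable named `r` in the caller's scope.
// Wrapped in do/while(0) with parenthesised arguments so the macro expands to
// a single statement and is safe under an unbraced if/else.
#define b_mix(a,b,c,d)						\
	do {									\
		r = rotlFixed((a), 8);				\
		(b) ^= Sbox[((a) & 255) + 256];		\
		(c) -= Sbox[r & 255];				\
		r = rotlFixed((a), 16);				\
		(a) = rotlFixed((a), 24);			\
		(d) -= Sbox[(r & 255) + 256];		\
		(d) ^= Sbox[(a) & 255];				\
	} while (0)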
95
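// Forward keyed transformation using the key-word pair EK[i] (added) and
// EK[i+1] (multiplied). `a` is rotated left by 13; b, c and d are updated
// from the S-box lookup and the data-dependent rotations.
// Requires word32 scratch variables `l`, `m` and `r` in the caller's scope.
// NOTE(review): the rotation amounts and the Sbox index depend on the data
// and key, so this step is not constant-time on every platform.
// Wrapped in do/while(0) with parenthesised arguments so the macro expands to
// a single statement and an expression passed as `i` keeps its precedence.
#define f_ktr(a,b,c,d,i)				\
	do {								\
		m = (a) + EK[(i)];				\
		(a) = rotlFixed((a), 13);		\
		r = (a) * EK[(i) + 1];			\
		l = Sbox[m & 511];				\
		r = rotlFixed(r, 5);			\
		l ^= r;							\
		(c) += rotlMod(m, r);			\
		r = rotlFixed(r, 5);			\
		l ^= r;							\
		(d) ^= r;						\
		(b) += rotlMod(l, r);			\
	} while (0)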
108
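// Reverse keyed transformation: undoes f_ktr for the same key-word pair
// EK[i] / EK[i+1]. `a` is rotated right by 13 and the contributions to
// b, c and d are subtracted/XORed back out.
// Requires word32 scratch variables `l`, `m` and `r` in the caller's scope.
// NOTE(review): the rotation amounts and the Sbox index depend on the data
// and key, so this step is not constant-time on every platform.
// Wrapped in do/while(0) with parenthesised arguments so the macro expands to
// a single statement and an expression passed as `i` keeps its precedence.
#define r_ktr(a,b,c,d,i)				\
	do {								\
		r = (a) * EK[(i) + 1];			\
		(a) = rotrFixed((a), 13);		\
		m = (a) + EK[(i)];				\
		l = Sbox[m & 511];				\
		r = rotlFixed(r, 5);			\
		l ^= r;							\
		(c) -= rotlMod(m, r);			\
		r = rotlFixed(r, 5);			\
		l ^= r;							\
		(d) ^= r;						\
		(b) -= rotlMod(l, r);			\
	} while (0)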
121
// Helper used by both ProcessAndXorBlock implementations to read and write the
// block as word32 values, with LittleEndian selected as the byte order.
typedef BlockGetAndPut<word32, LittleEndian> Block;
123
// Encrypts one block from inBlock and hands the result to Block::Put together
// with xorBlock and outBlock.
//
// Phases: add EK[0..3], two passes of forward mixing, sixteen keyed
// transformations using EK[4..35], two passes of backward mixing, then
// subtract EK[36..39].
// NOTE(review): Sbox lookups and rotation amounts inside the macros depend on
// the block and key, so timing may vary with secret data; the working words
// are plain locals and are not cleared before returning.
void MARS::Enc::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
{
	// l, m and r are scratch words that the f_mix/f_ktr/b_mix macros use by name.
	word32 a, b, c, d, l, m, r;

	Block::Get(inBlock)(a)(b)(c)(d);

	// Key addition on input
	a += EK[0];
	b += EK[1];
	c += EK[2];
	d += EK[3];

	// Forward mixing
	for (int pass = 0; pass < 2; ++pass)
	{
		f_mix(a,b,c,d);
		a += d;
		f_mix(b,c,d,a);
		b += c;
		f_mix(c,d,a,b);
		f_mix(d,a,b,c);
	}

	// Keyed core, first eight rounds
	f_ktr(a,b,c,d, 4);
	f_ktr(b,c,d,a, 6);
	f_ktr(c,d,a,b, 8);
	f_ktr(d,a,b,c,10);
	f_ktr(a,b,c,d,12);
	f_ktr(b,c,d,a,14);
	f_ktr(c,d,a,b,16);
	f_ktr(d,a,b,c,18);

	// Keyed core, last eight rounds (second and fourth operands swapped)
	f_ktr(a,d,c,b,20);
	f_ktr(b,a,d,c,22);
	f_ktr(c,b,a,d,24);
	f_ktr(d,c,b,a,26);
	f_ktr(a,d,c,b,28);
	f_ktr(b,a,d,c,30);
	f_ktr(c,b,a,d,32);
	f_ktr(d,c,b,a,34);

	// Backward mixing
	for (int pass = 0; pass < 2; ++pass)
	{
		b_mix(a,b,c,d);
		b_mix(b,c,d,a);
		c -= b;
		b_mix(c,d,a,b);
		d -= a;
		b_mix(d,a,b,c);
	}

	// Key subtraction on output
	a -= EK[36];
	b -= EK[37];
	c -= EK[38];
	d -= EK[39];

	Block::Put(xorBlock, outBlock)(a)(b)(c)(d);
}
166
// Decrypts one block from inBlock and hands the result to Block::Put together
// with xorBlock and outBlock.
//
// The block words are loaded and stored in reverse register order (d, c, b, a).
// Phases: add EK[36..39], two passes of f_mix, sixteen reverse keyed
// transformations walking EK[34..4] downwards, two passes of b_mix, then
// subtract EK[0..3].
// NOTE(review): Sbox lookups and rotation amounts inside the macros depend on
// the block and key, so timing may vary with secret data; the working words
// are plain locals and are not cleared before returning.
void MARS::Dec::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
{
	// l, m and r are scratch words that the f_mix/r_ktr/b_mix macros use by name.
	word32 a, b, c, d, l, m, r;

	Block::Get(inBlock)(d)(c)(b)(a);

	// Re-add the output key words
	d += EK[36];
	c += EK[37];
	b += EK[38];
	a += EK[39];

	for (int pass = 0; pass < 2; ++pass)
	{
		f_mix(a,b,c,d);
		a += d;
		f_mix(b,c,d,a);
		b += c;
		f_mix(c,d,a,b);
		f_mix(d,a,b,c);
	}

	// Reverse keyed core, first eight rounds
	r_ktr(a,b,c,d,34);
	r_ktr(b,c,d,a,32);
	r_ktr(c,d,a,b,30);
	r_ktr(d,a,b,c,28);
	r_ktr(a,b,c,d,26);
	r_ktr(b,c,d,a,24);
	r_ktr(c,d,a,b,22);
	r_ktr(d,a,b,c,20);

	// Reverse keyed core, last eight rounds (second and fourth operands swapped)
	r_ktr(a,d,c,b,18);
	r_ktr(b,a,d,c,16);
	r_ktr(c,b,a,d,14);
	r_ktr(d,c,b,a,12);
	r_ktr(a,d,c,b,10);
	r_ktr(b,a,d,c, 8);
	r_ktr(c,b,a,d, 6);
	r_ktr(d,c,b,a, 4);

	for (int pass = 0; pass < 2; ++pass)
	{
		b_mix(a,b,c,d);
		b_mix(b,c,d,a);
		c -= b;
		b_mix(c,d,a,b);
		d -= a;
		b_mix(d,a,b,c);
	}

	// Remove the input key words
	d -= EK[0];
	c -= EK[1];
	b -= EK[2];
	a -= EK[3];

	Block::Put(xorBlock, outBlock)(d)(c)(b)(a);
}
209
210NAMESPACE_END
211