Crypto++  7.0
Free C++ class library of cryptographic schemes
poly1305.cpp
1 // poly1305.cpp - written and placed in the public domain by Jeffrey Walton and Jean-Pierre Munch
2 // Based on Andy Polyakov's Base-2^26 scalar multiplication implementation for OpenSSL.
3 
4 #include "pch.h"
5 #include "cryptlib.h"
6 #include "aes.h"
7 #include "cpu.h"
8 #include "poly1305.h"
9 
10 NAMESPACE_BEGIN(CryptoPP)
11 
12 #define CONSTANT_TIME_CARRY(a,b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
13 
14 template <class T>
15 void Poly1305_Base<T>::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params)
16 {
17  if (key && length)
18  {
19  // key is {k,r} pair, r is 16 bytes
20  length = SaturatingSubtract(length, (unsigned)BLOCKSIZE);
21  m_cipher.SetKey(key, length);
22  key += length;
23 
24  // Rbar is clamped and little endian
25  m_r[0] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, key + 0) & 0x0fffffff;
26  m_r[1] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, key + 4) & 0x0ffffffc;
27  m_r[2] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, key + 8) & 0x0ffffffc;
28  m_r[3] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, key + 12) & 0x0ffffffc;
29 
30  m_used = false;
31  }
32 
34  if (params.GetValue(Name::IV(), t) && t.begin() && t.size())
35  {
36  // Nonce key is a class member to avoid the zeroizer on a temporary
37  CRYPTOPP_ASSERT(t.size() == m_nk.size());
38  std::memcpy(m_nk.begin(), t.begin(), m_nk.size());
39  m_cipher.ProcessBlock(m_nk.begin());
40 
41  m_n[0] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, m_nk + 0);
42  m_n[1] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, m_nk + 4);
43  m_n[2] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, m_nk + 8);
44  m_n[3] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, m_nk + 12);
45 
46  m_used = false;
47  }
48 
49  Restart();
50 }
51 
52 template <class T>
53 void Poly1305_Base<T>::Update(const byte *input, size_t length)
54 {
55  CRYPTOPP_ASSERT((input && length) || !length);
56  if (!length) return;
57 
58  size_t rem, num = m_idx;
59  if (num)
60  {
61  rem = BLOCKSIZE - num;
62  if (length >= rem)
63  {
64  // Process
65  memcpy_s(m_acc + num, BLOCKSIZE - num, input, rem);
66  HashBlocks(m_acc, BLOCKSIZE, 1);
67  input += rem;
68  length -= rem;
69  }
70  else
71  {
72  // Accumulate
73  memcpy_s(m_acc + num, BLOCKSIZE - num, input, length);
74  m_idx = num + length;
75  return;
76  }
77  }
78 
79  rem = length % BLOCKSIZE;
80  length -= rem;
81 
82  if (length >= BLOCKSIZE) {
83  HashBlocks(input, length, 1);
84  input += length;
85  }
86 
87  if (rem)
88  memcpy(m_acc, input, rem);
89 
90  m_idx = rem;
91 }
92 
93 template <class T>
94 void Poly1305_Base<T>::HashBlocks(const byte *input, size_t length, word32 padbit)
95 {
96  word32 r0, r1, r2, r3;
97  word32 s1, s2, s3;
98  word32 h0, h1, h2, h3, h4, c;
99  word64 d0, d1, d2, d3;
100 
101  r0 = m_r[0]; r1 = m_r[1];
102  r2 = m_r[2]; r3 = m_r[3];
103 
104  s1 = r1 + (r1 >> 2);
105  s2 = r2 + (r2 >> 2);
106  s3 = r3 + (r3 >> 2);
107 
108  h0 = m_h[0]; h1 = m_h[1]; h2 = m_h[2];
109  h3 = m_h[3]; h4 = m_h[4];
110 
111  while (length >= BLOCKSIZE)
112  {
113  // h += m[i]
114  h0 = (word32)(d0 = (word64)h0 + GetWord<word32>(false, LITTLE_ENDIAN_ORDER, input + 0));
115  h1 = (word32)(d1 = (word64)h1 + (d0 >> 32) + GetWord<word32>(false, LITTLE_ENDIAN_ORDER, input + 4));
116  h2 = (word32)(d2 = (word64)h2 + (d1 >> 32) + GetWord<word32>(false, LITTLE_ENDIAN_ORDER, input + 8));
117  h3 = (word32)(d3 = (word64)h3 + (d2 >> 32) + GetWord<word32>(false, LITTLE_ENDIAN_ORDER, input + 12));
118  h4 += (word32)(d3 >> 32) + padbit;
119 
120  // h *= r "%" p
121  d0 = ((word64)h0 * r0) +
122  ((word64)h1 * s3) +
123  ((word64)h2 * s2) +
124  ((word64)h3 * s1);
125  d1 = ((word64)h0 * r1) +
126  ((word64)h1 * r0) +
127  ((word64)h2 * s3) +
128  ((word64)h3 * s2) +
129  (h4 * s1);
130  d2 = ((word64)h0 * r2) +
131  ((word64)h1 * r1) +
132  ((word64)h2 * r0) +
133  ((word64)h3 * s3) +
134  (h4 * s2);
135  d3 = ((word64)h0 * r3) +
136  ((word64)h1 * r2) +
137  ((word64)h2 * r1) +
138  ((word64)h3 * r0) +
139  (h4 * s3);
140  h4 = (h4 * r0);
141 
142  // a) h4:h0 = h4<<128 + d3<<96 + d2<<64 + d1<<32 + d0
143  h0 = (word32)d0;
144  h1 = (word32)(d1 += d0 >> 32);
145  h2 = (word32)(d2 += d1 >> 32);
146  h3 = (word32)(d3 += d2 >> 32);
147  h4 += (word32)(d3 >> 32);
148 
149  // b) (h4:h0 += (h4:h0>>130) * 5) %= 2^130
150  c = (h4 >> 2) + (h4 & ~3U);
151  h4 &= 3;
152  h0 += c;
153  h1 += (c = CONSTANT_TIME_CARRY(h0,c));
154  h2 += (c = CONSTANT_TIME_CARRY(h1,c));
155  h3 += (c = CONSTANT_TIME_CARRY(h2,c));
156  h4 += CONSTANT_TIME_CARRY(h3,c);
157 
158  input += BLOCKSIZE;
159  length -= BLOCKSIZE;
160  }
161 
162  m_h[0] = h0; m_h[1] = h1; m_h[2] = h2;
163  m_h[3] = h3; m_h[4] = h4;
164 }
165 
166 template <class T>
167 void Poly1305_Base<T>::TruncatedFinal(byte *mac, size_t size)
168 {
169  CRYPTOPP_ASSERT(mac); // Pointer is valid
170  CRYPTOPP_ASSERT(!m_used); // Nonce is fresh
171 
172  ThrowIfInvalidTruncatedSize(size);
173 
174  size_t num = m_idx;
175  if (num)
176  {
177  m_acc[num++] = 1; /* pad bit */
178  while (num < BLOCKSIZE)
179  m_acc[num++] = 0;
180  HashBlocks(m_acc, BLOCKSIZE, 0);
181  }
182 
183  HashFinal(mac, size);
184 
185  // Restart
186  m_used = true;
187  Restart();
188 }
189 
190 template <class T>
191 void Poly1305_Base<T>::HashFinal(byte *mac, size_t size)
192 {
193  word32 h0, h1, h2, h3, h4;
194  word32 g0, g1, g2, g3, g4;
195  word32 mask;
196  word64 t;
197 
198  h0 = m_h[0];
199  h1 = m_h[1];
200  h2 = m_h[2];
201  h3 = m_h[3];
202  h4 = m_h[4];
203 
204  // compare to modulus by computing h + -p
205  g0 = (word32)(t = (word64)h0 + 5);
206  g1 = (word32)(t = (word64)h1 + (t >> 32));
207  g2 = (word32)(t = (word64)h2 + (t >> 32));
208  g3 = (word32)(t = (word64)h3 + (t >> 32));
209  g4 = h4 + (word32)(t >> 32);
210 
211  // if there was carry into 131st bit, h3:h0 = g3:g0
212  mask = 0 - (g4 >> 2);
213  g0 &= mask; g1 &= mask;
214  g2 &= mask; g3 &= mask;
215  mask = ~mask;
216  h0 = (h0 & mask) | g0; h1 = (h1 & mask) | g1;
217  h2 = (h2 & mask) | g2; h3 = (h3 & mask) | g3;
218 
219  // mac = (h + nonce) % (2^128)
220  h0 = (word32)(t = (word64)h0 + m_n[0]);
221  h1 = (word32)(t = (word64)h1 + (t >> 32) + m_n[1]);
222  h2 = (word32)(t = (word64)h2 + (t >> 32) + m_n[2]);
223  h3 = (word32)(t = (word64)h3 + (t >> 32) + m_n[3]);
224 
225  if (size >= BLOCKSIZE)
226  {
227  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, mac + 0, h0);
228  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, mac + 4, h1);
229  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, mac + 8, h2);
230  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, mac + 12, h3);
231  }
232  else
233  {
235  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, m + 0, h0);
236  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, m + 4, h1);
237  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, m + 8, h2);
238  PutWord<word32>(false, LITTLE_ENDIAN_ORDER, m + 12, h3);
239  memcpy(mac, m, size);
240  }
241 }
242 
243 template <class T>
244 void Poly1305_Base<T>::Resynchronize(const byte *nonce, int nonceLength)
245 {
246  CRYPTOPP_ASSERT(nonceLength == -1 || nonceLength == (int)BLOCKSIZE);
247  nonceLength == -1 ? nonceLength = BLOCKSIZE : nonceLength;
248  this->UncheckedSetKey(NULLPTR, 0, MakeParameters(Name::IV(), ConstByteArrayParameter(nonce, nonceLength)));
249 }
250 
251 template <class T>
253 {
254  rng.GenerateBlock(iv, BLOCKSIZE);
255 }
256 
257 template <class T>
259 {
260  m_h[0] = m_h[1] = m_h[2] = m_h[3] = m_h[4] = 0;
261  // m_r[0] = m_r[1] = m_r[2] = m_r[3] = 0;
262  m_idx = 0;
263 }
264 
265 template class Poly1305_Base<AES>;
266 template class Poly1305<AES>;
267 
268 NAMESPACE_END
Used to pass byte array input as part of a NameValuePairs object.
Definition: algparam.h:20
Poly1305 message authentication code base class.
Definition: poly1305.h:59
virtual void GenerateBlock(byte *output, size_t size)
Generate random array of bytes.
Definition: cryptlib.cpp:317
size_t size() const
Length of the memory block.
Definition: algparam.h:84
Abstract base classes that provide a uniform interface to this library.
void memcpy_s(void *dest, size_t sizeInBytes, const void *src, size_t count)
Bounds checking replacement for memcpy()
Definition: misc.h:383
void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params)
Sets the key for this object without performing parameter validation.
Definition: poly1305.cpp:15
Interface for random number generators.
Definition: cryptlib.h:1330
byte order is little-endian
Definition: cryptlib.h:142
void TruncatedFinal(byte *mac, size_t size)
Computes the hash of the current message.
Definition: poly1305.cpp:167
const byte * begin() const
Pointer to the first byte in the memory block.
Definition: algparam.h:80
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:502
Class file for the AES cipher (Rijndael)
Precompiled header file.
T1 SaturatingSubtract(const T1 &a, const T2 &b)
Performs a saturating subtract clamped at 0.
Definition: misc.h:890
void Resynchronize(const byte *iv, int ivLength=-1)
Resynchronize with an IV.
Definition: poly1305.cpp:244
Poly1305 message authentication code.
Definition: poly1305.h:144
void GetNextIV(RandomNumberGenerator &rng, byte *iv)
Retrieves a secure IV for the next message.
Definition: poly1305.cpp:252
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:60
Functions for CPU features and intrinsics.
const char * IV()
ConstByteArrayParameter, also accepts const byte * for backwards compatibility.
Definition: argnames.h:21
Crypto++ library namespace.
Classes for Poly1305 message authentication code.
bool GetValue(const char *name, T &value) const
Get a named value.
Definition: cryptlib.h:347
void Update(const byte *input, size_t length)
Updates a hash with additional input.
Definition: poly1305.cpp:53
void Restart()
Restart the hash.
Definition: poly1305.cpp:258
Interface for retrieving values given their names.
Definition: cryptlib.h:290