taigrr/arduinolibs
1
0
Fork 0
mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00
Code Issues Projects Releases Wiki Activity

GHASH implementation

Browse Source
This commit is contained in:
Rhys Weatherley 2015-04-01 09:12:42 +10:00
parent 0c5b37098b
commit 1c77fdbcec
5 changed files with 462 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/crypto.dox
View File

@ -28,10 +28,10 @@
\li Block ciphers: AES128, AES192, AES256
\li Block cipher modes: CTR, CFB, CBC, OFB
\li Stream ciphers: ChaCha
li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly
\li Hash algorithms: SHA1, SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
\li Message authenticators: Poly1305
\li Message authenticators: Poly1305, GHASH
\li Public key algorithms: Curve25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource
@ -78,6 +78,7 @@ Ardunino Mega 2560 running at 16 MHz are similar:
<tr><td>BLAKE2s</td><td align="right">18.54us</td><td> </td><td align="right"> </td><td align="right">171</td></tr>
<tr><td>BLAKE2b</td><td align="right">50.58us</td><td> </td><td align="right"> </td><td align="right">339</td></tr>
<tr><td>Poly1305</td><td align="right">26.29us</td><td> </td><td align="right"> </td><td align="right">87</td></tr>
<tr><td>GHASH</td><td align="right">148.14us</td><td> </td><td align="right"> </td><td align="right">33</td></tr>
</table>
Where a cipher supports more than one key size (such as ChaCha), the values

2
doc/mainpage.dox
View File

@ -96,7 +96,7 @@ realtime clock and the LCD library to implement an alarm clock.
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly
\li Hash algorithms: SHA1, SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
\li Message authenticators: Poly1305
\li Message authenticators: Poly1305, GHASH
\li Public key algorithms: Curve25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource

204
libraries/Crypto/GHASH.cpp Normal file
View File

@ -0,0 +1,204 @@
/*
* Copyright (C) 2015 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "GHASH.h"
#include "Crypto.h"
#include "utility/EndianUtil.h"
#include <string.h>
/**
* \class GHASH GHASH.h <GHASH.h>
* \brief Implementation of the GHASH message authenticator.
*
* GHASH is the message authentication part of Galois Counter Mode (GCM).
*
* \note GHASH is not the same as GMAC. GHASH implements the low level
* hashing primitive that is used by both GCM and GMAC. GMAC can be
* simulated using GCM and an empty plaintext/ciphertext.
*
* References: <a href="http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf">NIST SP 800-38D</a>,
* http://en.wikipedia.org/wiki/Galois/Counter_Mode
*
* \sa GCM
*/
/**
* \brief Constructs a new GHASH message authenticator.
*/
GHASH::GHASH()
{
state.posn = 0;
}
/**
* \brief Destroys this GHASH message authenticator.
*/
GHASH::~GHASH()
{
clean(state);
}
/**
* \brief Resets the GHASH message authenticator for a new session.
*
* \param key Points to the 16 byte authentication key.
*
* \sa update(), finalize()
*/
void GHASH::reset(const void *key)
{
// Copy the key into H and convert from big endian to host order.
memcpy(state.H, key, 16);
#if defined(CRYPTO_LITTLE_ENDIAN)
state.H[0] = be32toh(state.H[0]);
state.H[1] = be32toh(state.H[1]);
state.H[2] = be32toh(state.H[2]);
state.H[3] = be32toh(state.H[3]);
#endif
// Reset the hash.
memset(state.Y, 0, sizeof(state.Y));
state.posn = 0;
}
/**
* \brief Updates the message authenticator with more data.
*
* \param data Data to be hashed.
* \param len Number of bytes of data to be hashed.
*
* If finalize() has already been called, then the behavior of update() will
* be undefined. Call reset() first to start a new authentication process.
*
* \sa pad(), reset(), finalize()
*/
void GHASH::update(const void *data, size_t len)
{
// XOR the input with state.Y in 128-bit chunks and process them.
const uint8_t *d = (const uint8_t *)data;
while (len > 0) {
uint8_t size = 16 - state.posn;
if (size > len)
size = len;
uint8_t *y = ((uint8_t *)state.Y) + state.posn;
for (uint8_t i = 0; i < size; ++i)
y[i] ^= d[i];
state.posn += size;
len -= size;
d += size;
if (state.posn == 16) {
processChunk();
state.posn = 0;
}
}
}
/**
* \brief Finalizes the authentication process and returns the token.
*
* \param token The buffer to return the token value in.
* \param len The length of the \a token buffer between 0 and 16.
*
* If \a len is less than 16, then the token value will be truncated to
* the first \a len bytes. If \a len is greater than 16, then the remaining
* bytes will left unchanged.
*
* If finalize() is called again, then the returned \a token value is
* undefined. Call reset() first to start a new authentication process.
*
* \sa reset(), update()
*/
void GHASH::finalize(void *token, size_t len)
{
// Pad with zeroes to a multiple of 16 bytes.
pad();
// The token is the current value of Y.
if (len > 16)
len = 16;
memcpy(token, state.Y, len);
}
/**
* \brief Pads the input stream with zero bytes to a multiple of 16.
*
* \sa update()
*/
void GHASH::pad()
{
if (state.posn != 0) {
// Padding involves XOR'ing the rest of state.Y with zeroes,
// which does nothing. Immediately process the next chunk.
processChunk();
state.posn = 0;
}
}
/**
* \brief Clears the authenticator's state, removing all sensitive data.
*/
void GHASH::clear()
{
clean(state);
}
void GHASH::processChunk()
{
uint32_t Z0 = 0; // Z = 0
uint32_t Z1 = 0;
uint32_t Z2 = 0;
uint32_t Z3 = 0;
uint32_t V0 = state.H[0]; // V = H
uint32_t V1 = state.H[1];
uint32_t V2 = state.H[2];
uint32_t V3 = state.H[3];
// Multiply Z by V for the set bits in Y, starting at the top.
// This is a very simple bit by bit version that may not be very
// fast but it should be resistant to cache timing attacks.
for (uint8_t posn = 0; posn < 16; ++posn) {
uint8_t value = ((const uint8_t *)state.Y)[posn];
for (uint8_t bit = 0; bit < 8; ++bit, value <<= 1) {
// Extract the high bit of "value" and turn it into a mask.
uint32_t mask = (~((uint32_t)(value >> 7))) + 1;
// XOR V with Z if the bit is 1.
Z0 ^= (V0 & mask);
Z1 ^= (V1 & mask);
Z2 ^= (V2 & mask);
Z3 ^= (V3 & mask);
// Rotate V right by 1 bit.
mask = ((~(V3 & 0x01)) + 1) & 0xE1000000;
V3 = (V3 >> 1) | (V2 << 31);
V2 = (V2 >> 1) | (V1 << 31);
V1 = (V1 >> 1) | (V0 << 31);
V0 = (V0 >> 1) ^ mask;
}
}
// We have finished the block so copy Z into Y and byte-swap.
state.Y[0] = htobe32(Z0);
state.Y[1] = htobe32(Z1);
state.Y[2] = htobe32(Z2);
state.Y[3] = htobe32(Z3);
}

53
libraries/Crypto/GHASH.h Normal file
View File

@ -0,0 +1,53 @@
/*
* Copyright (C) 2015 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef CRYPTO_GHASH_h
#define CRYPTO_GHASH_h
#include <inttypes.h>
#include <stddef.h>
class GHASH
{
public:
GHASH();
~GHASH();
void reset(const void *key);
void update(const void *data, size_t len);
void finalize(void *token, size_t len);
void pad();
void clear();
private:
struct {
uint32_t H[4];
uint32_t Y[4];
uint8_t posn;
} state;
void processChunk();
};
#endif

201
libraries/Crypto/examples/TestGHASH/TestGHASH.ino Normal file
View File

@ -0,0 +1,201 @@
/*
* Copyright (C) 2015 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
/*
This example runs tests on the GHASH implementation to verify correct behaviour.
*/
#include <Crypto.h>
#include <GHASH.h>
#include <string.h>
// Test vectors from Appendix B of:
// http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
struct TestVector
{
const char *name;
uint8_t key[16];
uint8_t data[112];
size_t dataLen;
uint8_t hash[16];
};
static TestVector const testVectorGHASH_1 = {
.name = "GHASH #1",
.key = {0x66, 0xe9, 0x4b, 0xd4, 0xef, 0x8a, 0x2c, 0x3b,
0x88, 0x4c, 0xfa, 0x59, 0xca, 0x34, 0x2b, 0x2e},
.data = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
.dataLen = 16,
.hash = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
};
static TestVector const testVectorGHASH_2 = {
.name = "GHASH #2",
.key = {0x66, 0xe9, 0x4b, 0xd4, 0xef, 0x8a, 0x2c, 0x3b,
0x88, 0x4c, 0xfa, 0x59, 0xca, 0x34, 0x2b, 0x2e},
.data = {0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
.dataLen = 32,
.hash = {0xf3, 0x8c, 0xbb, 0x1a, 0xd6, 0x92, 0x23, 0xdc,
0xc3, 0x45, 0x7a, 0xe5, 0xb6, 0xb0, 0xf8, 0x85}
};
static TestVector const testVectorGHASH_3 = {
.name = "GHASH #3",
.key = {0xb8, 0x3b, 0x53, 0x37, 0x08, 0xbf, 0x53, 0x5d,
0x0a, 0xa6, 0xe5, 0x29, 0x80, 0xd5, 0x3b, 0x78},
.data = {0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00},
.dataLen = 80,
.hash = {0x7f, 0x1b, 0x32, 0xb8, 0x1b, 0x82, 0x0d, 0x02,
0x61, 0x4f, 0x88, 0x95, 0xac, 0x1d, 0x4e, 0xac}
};
static TestVector const testVectorGHASH_4 = {
.name = "GHASH #4",
.key = {0xb8, 0x3b, 0x53, 0x37, 0x08, 0xbf, 0x53, 0x5d,
0x0a, 0xa6, 0xe5, 0x29, 0x80, 0xd5, 0x3b, 0x78},
.data = {0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xab, 0xad, 0xda, 0xd2, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
0x3d, 0x58, 0xe0, 0x91, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xe0},
.dataLen = 112,
.hash = {0x69, 0x8e, 0x57, 0xf7, 0x0e, 0x6e, 0xcc, 0x7f,
0xd9, 0x46, 0x3b, 0x72, 0x60, 0xa9, 0xae, 0x5f}
};
GHASH ghash;
byte buffer[128];
bool testGHASH_N(GHASH *hash, const struct TestVector *test, size_t inc)
{
size_t size = test->dataLen;
size_t posn, len;
hash->reset(test->key);
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
hash->update(test->data + posn, len);
}
hash->finalize(buffer, 16);
return !memcmp(buffer, test->hash, 16);
}
void testGHASH(GHASH *hash, const struct TestVector *test)
{
bool ok;
Serial.print(test->name);
Serial.print(" ... ");
ok = testGHASH_N(hash, test, test->dataLen);
ok &= testGHASH_N(hash, test, 1);
ok &= testGHASH_N(hash, test, 2);
ok &= testGHASH_N(hash, test, 5);
ok &= testGHASH_N(hash, test, 8);
ok &= testGHASH_N(hash, test, 13);
ok &= testGHASH_N(hash, test, 16);
ok &= testGHASH_N(hash, test, 24);
ok &= testGHASH_N(hash, test, 63);
ok &= testGHASH_N(hash, test, 64);
if (ok)
Serial.println("Passed");
else
Serial.println("Failed");
}
void perfGHASH(GHASH *hash)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Hashing ... ");
for (size_t posn = 0; posn < sizeof(buffer); ++posn)
buffer[posn] = (uint8_t)posn;
hash->reset(testVectorGHASH_1.key);
start = micros();
for (count = 0; count < 200; ++count) {
hash->update(buffer, sizeof(buffer));
}
elapsed = micros() - start;
Serial.print(elapsed / (sizeof(buffer) * 200.0));
Serial.print("us per byte, ");
Serial.print((sizeof(buffer) * 200.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void setup()
{
Serial.begin(9600);
Serial.println();
Serial.print("State Size ... ");
Serial.println(sizeof(GHASH));
Serial.println();
Serial.println("Test Vectors:");
testGHASH(&ghash, &testVectorGHASH_1);
testGHASH(&ghash, &testVectorGHASH_2);
testGHASH(&ghash, &testVectorGHASH_3);
testGHASH(&ghash, &testVectorGHASH_4);
Serial.println();
Serial.println("Performance Tests:");
perfGHASH(&ghash);
}
void loop()
{
}