mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00

XTS mode for disk sector encryption

Rhys Weatherley 2016-02-20 16:12:32 +10:00
parent 4445547e1b
commit b078357392
7 changed files with 1098 additions and 4 deletions


@ -27,7 +27,7 @@
\section crypto_algorithms Supported Algorithms \section crypto_algorithms Supported Algorithms
\li Block ciphers: AES128, AES192, AES256, Speck \li Block ciphers: AES128, AES192, AES256, Speck
\li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM \li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM, XTS
\li Stream ciphers: ChaCha \li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM \li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes) \li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)


@ -92,7 +92,7 @@ realtime clock and the LCD library to implement an alarm clock.
\section main_Crypto Cryptographic Library \section main_Crypto Cryptographic Library
\li Block ciphers: AES128, AES192, AES256, Speck \li Block ciphers: AES128, AES192, AES256, Speck
\li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM \li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM, XTS
\li Stream ciphers: ChaCha \li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM \li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes) \li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)


@ -309,7 +309,7 @@ void GF128::mul(uint32_t Y[4], const uint32_t H[4])
* block, the modes multiply the nonce by 2 in the GF(2^128) field every * block, the modes multiply the nonce by 2 in the GF(2^128) field every
* block. This function is provided to help with implementing such modes. * block. This function is provided to help with implementing such modes.
* *
* \sa dblEAX(), mul() * \sa dblEAX(), dblXTS(), mul()
*/ */
void GF128::dbl(uint32_t V[4]) void GF128::dbl(uint32_t V[4])
{ {
@ -401,7 +401,7 @@ void GF128::dbl(uint32_t V[4])
* References: https://en.wikipedia.org/wiki/EAX_mode, * References: https://en.wikipedia.org/wiki/EAX_mode,
* http://web.cs.ucdavis.edu/~rogaway/papers/eax.html * http://web.cs.ucdavis.edu/~rogaway/papers/eax.html
* *
* \sa dbl(), mul() * \sa dbl(), dblXTS(), mul()
*/ */
void GF128::dblEAX(uint32_t V[4]) void GF128::dblEAX(uint32_t V[4])
{ {
@ -478,3 +478,94 @@ void GF128::dblEAX(uint32_t V[4])
V[3] = htobe32(V3); V[3] = htobe32(V3);
#endif #endif
} }
/**
* \brief Doubles a value in the GF(2^128) field using XTS conventions.
*
* \param V The value to double, and the result. This array is
* assumed to be in littlen-endian order on entry and exit.
*
* This function differs from dbl() that it uses the conventions of XTS mode
* instead of those of NIST SP 800-38D (GCM). The two operations have
* equivalent security but the bits are ordered differently with the
* value shifted left instead of right.
*
* References: <a href="http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf">IEEE Std. 1619-2007, XTS-AES</a>
*
* \sa dbl(), dblEAX(), mul()
*/
void GF128::dblXTS(uint32_t V[4])
{
#if defined(__AVR__)
__asm__ __volatile__ (
"ld r16,Z\n"
"ldd r17,Z+1\n"
"ldd r18,Z+2\n"
"ldd r19,Z+3\n"
"lsl r16\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"std Z+1,r17\n"
"std Z+2,r18\n"
"std Z+3,r19\n"
"ldd r17,Z+4\n"
"ldd r18,Z+5\n"
"ldd r19,Z+6\n"
"ldd r20,Z+7\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"rol r20\n"
"std Z+4,r17\n"
"std Z+5,r18\n"
"std Z+6,r19\n"
"std Z+7,r20\n"
"ldd r17,Z+8\n"
"ldd r18,Z+9\n"
"ldd r19,Z+10\n"
"ldd r20,Z+11\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"rol r20\n"
"std Z+8,r17\n"
"std Z+9,r18\n"
"std Z+10,r19\n"
"std Z+11,r20\n"
"ldd r17,Z+12\n"
"ldd r18,Z+13\n"
"ldd r19,Z+14\n"
"ldd r20,Z+15\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"rol r20\n"
"std Z+12,r17\n"
"std Z+13,r18\n"
"std Z+14,r19\n"
"std Z+15,r20\n"
"mov r17,__zero_reg__\n"
"sbc r17,__zero_reg__\n"
"andi r17,0x87\n"
"eor r16,r17\n"
"st Z,r16\n"
: : "z"(V)
: "r16", "r17", "r18", "r19", "r20"
);
#else
uint32_t V0 = le32toh(V[0]);
uint32_t V1 = le32toh(V[1]);
uint32_t V2 = le32toh(V[2]);
uint32_t V3 = le32toh(V[3]);
uint32_t mask = ((~(V3 >> 31)) + 1) & 0x00000087;
V3 = (V3 << 1) | (V2 >> 31);
V2 = (V2 << 1) | (V1 >> 31);
V1 = (V1 << 1) | (V0 >> 31);
V0 = (V0 << 1) ^ mask;
V[0] = htole32(V0);
V[1] = htole32(V1);
V[2] = htole32(V2);
V[3] = htole32(V3);
#endif
}
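Review bot: The AVR inline assembly in dblXTS() loads and stores all 16 bytes of V through Z, but the asm statement declares no memory operand and no `"memory"` clobber, so the compiler is never told that V[] changes. That is harmless while the call stays out of line, but if the function is ever inlined (for example under LTO) a caller such as the XTS sector loop could keep using stale tweak words. I would change the clobber list to `: "r16", "r17", "r18", "r19", "r20", "memory"`. The doc comment above it also has a typo, "littlen-endian", and "differs from dbl() that it" should read "differs from dbl() in that it".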


@ -36,6 +36,7 @@ public:
static void mul(uint32_t Y[4], const uint32_t H[4]); static void mul(uint32_t Y[4], const uint32_t H[4]);
static void dbl(uint32_t V[4]); static void dbl(uint32_t V[4]);
static void dblEAX(uint32_t V[4]); static void dblEAX(uint32_t V[4]);
static void dblXTS(uint32_t V[4]);
}; };
#endif #endif

437
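--- a/libraries/Crypto/XTS.cpp
+++ b/libraries/Crypto/XTS.cpp
@@ -0,0 +1,437 @@
+/*
+* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+*
+* Permission is hereby granted, free of charge, to any person obtaining a
+* copy of this software and associated documentation files (the "Software"),
+* to deal in the Software without restriction, including without limitation
+* the rights to use, copy, modify, merge, publish, distribute, sublicense,
+* and/or sell copies of the Software, and to permit persons to whom the
+* Software is furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included
+* in all copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+* DEALINGS IN THE SOFTWARE.
+*/
+#include "XTS.h"
+#include "Crypto.h"
+#include "GF128.h"
+#include <string.h>
+/**
+* \class XTSCommon XTS.h <XTS.h>
+* \brief Concrete base class to assist with implementing XTS mode for
+* 128-bit block ciphers.
+*
+* References: <a href="http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf">IEEE Std. 1619-2007</a>, <a href="http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf">NIST SP 800-38E</a>, a href="http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf">XEX</a>.
+*
+* \sa XTS, XTSSingleKey
+*/
+/**
+* \brief Constructs an XTS object with a default sector size of 512 bytes.
+*/
+XTSCommon::XTSCommon()
+: sectSize(512)
+{
+}
+/**
+* \brief Clears all sensitive information and destroys this object.
+*/
+XTSCommon::~XTSCommon()
+{
+clean(twk);
+}
+/**
+* \brief Gets the size of the key for XTS mode.
+*
+* The key size for XTS mode is twice the size of the underlying
+* block cipher key size.
+*
+* \sa setKey(), tweakSize()
+*/
+size_t XTSCommon::keySize() const
+{
+return blockCipher1->keySize() * 2;
+}
+/**
+* \brief Gets the maximum supported size for the tweak.
+*
+* This function returns 16, which indicates that any tweak up to 16 bytes
+* in size can be specified via setTweak().
+*/
+size_t XTSCommon::tweakSize() const
+{
+return 16;
+}
+/**
+* \fn size_t XTSCommon::sectorSize() const
+* \brief Gets the size of sectors encrypted or decrypted by this class.
+*
+* The default value is 512 bytes.
+*
+* \sa setSectorSize()
+*/
+/**
+* \brief Sets the size of sectors encrypted or decrypted by this class.
+*
+* \param size The sector size in bytes, which must be greater than or
+* equal to 16.
+*
+* \return Returns false if \a size is less than 16.
+*
+* \sa sectorSize(), encryptSector()
+*/
+bool XTSCommon::setSectorSize(size_t size)
+{
+if (size < 16)
+return false;
+sectSize = size;
+return true;
+}
+/**
+* \brief Sets the key to use for XTS mode.
+*
+* \param key Points to the key.
+* \param len The size of the key in bytes which must be twice the
+* size of the underlying block cipher's key size.
+*
+* \return Returns true if the key was set or false if \a len was incorrect.
+*
+* This function should be followed by a call to setTweak() to specify
+* the sector-specific tweak.
+*
+* \sa keySize(), setTweak(), encryptSector()
+*/
+bool XTSCommon::setKey(const uint8_t *key, size_t len)
+{
+if (!blockCipher1->setKey(key, len / 2))
+return false;
+return blockCipher2->setKey(key + len / 2, len - (len / 2));
+}
+/**
+* \brief Sets the tweak value for the current sector to encrypt or decrypt.
+*
+* \param tweak Points to the tweak.
+* \param len The length of the tweak which must be less than or equal to 16.
+*
+* \return Returns true if the tweak was set or false if \a len was incorrect.
+*
+* If \a len is less than 16, then the \a tweak will be zero-padded to
+* 16 bytes.
+*
+* The \a tweak is encrypted with the second half of the XTS key to generate
+* the actual tweak value for the sector.
+*
+* \sa tweakSize(), setKey(), encryptSector()
+*/
+bool XTSCommon::setTweak(const uint8_t *tweak, size_t len)
+{
+if (len > 16)
+return false;
+memcpy(twk, tweak, len);
+memset(((uint8_t *)twk) + len, 0, 16 - len);
+blockCipher2->encryptBlock((uint8_t *)twk, (uint8_t *)twk);
+return true;
+}
+#define xorTweak(output, input, tweak) \
+do { \
+for (uint8_t i = 0; i < 16; ++i) \
+(output)[i] = (input)[i] ^ ((const uint8_t *)(tweak))[i]; \
+} while (0)
+/**
+* \brief Encrypts an entire sector of data.
+*
+* \param output The output buffer to write the ciphertext to, which can
+* be the same as \a input.
+* \param input The input buffer to read the plaintext from.
+*
+* The \a input and \a output buffers must be at least sectorSize()
+* bytes in length.
+*
+* \sa decryptSector(), setKey(), setTweak()
+*/
+void XTSCommon::encryptSector(uint8_t *output, const uint8_t *input)
+{
+size_t sectLast = sectSize & ~15;
+size_t posn = 0;
+uint32_t t[4];
+memcpy(t, twk, sizeof(t));
+while (posn < sectLast) {
+// Process all complete 16-byte blocks.
+xorTweak(output, input, t);
+blockCipher1->encryptBlock(output, output);
+xorTweak(output, output, t);
+GF128::dblXTS(t);
+input += 16;
+output += 16;
+posn += 16;
+}
+if (posn < sectSize) {
+// Perform ciphertext stealing on the final partial block.
+uint8_t leftOver = sectSize - posn;
+output -= 16;
+while (leftOver > 0) {
+// Swap the left-over bytes in the last two blocks.
+--leftOver;
+uint8_t temp = input[leftOver];
+output[leftOver + 16] = output[leftOver];
+output[leftOver] = temp;
+}
+xorTweak(output, output, t);
+blockCipher1->encryptBlock(output, output);
+xorTweak(output, output, t);
+}
+}
+/**
+* \brief Decrypts an entire sector of data.
+*
+* \param output The output buffer to write the plaintext to, which can
+* be the same as \a input.
+* \param input The input buffer to read the ciphertext from.
+*
+* The \a input and \a output buffers must be at least sectorSize()
+* bytes in length.
+*
+* \sa encryptSector(), setKey(), setTweak()
+*/
+void XTSCommon::decryptSector(uint8_t *output, const uint8_t *input)
+{
+size_t sectLast = sectSize & ~15;
+size_t posn = 0;
+uint32_t t[4];
+memcpy(t, twk, sizeof(t));
+if (sectLast != sectSize)
+sectLast -= 16;
+while (posn < sectLast) {
+// Process all complete 16-byte blocks.
+xorTweak(output, input, t);
+blockCipher1->decryptBlock(output, output);
+xorTweak(output, output, t);
+GF128::dblXTS(t);
+input += 16;
+output += 16;
+posn += 16;
+}
+if (posn < sectSize) {
+// Perform ciphertext stealing on the final two blocks.
+uint8_t leftOver = sectSize - 16 - posn;
+uint32_t u[4];
+// Decrypt the second-last block of ciphertext to recover
+// the last partial block of plaintext. We need to use
+// dblXTS(t) as the tweak for this block. Save the current
+// tweak in "u" for use later.
+memcpy(u, t, sizeof(t));
+GF128::dblXTS(t);
+xorTweak(output, input, t);
+blockCipher1->decryptBlock(output, output);
+xorTweak(output, output, t);
+// Swap the left-over bytes in the last two blocks.
+while (leftOver > 0) {
+--leftOver;
+uint8_t temp = input[leftOver + 16];
+output[leftOver + 16] = output[leftOver];
+output[leftOver] = temp;
+}
+// Decrypt the second-last block using the second-last tweak.
+xorTweak(output, output, u);
+blockCipher1->decryptBlock(output, output);
+xorTweak(output, output, u);
+}
+}
+/**
+* \brief Clears all security-sensitive state from this XTS object.
+*/
+void XTSCommon::clear()
+{
+clean(twk);
+blockCipher1->clear();
+blockCipher2->clear();
+}
+/**
+* \fn void XTSCommon::setBlockCiphers(BlockCipher *cipher1, BlockCipher *cipher2)
+* \brief Sets the two block ciphers to use for XTS mode.
+*
+* \param cipher1 Points to the first block cipher object, which must be
+* capable of both encryption and decryption.
+* \param cipher2 Points to the second block cipher object, which must be
+* capable of both encryption but does not need to be capable of decryption.
+*
+* Both block ciphers must have a 128-bit block size.
+*/
+/**
+* \class XTSSingleKeyCommon XTS.h <XTS.h>
+* \brief Concrete base class to assist with implementing single-key XTS
+* mode for 128-bit block ciphers.
+*
+* References: <a href="http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf">IEEE Std. 1619-2007</a>, <a href="http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf">NIST SP 800-38E</a>, a href="http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf">XEX</a>.
+*
+* \sa XTSSingleKey, XTSCommon
+*/
+/**
+* \fn XTSSingleKeyCommon::XTSSingleKeyCommon()
+* \brief Constructs an XTS object with a default sector size of 512 bytes.
+*/
+/**
+* \brief Clears all sensitive information and destroys this object.
+*/
+XTSSingleKeyCommon::~XTSSingleKeyCommon()
+{
+}
+/**
+* \brief Gets the size of the key for single-pkey XTS mode.
+*
+* The key size for single-key XTS mode is the same as the key size
+* for the underlying block cipher.
+*
+* \sa setKey(), tweakSize()
+*/
+size_t XTSSingleKeyCommon::keySize() const
+{
+return blockCipher1->keySize();
+}
+/**
+* \brief Sets the key to use for single-keyh XTS mode.
+*
+* \param key Points to the key.
+* \param len The size of the key in bytes which must be same as the
+* size of the underlying block cipher.
+*
+* \return Returns true if the key was set or false if \a len was incorrect.
+*
+* This function should be followed by a call to setTweak() to specify
+* the sector-specific tweak.
+*
+* \sa keySize(), setTweak(), encryptSector()
+*/
+bool XTSSingleKeyCommon::setKey(const uint8_t *key, size_t len)
+{
+return blockCipher1->setKey(key, len);
+}
+/**
+* \class XTS XTS.h <XTS.h>
+* \brief Implementation of the XTS mode for 128-bit block ciphers.
+*
+* XTS mode implements the XEX tweakable block cipher mode with ciphertext
+* stealing for data that isn't a multiple of the 128-bit block size.
+*
+* XTS was designed for use in disk encryption where a large number of
+* equal-sized "sectors" need to be encrypted in a way that information
+* from one sector cannot be used to decrypt the other sectors. The mode
+* combines the key with a sector-specific "tweak" which is usually
+* based on the sector number.
+*
+* Some Arduino systems have SD cards, but typically embedded systems
+* do not have disk drives. However, XTS can still be useful on
+* Arduino systems with lots of EEPROM or flash memory. If the application
+* needs to store critical security parameters like private keys then
+* XTS can be used to encrypt non-volatile memory to protect the parameters.
+*
+* The following example encrypts a sector using XTS mode:
+*
+* \code
+* XTS<AES256> xts;
+* xts.setSectorSize(520);
+* xts.setKey(key, 64); // Twice the AES256 key size.
+* xts.setTweak(sectorNumber, sizeof(sectorNumber));
+* xts.encryptSector(output, input);
+* \endcode
+*
+* XTS keys are twice the size of the underlying block cipher
+* (AES256 in the above example). The XTS key is divided into two halves.
+* The first half is used to encrypt the plaintext and the second half
+* is used to encrypt the sector-specific tweak. The same key can be
+* used for both, in which case XTS is equivalent to the original
+* XEX design upon which XTS was based. The companion XTSSingleKey class
+* can be used for single-key scenarios.
+*
+* The template parameter must be a concrete subclass of BlockCipher
+* indicating the specific block cipher to use. The example above uses
+* AES256 as the underlying cipher.
+*
+* It is also possible to specify two different block ciphers, as long as
+* they have the same key size. Because the second half of the key is only
+* used to encrypt tweaks and never decrypt, a reduced block cipher
+* implementation like SpeckTiny that only supports encryption can be
+* used for the second block cipher:
+*
+* \code
+* XTS<SpeckSmall, SpeckTiny> xts;
+* \endcode
+*
+* This might save some memory that would otherwise be needed for the
+* decryption key schedule of the second block cipher. XTSSingleKey provides
+* another method to save memory.
+*
+* References: <a href="http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf">IEEE Std. 1619-2007</a>, <a href="http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf">NIST SP 800-38E</a>, a href="http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf">XEX</a>.
+*
+* \sa XTSSingleKey, XTSCommon
+*/
+/**
+* \fn XTS::XTS()
+* \brief Constructs an object for encrypting sectors in XTS mode.
+*
+* This constructor should be followed by a call to setSectorSize().
+* The default sector size is 512 bytes.
+*/
+/**
+* \fn XTS::~XTS()
+* \brief Clears all sensitive information and destroys this object.
+*/
+/**
+* \class XTSSingleKey XTS.h <XTS.h>
+* \brief Implementation of the single-key XTS mode for 128-bit block ciphers.
+*
+* XTS mode normally uses two keys to encrypt plaintext and the
+* sector-specific tweak values. This class uses the same key for
+* both purposes, which can help save memory.
+*
+* References: <a href="http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf">IEEE Std. 1619-2007</a>, <a href="http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf">NIST SP 800-38E</a>, a href="http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf">XEX</a>.
+*
+* \sa XTS, XTSSingleKeyCommon
+*/
+/**
+* \fn XTSSingleKey::XTSSingleKey()
+* \brief Constructs an object for encrypting sectors in XTS mode
+* with a single key instead of two split keys.
+*
+* This constructor should be followed by a call to setSectorSize().
+* The default sector size is 512 bytes.
+*/
+/**
+* \fn XTSSingleKey::~XTSSingleKey()
+* \brief Clears all sensitive information and destroys this object.
+*/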
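Review bot: encryptSector() and decryptSector() copy the encrypted tweak into the local `t` (and `u` in the ciphertext-stealing branch of decryptSector()) and return without wiping them, while the destructor and clear() take care to `clean(twk)`. The running tweak is key-derived material, so it deserves the same treatment: add `clean(t);` at the end of both functions and `clean(u);` at the end of the stealing branch. Separately, XTSCommon::setKey() accepts a key whose two halves are identical, and it leaves the first cipher keyed when the second `setKey()` call fails. FIPS 140 implementation guidance for XTS-AES requires the two halves to differ, so the setKey() documentation should say that the check is left to the caller and that a false return leaves the object unusable until it is re-keyed. The class documentation also suggests XTS for protecting stored private keys; it should state that XTS provides no integrity protection, so modified ciphertext decrypts without any error.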

101
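--- a/libraries/Crypto/XTS.h
+++ b/libraries/Crypto/XTS.h
@@ -0,0 +1,101 @@
+/*
+* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+*
+* Permission is hereby granted, free of charge, to any person obtaining a
+* copy of this software and associated documentation files (the "Software"),
+* to deal in the Software without restriction, including without limitation
+* the rights to use, copy, modify, merge, publish, distribute, sublicense,
+* and/or sell copies of the Software, and to permit persons to whom the
+* Software is furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included
+* in all copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+* DEALINGS IN THE SOFTWARE.
+*/
+#ifndef CRYPTO_XTS_h
+#define CRYPTO_XTS_h
+#include "BlockCipher.h"
+class XTSSingleKeyCommon;
+class XTSCommon
+{
+public:
+virtual ~XTSCommon();
+virtual size_t keySize() const;
+size_t tweakSize() const;
+size_t sectorSize() const { return sectSize; }
+bool setSectorSize(size_t size);
+virtual bool setKey(const uint8_t *key, size_t len);
+bool setTweak(const uint8_t *tweak, size_t len);
+void encryptSector(uint8_t *output, const uint8_t *input);
+void decryptSector(uint8_t *output, const uint8_t *input);
+void clear();
+protected:
+XTSCommon();
+void setBlockCiphers(BlockCipher *cipher1, BlockCipher *cipher2)
+{
+blockCipher1 = cipher1;
+blockCipher2 = cipher2;
+}
+private:
+BlockCipher *blockCipher1;
+BlockCipher *blockCipher2;
+uint32_t twk[4];
+size_t sectSize;
+friend class XTSSingleKeyCommon;
+};
+class XTSSingleKeyCommon : public XTSCommon
+{
+public:
+virtual ~XTSSingleKeyCommon();
+size_t keySize() const;
+bool setKey(const uint8_t *key, size_t len);
+protected:
+XTSSingleKeyCommon() : XTSCommon() {}
+};
+template <typename T1, typename T2 = T1>
+class XTS : public XTSCommon
+{
+public:
+XTS() { setBlockCiphers(&cipher1, &cipher2); }
+~XTS() {}
+private:
+T1 cipher1;
+T2 cipher2;
+};
+template <typename T>
+class XTSSingleKey : public XTSSingleKeyCommon
+{
+public:
+XTSSingleKey() { setBlockCiphers(&cipher, &cipher); }
+~XTSSingleKey() {}
+private:
+T cipher;
+};
+#endif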
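Review bot: XTSCommon stores raw `BlockCipher *` pointers to cipher objects that live inside the derived XTS / XTSSingleKey instance, and nothing in the header disables copying. A compiler-generated copy of an `XTS<AES128>` would carry `blockCipher1`/`blockCipher2` pointing at the source object's ciphers, so the copy would encrypt with (and `clear()`) the other object's key schedule, or dangle once the source is destroyed. I would declare the copy operations private and unimplemented in XTSCommon, `XTSCommon(const XTSCommon &);` and `XTSCommon &operator=(const XTSCommon &);`, with a one-line comment saying why. The protected constructor also leaves both pointers uninitialised until setBlockCiphers() runs, which that comment should mention.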


@ -0,0 +1,464 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
/*
This example runs tests on the XTS implementation to verify correct behaviour.
*/
#include <Crypto.h>
#include <AES.h>
#include <Speck.h>
#include <SpeckSmall.h>
#include <SpeckTiny.h>
#include <XTS.h>
#include <string.h>
#define MAX_SECTOR_SIZE 64
struct TestVector
{
const char *name;
byte key1[16];
byte key2[16];
byte plaintext[MAX_SECTOR_SIZE];
byte ciphertext[MAX_SECTOR_SIZE];
byte tweak[16];
size_t sectorSize;
};
// Selected test vectors for XTS-AES-128 from:
// http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf
static TestVector const testVectorXTSAES128_1 PROGMEM = {
.name = "XTS-AES-128 #1",
.key1 = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
.key2 = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
.plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
.ciphertext = {0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e},
.tweak = {0x00},
.sectorSize = 32
};
static TestVector const testVectorXTSAES128_2 PROGMEM = {
.name = "XTS-AES-128 #2",
.key1 = {0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11},
.key2 = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22},
.plaintext = {0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44},
.ciphertext = {0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0},
.tweak = {0x33, 0x33, 0x33, 0x33, 0x33},
.sectorSize = 32
};
static TestVector const testVectorXTSAES128_3 PROGMEM = {
.name = "XTS-AES-128 #3",
.key1 = {0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0},
.key2 = {0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22},
.plaintext = {0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44},
.ciphertext = {0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89},
.tweak = {0x33, 0x33, 0x33, 0x33, 0x33},
.sectorSize = 32
};
static TestVector const testVectorXTSAES128_4 PROGMEM = {
// 512 byte test vector from the spec truncated to the first 64 bytes.
.name = "XTS-AES-128 #4",
.key1 = {0x27, 0x18, 0x28, 0x18, 0x28, 0x45, 0x90, 0x45,
0x23, 0x53, 0x60, 0x28, 0x74, 0x71, 0x35, 0x26},
.key2 = {0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93,
0x23, 0x84, 0x62, 0x64, 0x33, 0x83, 0x27, 0x95},
.plaintext = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f},
.ciphertext = {0x27, 0xa7, 0x47, 0x9b, 0xef, 0xa1, 0xd4, 0x76,
0x48, 0x9f, 0x30, 0x8c, 0xd4, 0xcf, 0xa6, 0xe2,
0xa9, 0x6e, 0x4b, 0xbe, 0x32, 0x08, 0xff, 0x25,
0x28, 0x7d, 0xd3, 0x81, 0x96, 0x16, 0xe8, 0x9c,
0xc7, 0x8c, 0xf7, 0xf5, 0xe5, 0x43, 0x44, 0x5f,
0x83, 0x33, 0xd8, 0xfa, 0x7f, 0x56, 0x00, 0x00,
0x05, 0x27, 0x9f, 0xa5, 0xd8, 0xb5, 0xe4, 0xad,
0x40, 0xe7, 0x36, 0xdd, 0xb4, 0xd3, 0x54, 0x12},
.tweak = {0x00},
.sectorSize = 64
};
static TestVector const testVectorXTSAES128_15 PROGMEM = {
.name = "XTS-AES-128 #15",
.key1 = {0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0},
.key2 = {0xbf, 0xbe, 0xbd, 0xbc, 0xbb, 0xba, 0xb9, 0xb8,
0xb7, 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1, 0xb0},
.plaintext = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10},
.ciphertext = {0x6c, 0x16, 0x25, 0xdb, 0x46, 0x71, 0x52, 0x2d,
0x3d, 0x75, 0x99, 0x60, 0x1d, 0xe7, 0xca, 0x09,
0xed},
.tweak = {0x9a, 0x78, 0x56, 0x34, 0x12},
.sectorSize = 17
};
// This test vector is from:
// https://github.com/heisencoder/XTS-AES/blob/master/testvals/xts.4
// We use this one because the main specification doesn't have an odd
// block size greater than 32 bytes but less than 64 bytes.
static TestVector const testVectorXTSAES128_16 PROGMEM = {
.name = "XTS-AES-128 #16",
.key1 = {0x27, 0x18, 0x28, 0x18, 0x28, 0x45, 0x90, 0x45,
0x23, 0x53, 0x60, 0x28, 0x74, 0x71, 0x35, 0x26},
.key2 = {0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93,
0x23, 0x84, 0x62, 0x64, 0x33, 0x83, 0x27, 0x95},
.plaintext = {0x50, 0x00, 0xec, 0xa5, 0xa1, 0xf6, 0xa4, 0x93,
0x78, 0x03, 0x0d, 0x9e, 0xe8, 0x05, 0xac, 0xef,
0x46, 0x0f, 0x31, 0x4e, 0xe0, 0x4b, 0xb5, 0x14,
0x03, 0x4e, 0xb2, 0x7f, 0xb8, 0xdf, 0x2b, 0xc8,
0x12, 0xae, 0x5b, 0xdf, 0x8c},
.ciphertext = {0xe5, 0x9e, 0x6f, 0x23, 0x3b, 0xe0, 0xe0, 0x83,
0x04, 0x83, 0xc6, 0xbd, 0x4e, 0x82, 0xf4, 0xc3,
0x95, 0x43, 0x55, 0x8a, 0x25, 0xe3, 0xdb, 0x60,
0xa5, 0x53, 0xa5, 0x94, 0x81, 0x45, 0xa6, 0xff,
0xb5, 0xe6, 0xbe, 0x1d, 0xb5},
.tweak = {0x33, 0x22, 0x11, 0x00},
.sectorSize = 37
};
XTS<AES128> *xtsaes128;
TestVector testVector;
byte buffer[MAX_SECTOR_SIZE];
#if defined(__AVR__)
void _printProgMem(const char *str)
{
for (;;) {
uint8_t ch = pgm_read_byte((const uint8_t *)str);
if (!ch)
break;
Serial.write(ch);
++str;
}
}
#define printProgMem(str) \
do { \
static char const temp_str[] PROGMEM = str; \
_printProgMem(temp_str); \
} while (0)
#define printlnProgMem(str) \
do { \
static char const temp_str[] PROGMEM = str; \
_printProgMem(temp_str); \
Serial.println(); \
} while (0)
#else
#define printProgMem(str) \
Serial.print(str)
#define printlnProgMem(str) \
Serial.println(str)
#endif
void testXTS(XTSCommon *cipher, const struct TestVector *test)
{
memcpy_P(&testVector, test, sizeof(testVector));
Serial.print(testVector.name);
printProgMem(" Encrypt ... ");
cipher->setSectorSize(testVector.sectorSize);
cipher->setKey(testVector.key1, 32);
cipher->setTweak(testVector.tweak, sizeof(testVector.tweak));
cipher->encryptSector(buffer, testVector.plaintext);
if (!memcmp(buffer, testVector.ciphertext, testVector.sectorSize))
printlnProgMem("Passed");
else
printlnProgMem("Failed");
Serial.print(testVector.name);
printProgMem(" Decrypt ... ");
cipher->decryptSector(buffer, testVector.ciphertext);
if (!memcmp(buffer, testVector.plaintext, testVector.sectorSize))
printlnProgMem("Passed");
else
printlnProgMem("Failed");
Serial.print(testVector.name);
printProgMem(" Encrypt In-Place ... ");
memcpy(buffer, testVector.plaintext, testVector.sectorSize);
cipher->encryptSector(buffer, buffer);
if (!memcmp(buffer, testVector.ciphertext, testVector.sectorSize))
printlnProgMem("Passed");
else
printlnProgMem("Failed");
Serial.print(testVector.name);
printProgMem(" Decrypt In-Place ... ");
memcpy(buffer, testVector.ciphertext, testVector.sectorSize);
cipher->decryptSector(buffer, buffer);
if (!memcmp(buffer, testVector.plaintext, testVector.sectorSize))
printlnProgMem("Passed");
else
printlnProgMem("Failed");
}
void perfEncrypt(const char *name, XTSCommon *cipher, const struct TestVector *test, size_t keySize = 32)
{
unsigned long start;
unsigned long elapsed;
int count;
memcpy_P(&testVector, test, sizeof(testVector));
Serial.print(name);
printProgMem(" ... ");
cipher->setSectorSize(sizeof(buffer));
cipher->setKey(testVector.key1, keySize);
cipher->setTweak(testVector.tweak, sizeof(testVector.tweak));
memset(buffer, 0xAA, sizeof(buffer));
start = micros();
for (count = 0; count < 500; ++count) {
cipher->encryptSector(buffer, buffer);
}
elapsed = micros() - start;
Serial.print(elapsed / (sizeof(buffer) * 500.0));
printProgMem("us per byte, ");
Serial.print((sizeof(buffer) * 500.0 * 1000000.0) / elapsed);
printlnProgMem(" bytes per second");
}
void perfDecrypt(const char *name, XTSCommon *cipher, const struct TestVector *test, size_t keySize = 32)
{
unsigned long start;
unsigned long elapsed;
int count;
memcpy_P(&testVector, test, sizeof(testVector));
Serial.print(name);
printProgMem(" ... ");
cipher->setSectorSize(sizeof(buffer));
cipher->setKey(testVector.key1, keySize);
cipher->setTweak(testVector.tweak, sizeof(testVector.tweak));
start = micros();
for (count = 0; count < 500; ++count) {
cipher->decryptSector(buffer, buffer);
}
elapsed = micros() - start;
Serial.print(elapsed / (sizeof(buffer) * 500.0));
printProgMem("us per byte, ");
Serial.print((sizeof(buffer) * 500.0 * 1000000.0) / elapsed);
printlnProgMem(" bytes per second");
}
void perfSetKey(const char *name, XTSCommon *cipher, const struct TestVector *test, size_t keySize = 32)
{
unsigned long start;
unsigned long elapsed;
int count;
memcpy_P(&testVector, test, sizeof(testVector));
Serial.print(name);
printProgMem(" ... ");
start = micros();
for (count = 0; count < 2000; ++count) {
cipher->setKey(testVector.key1, keySize);
}
elapsed = micros() - start;
Serial.print(elapsed / 2000.0);
printProgMem("us per operation, ");
Serial.print((2000.0 * 1000000.0) / elapsed);
printlnProgMem(" operations per second");
}
void perfSetTweak(const char *name, XTSCommon *cipher, const struct TestVector *test)
{
unsigned long start;
unsigned long elapsed;
int count;
memcpy_P(&testVector, test, sizeof(testVector));
Serial.print(name);
printProgMem(" ... ");
start = micros();
for (count = 0; count < 2000; ++count) {
cipher->setTweak(testVector.tweak, sizeof(testVector.tweak));
}
elapsed = micros() - start;
Serial.print(elapsed / 2000.0);
printProgMem("us per operation, ");
Serial.print((2000.0 * 1000000.0) / elapsed);
printlnProgMem(" operations per second");
}
void setup()
{
Serial.begin(9600);
Serial.println();
xtsaes128 = new XTS<AES128>();
printlnProgMem("State Sizes:");
printProgMem("XTS<AES128> ... ");
Serial.println(sizeof(*xtsaes128));
printProgMem("XTS<AES256> ... ");
Serial.println(sizeof(XTS<AES256>));
printProgMem("XTS<Speck> ... ");
Serial.println(sizeof(XTS<Speck>));
printProgMem("XTS<SpeckSmall> ... ");
Serial.println(sizeof(XTS<SpeckSmall>));
printProgMem("XTS<SpeckSmall, SpeckTiny> ... ");
Serial.println(sizeof(XTS<SpeckSmall, SpeckTiny>));
printProgMem("XTSSingleKey<AES128> ... ");
Serial.println(sizeof(XTSSingleKey<AES128>));
printProgMem("XTSSingleKey<AES256> ... ");
Serial.println(sizeof(XTSSingleKey<AES256>));
printProgMem("XTSSingleKey<Speck> ... ");
Serial.println(sizeof(XTSSingleKey<Speck>));
printProgMem("XTSSingleKey<SpeckSmall> ... ");
Serial.println(sizeof(XTSSingleKey<SpeckSmall>));
Serial.println();
printlnProgMem("Test Vectors:");
testXTS(xtsaes128, &testVectorXTSAES128_1);
testXTS(xtsaes128, &testVectorXTSAES128_2);
testXTS(xtsaes128, &testVectorXTSAES128_3);
testXTS(xtsaes128, &testVectorXTSAES128_4);
testXTS(xtsaes128, &testVectorXTSAES128_15);
testXTS(xtsaes128, &testVectorXTSAES128_16);
Serial.println();
printlnProgMem("Performance Tests:");
Serial.println();
printlnProgMem("XTS-AES-128:");
perfEncrypt("Encrypt", xtsaes128, &testVectorXTSAES128_4);
perfDecrypt("Decrypt", xtsaes128, &testVectorXTSAES128_4);
perfSetKey("Set Key", xtsaes128, &testVectorXTSAES128_4);
perfSetTweak("Set Tweak", xtsaes128, &testVectorXTSAES128_4);
delete xtsaes128;
Serial.println();
printlnProgMem("XTS-AES-128 Single Key:");
XTSSingleKey<AES128> *singleaes128 = new XTSSingleKey<AES128>();
perfEncrypt("Encrypt", singleaes128, &testVectorXTSAES128_4, 16);
perfDecrypt("Decrypt", singleaes128, &testVectorXTSAES128_4, 16);
perfSetKey("Set Key", singleaes128, &testVectorXTSAES128_4, 16);
perfSetTweak("Set Tweak", singleaes128, &testVectorXTSAES128_4);
delete singleaes128;
Serial.println();
printlnProgMem("XTS-AES-256 Single Key:");
XTSSingleKey<AES256> *xtsaes256 = new XTSSingleKey<AES256>();
perfEncrypt("Encrypt", xtsaes256, &testVectorXTSAES128_4, 32);
perfDecrypt("Decrypt", xtsaes256, &testVectorXTSAES128_4, 32);
perfSetKey("Set Key", xtsaes256, &testVectorXTSAES128_4, 32);
perfSetTweak("Set Tweak", xtsaes256, &testVectorXTSAES128_4);
delete xtsaes256;
Serial.println();
printlnProgMem("XTS-SpeckSmall-256:");
XTS<SpeckSmall, SpeckTiny> *xtsspeck = new XTS<SpeckSmall, SpeckTiny>();
perfEncrypt("Encrypt", xtsspeck, &testVectorXTSAES128_4, 64);
perfDecrypt("Decrypt", xtsspeck, &testVectorXTSAES128_4, 64);
perfSetKey("Set Key", xtsspeck, &testVectorXTSAES128_4, 64);
perfSetTweak("Set Tweak", xtsspeck, &testVectorXTSAES128_4);
delete xtsspeck;
Serial.println();
printlnProgMem("XTS-SpeckSmall-256 Single Key:");
XTSSingleKey<SpeckSmall> *singlespeck = new XTSSingleKey<SpeckSmall>();
perfEncrypt("Encrypt", singlespeck, &testVectorXTSAES128_4, 32);
perfDecrypt("Decrypt", singlespeck, &testVectorXTSAES128_4, 32);
perfSetKey("Set Key", singlespeck, &testVectorXTSAES128_4, 32);
perfSetTweak("Set Tweak", singlespeck, &testVectorXTSAES128_4);
delete singlespeck;
Serial.println();
printlnProgMem("XTS-Speck-256:");
XTS<Speck> *xtsspeck2 = new XTS<Speck>();
perfEncrypt("Encrypt", xtsspeck2, &testVectorXTSAES128_4, 64);
perfDecrypt("Decrypt", xtsspeck2, &testVectorXTSAES128_4, 64);
perfSetKey("Set Key", xtsspeck2, &testVectorXTSAES128_4, 64);
perfSetTweak("Set Tweak", xtsspeck2, &testVectorXTSAES128_4);
delete xtsspeck2;
Serial.println();
printlnProgMem("XTS-Speck-256 Single Key:");
XTSSingleKey<Speck> *singlespeck2 = new XTSSingleKey<Speck>();
perfEncrypt("Encrypt", singlespeck2, &testVectorXTSAES128_4, 32);
perfDecrypt("Decrypt", singlespeck2, &testVectorXTSAES128_4, 32);
perfSetKey("Set Key", singlespeck2, &testVectorXTSAES128_4, 32);
perfSetTweak("Set Tweak", singlespeck2, &testVectorXTSAES128_4);
delete singlespeck2;
Serial.println();
}
void loop()
{
}