#define RATE 16 static void aegis256_init(const uint8_t *key, const uint8_t *nonce, aes_block_t *const state) { static CRYPTO_ALIGN(AES_BLOCK_LENGTH) const uint8_t c0_[AES_BLOCK_LENGTH] = { 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 }; static CRYPTO_ALIGN(AES_BLOCK_LENGTH) const uint8_t c1_[AES_BLOCK_LENGTH] = { 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd }; const aes_block_t c0 = AES_BLOCK_LOAD(c0_); const aes_block_t c1 = AES_BLOCK_LOAD(c1_); const aes_block_t k0 = AES_BLOCK_LOAD(key); const aes_block_t k1 = AES_BLOCK_LOAD(key + AES_BLOCK_LENGTH); const aes_block_t n0 = AES_BLOCK_LOAD(nonce); const aes_block_t n1 = AES_BLOCK_LOAD(nonce + AES_BLOCK_LENGTH); const aes_block_t k0_n0 = AES_BLOCK_XOR(k0, n0); const aes_block_t k1_n1 = AES_BLOCK_XOR(k1, n1); int i; state[0] = k0_n0; state[1] = k1_n1; state[2] = c1; state[3] = c0; state[4] = AES_BLOCK_XOR(k0, c0); state[5] = AES_BLOCK_XOR(k1, c1); for (i = 0; i < 4; i++) { aegis256_update(state, k0); aegis256_update(state, k1); aegis256_update(state, k0_n0); aegis256_update(state, k1_n1); } } static int aegis256_mac(uint8_t *mac, size_t maclen, size_t adlen, size_t mlen, aes_block_t *const state) { aes_block_t tmp; int i; tmp = AES_BLOCK_LOAD_64x2(((uint64_t) mlen) << 3, ((uint64_t) adlen) << 3); tmp = AES_BLOCK_XOR(tmp, state[3]); for (i = 0; i < 7; i++) { aegis256_update(state, tmp); } if (maclen == 16) { tmp = AES_BLOCK_XOR(state[5], state[4]); tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2])); tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0])); AES_BLOCK_STORE(mac, tmp); } else if (maclen == 32) { tmp = AES_BLOCK_XOR(AES_BLOCK_XOR(state[2], state[1]), state[0]); AES_BLOCK_STORE(mac, tmp); tmp = AES_BLOCK_XOR(AES_BLOCK_XOR(state[5], state[4]), state[3]); AES_BLOCK_STORE(mac + 16, tmp); } else { memset(mac, 0, maclen); return -1; } return 0; } static inline void aegis256_absorb(const uint8_t *const src, aes_block_t *const state) { aes_block_t msg; msg = AES_BLOCK_LOAD(src); aegis256_update(state, msg); } static inline void aegis256_absorb2(const uint8_t *const src, aes_block_t *const state) { aes_block_t msg, msg2; msg = AES_BLOCK_LOAD(src + 0 * AES_BLOCK_LENGTH); msg2 = AES_BLOCK_LOAD(src + 1 * AES_BLOCK_LENGTH); aegis256_update(state, msg); aegis256_update(state, msg2); } static void aegis256_enc(uint8_t *const dst, const uint8_t *const src, aes_block_t *const state) { aes_block_t msg; aes_block_t tmp; msg = AES_BLOCK_LOAD(src); tmp = AES_BLOCK_XOR(msg, state[5]); tmp = AES_BLOCK_XOR(tmp, state[4]); tmp = AES_BLOCK_XOR(tmp, state[1]); tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_AND(state[2], state[3])); AES_BLOCK_STORE(dst, tmp); aegis256_update(state, msg); } static void aegis256_dec(uint8_t *const dst, const uint8_t *const src, aes_block_t *const state) { aes_block_t msg; msg = AES_BLOCK_LOAD(src); msg = AES_BLOCK_XOR(msg, state[5]); msg = AES_BLOCK_XOR(msg, state[4]); msg = AES_BLOCK_XOR(msg, state[1]); msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); AES_BLOCK_STORE(dst, msg); aegis256_update(state, msg); } static void aegis256_declast(uint8_t *const dst, const uint8_t *const src, size_t len, aes_block_t *const state) { uint8_t pad[RATE]; aes_block_t msg; memset(pad, 0, sizeof pad); memcpy(pad, src, len); msg = AES_BLOCK_LOAD(pad); msg = AES_BLOCK_XOR(msg, state[5]); msg = AES_BLOCK_XOR(msg, state[4]); msg = AES_BLOCK_XOR(msg, state[1]); msg = AES_BLOCK_XOR(msg, AES_BLOCK_AND(state[2], state[3])); AES_BLOCK_STORE(pad, msg); memset(pad + len, 0, sizeof pad - len); memcpy(dst, pad, len); msg = AES_BLOCK_LOAD(pad); aegis256_update(state, msg); } static int encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size_t mlen, const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k) { aes_block_t state[6]; CRYPTO_ALIGN(RATE) uint8_t src[RATE]; CRYPTO_ALIGN(RATE) uint8_t dst[RATE]; size_t i; aegis256_init(k, npub, state); for (i = 0; i + 2 * RATE <= adlen; i += 2 * RATE) { aegis256_absorb2(ad + i, state); } for (; i + RATE <= adlen; i += RATE) { aegis256_absorb(ad + i, state); } if (adlen % RATE) { memset(src, 0, RATE); memcpy(src, ad + i, adlen % RATE); aegis256_absorb(src, state); } for (i = 0; i + RATE <= mlen; i += RATE) { aegis256_enc(c + i, m + i, state); } if (mlen % RATE) { memset(src, 0, RATE); memcpy(src, m + i, mlen % RATE); aegis256_enc(dst, src, state); memcpy(c + i, dst, mlen % RATE); } return aegis256_mac(mac, maclen, adlen, mlen, state); } static int decrypt_detached(uint8_t *m, const uint8_t *c, size_t clen, const uint8_t *mac, size_t maclen, const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k) { aes_block_t state[6]; CRYPTO_ALIGN(RATE) uint8_t src[RATE]; CRYPTO_ALIGN(RATE) uint8_t dst[RATE]; CRYPTO_ALIGN(16) uint8_t computed_mac[32]; const size_t mlen = clen; size_t i; int ret; aegis256_init(k, npub, state); for (i = 0; i + 2 * RATE <= adlen; i += 2 * RATE) { aegis256_absorb2(ad + i, state); } for (; i + RATE <= adlen; i += RATE) { aegis256_absorb(ad + i, state); } if (adlen % RATE) { memset(src, 0, RATE); memcpy(src, ad + i, adlen % RATE); aegis256_absorb(src, state); } if (m != NULL) { for (i = 0; i + RATE <= mlen; i += RATE) { aegis256_dec(m + i, c + i, state); } } else { for (i = 0; i + RATE <= mlen; i += RATE) { aegis256_dec(dst, c + i, state); } } if (mlen % RATE) { if (m != NULL) { aegis256_declast(m + i, c + i, mlen % RATE, state); } else { aegis256_declast(dst, c + i, mlen % RATE, state); } } COMPILER_ASSERT(sizeof computed_mac >= 32); ret = -1; if (aegis256_mac(computed_mac, maclen, adlen, mlen, state) == 0) { if (maclen == 16) { ret = crypto_verify_16(computed_mac, mac); } else if (maclen == 32) { ret = crypto_verify_32(computed_mac, mac); } } if (ret != 0 && m != NULL) { memset(m, 0, mlen); } return ret; }