From b42562be74ee7b88e39edc757643444de63d2df5 Mon Sep 17 00:00:00 2001 From: Frank Denis <124872+jedisct1@users.noreply.github.com> Date: Fri, 14 Apr 2023 11:20:36 +0200 Subject: [PATCH] std.crypto.aegis: support 256-bit tags (#15276) --- lib/std/crypto.zig | 2 + lib/std/crypto/aegis.zig | 434 ++++++++++++++++++++++----------------- 2 files changed, 243 insertions(+), 193 deletions(-) diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 6f0d1d9b6e92..ad59123a4a81 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -4,7 +4,9 @@ const root = @import("root"); pub const aead = struct { pub const aegis = struct { pub const Aegis128L = @import("crypto/aegis.zig").Aegis128L; + pub const Aegis128L_256 = @import("crypto/aegis.zig").Aegis128L_256; pub const Aegis256 = @import("crypto/aegis.zig").Aegis256; + pub const Aegis256_256 = @import("crypto/aegis.zig").Aegis256_256; }; pub const aes_gcm = struct { diff --git a/lib/std/crypto/aegis.zig b/lib/std/crypto/aegis.zig index 4a030d7870ed..3dfaa50dcfc4 100644 --- a/lib/std/crypto/aegis.zig +++ b/lib/std/crypto/aegis.zig @@ -1,9 +1,39 @@ +//! AEGIS is a very fast authenticated encryption system built on top of the core AES function. +//! +//! The AEGIS-128L variant has a 128 bit key, a 128 bit nonce, and processes 256 bit message blocks. +//! The AEGIS-256 variant has a 256 bit key, a 256 bit nonce, and processes 128 bit message blocks. +//! +//! The AEGIS cipher family offers performance that significantly exceeds that of AES-GCM with +//! hardware support for parallelizable AES block encryption. +//! +//! Unlike with AES-GCM, nonces can be safely chosen at random with no practical limit when using AEGIS-256. +//! AEGIS-128L also allows for more messages to be safely encrypted when using random nonces. +//! +//! AEGIS is believed to be key-committing, making it a safer choice than most other AEADs +//! when the key has low entropy, or can be controlled by an attacker. +//! +//! Finally, leaking the state does not leak the key. +//! +//! https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/ + const std = @import("std"); const mem = std.mem; const assert = std.debug.assert; const AesBlock = std.crypto.core.aes.Block; const AuthenticationError = std.crypto.errors.AuthenticationError; +/// AEGIS-128L with a 128-bit authentication tag. +pub const Aegis128L = Aegis128LGeneric(128); + +/// AEGIS-128L with a 256-bit authentication tag. +pub const Aegis128L_256 = Aegis128LGeneric(256); + +/// AEGIS-256 with a 128-bit authentication tag. +pub const Aegis256 = Aegis256Generic(128); + +/// AEGIS-256 with a 256-bit authentication tag. +pub const Aegis256_256 = Aegis256Generic(256); + const State128L = struct { blocks: [8]AesBlock, @@ -72,7 +102,7 @@ const State128L = struct { state.update(msg0, msg1); } - fn mac(state: *State128L, adlen: usize, mlen: usize) [16]u8 { + fn mac(state: *State128L, comptime tag_bits: u9, adlen: usize, mlen: usize) [tag_bits / 8]u8 { const blocks = &state.blocks; var sizes: [16]u8 = undefined; mem.writeIntLittle(u64, sizes[0..8], adlen * 8); @@ -82,103 +112,109 @@ const State128L = struct { while (i < 7) : (i += 1) { state.update(tmp, tmp); } - return blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]) - .xorBlocks(blocks[5]).xorBlocks(blocks[6]).toBytes(); + return switch (tag_bits) { + 128 => blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]) + .xorBlocks(blocks[4]).xorBlocks(blocks[5]).xorBlocks(blocks[6]).toBytes(), + 256 => tag: { + const t1 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]); + const t2 = blocks[4].xorBlocks(blocks[5]).xorBlocks(blocks[6]).xorBlocks(blocks[7]); + break :tag t1.toBytes() ++ t2.toBytes(); + }, + else => unreachable, + }; } }; -/// AEGIS is a very fast authenticated encryption system built on top of the core AES function. -/// -/// The 128L variant of AEGIS has a 128 bit key, a 128 bit nonce, and processes 256 bit message blocks. -/// It was designed to fully exploit the parallelism and built-in AES support of recent Intel and ARM CPUs. -/// -/// https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/ -pub const Aegis128L = struct { - pub const tag_length = 16; - pub const nonce_length = 16; - pub const key_length = 16; - pub const block_length = 32; - - const State = State128L; - - /// c: ciphertext: output buffer should be of size m.len - /// tag: authentication tag: output MAC - /// m: message - /// ad: Associated Data - /// npub: public nonce - /// k: private key - pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { - assert(c.len == m.len); - var state = State128L.init(key, npub); - var src: [32]u8 align(16) = undefined; - var dst: [32]u8 align(16) = undefined; - var i: usize = 0; - while (i + 32 <= ad.len) : (i += 32) { - state.absorb(ad[i..][0..32]); - } - if (ad.len % 32 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. ad.len % 32], ad[i .. i + ad.len % 32]); - state.absorb(&src); - } - i = 0; - while (i + 32 <= m.len) : (i += 32) { - state.enc(c[i..][0..32], m[i..][0..32]); - } - if (m.len % 32 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. m.len % 32], m[i .. i + m.len % 32]); - state.enc(&dst, &src); - mem.copy(u8, c[i .. i + m.len % 32], dst[0 .. m.len % 32]); - } - tag.* = state.mac(ad.len, m.len); - } +fn Aegis128LGeneric(comptime tag_bits: u9) type { + comptime assert(tag_bits == 128 or tag_bits == 256); // tag must be 128 or 256 bits - /// m: message: output buffer should be of size c.len - /// c: ciphertext - /// tag: authentication tag - /// ad: Associated Data - /// npub: public nonce - /// k: private key - pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void { - assert(c.len == m.len); - var state = State128L.init(key, npub); - var src: [32]u8 align(16) = undefined; - var dst: [32]u8 align(16) = undefined; - var i: usize = 0; - while (i + 32 <= ad.len) : (i += 32) { - state.absorb(ad[i..][0..32]); - } - if (ad.len % 32 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. ad.len % 32], ad[i .. i + ad.len % 32]); - state.absorb(&src); - } - i = 0; - while (i + 32 <= m.len) : (i += 32) { - state.dec(m[i..][0..32], c[i..][0..32]); - } - if (m.len % 32 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. m.len % 32], c[i .. i + m.len % 32]); - state.dec(&dst, &src); - mem.copy(u8, m[i .. i + m.len % 32], dst[0 .. m.len % 32]); - mem.set(u8, dst[0 .. m.len % 32], 0); - const blocks = &state.blocks; - blocks[0] = blocks[0].xorBlocks(AesBlock.fromBytes(dst[0..16])); - blocks[4] = blocks[4].xorBlocks(AesBlock.fromBytes(dst[16..32])); - } - const computed_tag = state.mac(ad.len, m.len); - var acc: u8 = 0; - for (computed_tag, 0..) |_, j| { - acc |= (computed_tag[j] ^ tag[j]); - } - if (acc != 0) { - @memset(m.ptr, undefined, m.len); - return error.AuthenticationFailed; + return struct { + pub const tag_length = tag_bits / 8; + pub const nonce_length = 16; + pub const key_length = 16; + pub const block_length = 32; + + const State = State128L; + + /// c: ciphertext: output buffer should be of size m.len + /// tag: authentication tag: output MAC + /// m: message + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { + assert(c.len == m.len); + var state = State128L.init(key, npub); + var src: [32]u8 align(16) = undefined; + var dst: [32]u8 align(16) = undefined; + var i: usize = 0; + while (i + 32 <= ad.len) : (i += 32) { + state.absorb(ad[i..][0..32]); + } + if (ad.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 32], ad[i .. i + ad.len % 32]); + state.absorb(&src); + } + i = 0; + while (i + 32 <= m.len) : (i += 32) { + state.enc(c[i..][0..32], m[i..][0..32]); + } + if (m.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 32], m[i .. i + m.len % 32]); + state.enc(&dst, &src); + mem.copy(u8, c[i .. i + m.len % 32], dst[0 .. m.len % 32]); + } + tag.* = state.mac(tag_bits, ad.len, m.len); + } + + /// m: message: output buffer should be of size c.len + /// c: ciphertext + /// tag: authentication tag + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void { + assert(c.len == m.len); + var state = State128L.init(key, npub); + var src: [32]u8 align(16) = undefined; + var dst: [32]u8 align(16) = undefined; + var i: usize = 0; + while (i + 32 <= ad.len) : (i += 32) { + state.absorb(ad[i..][0..32]); + } + if (ad.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 32], ad[i .. i + ad.len % 32]); + state.absorb(&src); + } + i = 0; + while (i + 32 <= m.len) : (i += 32) { + state.dec(m[i..][0..32], c[i..][0..32]); + } + if (m.len % 32 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 32], c[i .. i + m.len % 32]); + state.dec(&dst, &src); + mem.copy(u8, m[i .. i + m.len % 32], dst[0 .. m.len % 32]); + mem.set(u8, dst[0 .. m.len % 32], 0); + const blocks = &state.blocks; + blocks[0] = blocks[0].xorBlocks(AesBlock.fromBytes(dst[0..16])); + blocks[4] = blocks[4].xorBlocks(AesBlock.fromBytes(dst[16..32])); + } + const computed_tag = state.mac(tag_bits, ad.len, m.len); + var acc: u8 = 0; + for (computed_tag, 0..) |_, j| { + acc |= (computed_tag[j] ^ tag[j]); + } + if (acc != 0) { + @memset(m.ptr, undefined, m.len); + return error.AuthenticationFailed; + } } - } -}; + }; +} const State256 = struct { blocks: [6]AesBlock, @@ -243,7 +279,7 @@ const State256 = struct { state.update(msg); } - fn mac(state: *State256, adlen: usize, mlen: usize) [16]u8 { + fn mac(state: *State256, comptime tag_bits: u9, adlen: usize, mlen: usize) [tag_bits / 8]u8 { const blocks = &state.blocks; var sizes: [16]u8 = undefined; mem.writeIntLittle(u64, sizes[0..8], adlen * 8); @@ -253,8 +289,16 @@ const State256 = struct { while (i < 7) : (i += 1) { state.update(tmp); } - return blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]) - .xorBlocks(blocks[5]).toBytes(); + return switch (tag_bits) { + 128 => blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]) + .xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes(), + 256 => tag: { + const t1 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]); + const t2 = blocks[3].xorBlocks(blocks[4]).xorBlocks(blocks[5]); + break :tag t1.toBytes() ++ t2.toBytes(); + }, + else => unreachable, + }; } }; @@ -263,111 +307,115 @@ const State256 = struct { /// The 256 bit variant of AEGIS has a 256 bit key, a 256 bit nonce, and processes 128 bit message blocks. /// /// https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/ -pub const Aegis256 = struct { - pub const tag_length = 16; - pub const nonce_length = 32; - pub const key_length = 32; - pub const block_length = 16; - - const State = State256; - - /// c: ciphertext: output buffer should be of size m.len - /// tag: authentication tag: output MAC - /// m: message - /// ad: Associated Data - /// npub: public nonce - /// k: private key - pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { - assert(c.len == m.len); - var state = State256.init(key, npub); - var src: [16]u8 align(16) = undefined; - var dst: [16]u8 align(16) = undefined; - var i: usize = 0; - while (i + 16 <= ad.len) : (i += 16) { - state.enc(&dst, ad[i..][0..16]); - } - if (ad.len % 16 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. ad.len % 16], ad[i .. i + ad.len % 16]); - state.enc(&dst, &src); - } - i = 0; - while (i + 16 <= m.len) : (i += 16) { - state.enc(c[i..][0..16], m[i..][0..16]); - } - if (m.len % 16 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. m.len % 16], m[i .. i + m.len % 16]); - state.enc(&dst, &src); - mem.copy(u8, c[i .. i + m.len % 16], dst[0 .. m.len % 16]); - } - tag.* = state.mac(ad.len, m.len); - } +fn Aegis256Generic(comptime tag_bits: u9) type { + comptime assert(tag_bits == 128 or tag_bits == 256); // tag must be 128 or 256 bits - /// m: message: output buffer should be of size c.len - /// c: ciphertext - /// tag: authentication tag - /// ad: Associated Data - /// npub: public nonce - /// k: private key - pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void { - assert(c.len == m.len); - var state = State256.init(key, npub); - var src: [16]u8 align(16) = undefined; - var dst: [16]u8 align(16) = undefined; - var i: usize = 0; - while (i + 16 <= ad.len) : (i += 16) { - state.enc(&dst, ad[i..][0..16]); - } - if (ad.len % 16 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. ad.len % 16], ad[i .. i + ad.len % 16]); - state.enc(&dst, &src); - } - i = 0; - while (i + 16 <= m.len) : (i += 16) { - state.dec(m[i..][0..16], c[i..][0..16]); - } - if (m.len % 16 != 0) { - mem.set(u8, src[0..], 0); - mem.copy(u8, src[0 .. m.len % 16], c[i .. i + m.len % 16]); - state.dec(&dst, &src); - mem.copy(u8, m[i .. i + m.len % 16], dst[0 .. m.len % 16]); - mem.set(u8, dst[0 .. m.len % 16], 0); - const blocks = &state.blocks; - blocks[0] = blocks[0].xorBlocks(AesBlock.fromBytes(&dst)); - } - const computed_tag = state.mac(ad.len, m.len); - var acc: u8 = 0; - for (computed_tag, 0..) |_, j| { - acc |= (computed_tag[j] ^ tag[j]); - } - if (acc != 0) { - @memset(m.ptr, undefined, m.len); - return error.AuthenticationFailed; + return struct { + pub const tag_length = tag_bits / 8; + pub const nonce_length = 32; + pub const key_length = 32; + pub const block_length = 16; + + const State = State256; + + /// c: ciphertext: output buffer should be of size m.len + /// tag: authentication tag: output MAC + /// m: message + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void { + assert(c.len == m.len); + var state = State256.init(key, npub); + var src: [16]u8 align(16) = undefined; + var dst: [16]u8 align(16) = undefined; + var i: usize = 0; + while (i + 16 <= ad.len) : (i += 16) { + state.enc(&dst, ad[i..][0..16]); + } + if (ad.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 16], ad[i .. i + ad.len % 16]); + state.enc(&dst, &src); + } + i = 0; + while (i + 16 <= m.len) : (i += 16) { + state.enc(c[i..][0..16], m[i..][0..16]); + } + if (m.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 16], m[i .. i + m.len % 16]); + state.enc(&dst, &src); + mem.copy(u8, c[i .. i + m.len % 16], dst[0 .. m.len % 16]); + } + tag.* = state.mac(tag_bits, ad.len, m.len); + } + + /// m: message: output buffer should be of size c.len + /// c: ciphertext + /// tag: authentication tag + /// ad: Associated Data + /// npub: public nonce + /// k: private key + pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void { + assert(c.len == m.len); + var state = State256.init(key, npub); + var src: [16]u8 align(16) = undefined; + var dst: [16]u8 align(16) = undefined; + var i: usize = 0; + while (i + 16 <= ad.len) : (i += 16) { + state.enc(&dst, ad[i..][0..16]); + } + if (ad.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. ad.len % 16], ad[i .. i + ad.len % 16]); + state.enc(&dst, &src); + } + i = 0; + while (i + 16 <= m.len) : (i += 16) { + state.dec(m[i..][0..16], c[i..][0..16]); + } + if (m.len % 16 != 0) { + mem.set(u8, src[0..], 0); + mem.copy(u8, src[0 .. m.len % 16], c[i .. i + m.len % 16]); + state.dec(&dst, &src); + mem.copy(u8, m[i .. i + m.len % 16], dst[0 .. m.len % 16]); + mem.set(u8, dst[0 .. m.len % 16], 0); + const blocks = &state.blocks; + blocks[0] = blocks[0].xorBlocks(AesBlock.fromBytes(&dst)); + } + const computed_tag = state.mac(tag_bits, ad.len, m.len); + var acc: u8 = 0; + for (computed_tag, 0..) |_, j| { + acc |= (computed_tag[j] ^ tag[j]); + } + if (acc != 0) { + @memset(m.ptr, undefined, m.len); + return error.AuthenticationFailed; + } } - } -}; + }; +} -/// The AEGIS-128L message authentication function outputs 128 bit tags. +/// The `Aegis128LMac` message authentication function outputs 256 bit tags. /// In addition to being extremely fast, its large state, non-linearity /// and non-invertibility provides the following properties: /// - 128 bit security, stronger than GHash/Polyval/Poly1305. /// - Recovering the secret key from the state would require ~2^128 attempts, /// which is infeasible for any practical adversary. /// - It has a large security margin against internal collisions. -pub const Aegis128LMac = AegisMac(Aegis128L); +pub const Aegis128LMac = AegisMac(Aegis128L_256); -/// The AEGIS-256 message authentication function has a 256-bit key size, -/// but outputs 128 bit tags. Unless theoretical multi-target attacks are a +/// The `Aegis256Mac` message authentication function has a 256-bit key size, +/// and outputs 256 bit tags. Unless theoretical multi-target attacks are a /// concern, the AEGIS-128L variant should be preferred. /// AEGIS' large state, non-linearity and non-invertibility provides the /// following properties: -/// - 128 bit security, stronger than GHash/Polyval/Poly1305. -/// - Recovering the secret key from the state would require ~2^128 attempts, +/// - 256 bit security against forgery. +/// - Recovering the secret key from the state would require ~2^256 attempts, /// which is infeasible for any practical adversary. /// - It has a large security margin against internal collisions. -pub const Aegis256Mac = AegisMac(Aegis256); +pub const Aegis256Mac = AegisMac(Aegis256_256); fn AegisMac(comptime T: type) type { return struct { @@ -420,7 +468,7 @@ fn AegisMac(comptime T: type) type { mem.copy(u8, pad[0..], self.buf[0..self.off]); self.state.absorb(&pad); } - out.* = self.state.mac(self.msg_len, 0); + out.* = self.state.mac(T.tag_length * 8, self.msg_len, 0); } /// Return an authentication tag for a message and a key @@ -572,23 +620,23 @@ test "Aegis MAC" { st.update(msg[0..32]); st.update(msg[32..]); st.final(&tag); - try htest.assertEqual("b4e8e46cee04a401ec67bad73df4aa60", &tag); + try htest.assertEqual("f8840849602738d81037cbaa0f584ea95759e2ac60263ce77346bcdc79fe4319", &tag); st = st_init; st.update(msg[0..31]); st.update(msg[31..]); st.final(&tag); - try htest.assertEqual("b4e8e46cee04a401ec67bad73df4aa60", &tag); + try htest.assertEqual("f8840849602738d81037cbaa0f584ea95759e2ac60263ce77346bcdc79fe4319", &tag); st = st_init; st.update(msg[0..14]); st.update(msg[14..30]); st.update(msg[30..]); st.final(&tag); - try htest.assertEqual("b4e8e46cee04a401ec67bad73df4aa60", &tag); + try htest.assertEqual("f8840849602738d81037cbaa0f584ea95759e2ac60263ce77346bcdc79fe4319", &tag); var empty: [0]u8 = undefined; - const nonce = [_]u8{0x00} ** Aegis128L.nonce_length; - Aegis128L.encrypt(&empty, &tag, &empty, &msg, nonce, key); - try htest.assertEqual("b4e8e46cee04a401ec67bad73df4aa60", &tag); + const nonce = [_]u8{0x00} ** Aegis128L_256.nonce_length; + Aegis128L_256.encrypt(&empty, &tag, &empty, &msg, nonce, key); + try htest.assertEqual("f8840849602738d81037cbaa0f584ea95759e2ac60263ce77346bcdc79fe4319", &tag); }