Botan 3.11.0
Crypto and TLS for C&
ascon_aead128.cpp
Go to the documentation of this file.
1/*
2* Ascon-AEAD128 AEAD
3* (C) 2025 Jack Lloyd
4* 2025 René Meusel
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/ascon_aead128.h>
10
11#include <botan/exceptn.h>
12#include <botan/internal/concat_util.h>
13#include <botan/internal/loadstor.h>
14
15namespace Botan {
16
17namespace {
18
19constexpr void xor2x64(std::span<uint64_t, 2> lhs, std::span<const uint64_t, 2> rhs) {
20 lhs[0] ^= rhs[0];
21 lhs[1] ^= rhs[1];
22}
23
24template <size_t N>
25constexpr auto as_array_of_uint64(std::span<const uint8_t> in) {
26 BOTAN_DEBUG_ASSERT(in.size() == N * sizeof(uint64_t));
27 return load_le<std::array<uint64_t, N>>(in.first<N * 8>());
28}
29
30// NIST SP.800-232 Appendix B (Table 13)
31constexpr Ascon_p initial_state_of_ascon_aead_permutation({
32 .init_and_final_rounds = 12,
33 .processing_rounds = 8,
34 .bit_rate = 128,
35 .initial_state = {},
36});
37
38// NIST SP.800-232 Section 5.1
39constexpr uint64_t ascon_aead_128_iv = 0x00001000808c0001;
40
41// NIST SP.800-232 Appendix A.2
42constexpr uint64_t ascon_aead_128_domain_sep = 0x8000000000000000;
43
44} // namespace
45
46Ascon_AEAD128_Mode::Ascon_AEAD128_Mode() : m_ascon_p(initial_state_of_ascon_aead_permutation) {}
47
48void Ascon_AEAD128_Mode::clear() {
49 m_key.reset();
50 m_ad.clear();
51 reset();
52}
53
54void Ascon_AEAD128_Mode::reset() {
55 m_ascon_p = initial_state_of_ascon_aead_permutation;
56 m_started = false;
57 m_has_nonce = false;
58}
59
60void Ascon_AEAD128_Mode::key_schedule(std::span<const uint8_t> key) {
61 clear();
62 m_key = as_array_of_uint64<2>(key);
63}
64
65void Ascon_AEAD128_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
66 BOTAN_ARG_CHECK(idx == 0, "Ascon-AEAD128: cannot handle non-zero index in set_associated_data_n");
67 m_ad.assign(ad.begin(), ad.end());
68}
69
70void Ascon_AEAD128_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
71 BOTAN_ARG_CHECK(valid_nonce_length(nonce_len), "Invalid nonce length in Ascon-AEAD128");
72
73 BOTAN_STATE_CHECK(has_keying_material());
74 BOTAN_STATE_CHECK(!m_started);
75
76 m_ascon_p.state() = concat(std::array{ascon_aead_128_iv}, *m_key, as_array_of_uint64<2>({nonce, nonce_len}));
77 m_ascon_p.initial_permute();
78 xor2x64(m_ascon_p.range_of_state<3, 2>(), *m_key);
79
80 m_has_nonce = true;
81}
82
83void Ascon_AEAD128_Mode::maybe_absorb_associated_data() {
84 BOTAN_DEBUG_ASSERT(has_keying_material());
85 BOTAN_DEBUG_ASSERT(m_has_nonce);
86
87 if(!m_started) {
88 if(!m_ad.empty()) {
89 m_ascon_p.absorb(m_ad);
90 m_ascon_p.intermediate_finish();
91 }
92 m_ascon_p.state()[4] ^= ascon_aead_128_domain_sep;
93
94 m_started = true;
95 }
96}
97
98std::array<uint8_t, 16> Ascon_AEAD128_Mode::calculate_tag_and_finish() {
99 BOTAN_DEBUG_ASSERT(m_started);
100
101 xor2x64(m_ascon_p.range_of_state<2, 2>(), *m_key);
102 m_ascon_p.finish();
103 xor2x64(m_ascon_p.range_of_state<3, 2>(), *m_key);
104
105 auto tag = store_le(m_ascon_p.range_of_state<3, 2>());
106
107 reset();
108 return tag;
109}
110
111size_t Ascon_AEAD128_Encryption::process_msg(uint8_t buf[], size_t size) {
112 BOTAN_STATE_CHECK(has_keying_material());
113 BOTAN_STATE_CHECK(m_has_nonce);
114
115 maybe_absorb_associated_data();
116 m_ascon_p.percolate_in({buf, size});
117 return size;
118}
119
120void Ascon_AEAD128_Encryption::finish_msg(secure_vector<uint8_t>& final_block, size_t offset) {
121 BOTAN_STATE_CHECK(has_keying_material());
122
123 const auto final_block_at_offset = std::span{final_block}.subspan(offset);
124 process_msg(final_block_at_offset.data(), final_block_at_offset.size());
125 const auto tag = calculate_tag_and_finish();
126 final_block.insert(final_block.end(), tag.begin(), tag.end());
127}
128
129size_t Ascon_AEAD128_Decryption::process_msg(uint8_t buf[], size_t size) {
130 BOTAN_STATE_CHECK(has_keying_material());
131 BOTAN_STATE_CHECK(m_has_nonce);
132
133 maybe_absorb_associated_data();
134 m_ascon_p.percolate_out({buf, size});
135 return size;
136}
137
138void Ascon_AEAD128_Decryption::finish_msg(secure_vector<uint8_t>& final_block, size_t offset) {
139 BOTAN_STATE_CHECK(has_keying_material());
140
141 const auto final_block_at_offset = std::span{final_block}.subspan(offset);
142 const auto final_ciphertext_block = final_block_at_offset.first(final_block_at_offset.size() - tag_size());
143 const auto expected_tag = final_block_at_offset.last(tag_size());
144
145 process_msg(final_ciphertext_block.data(), final_ciphertext_block.size());
146 if(!constant_time_compare(calculate_tag_and_finish(), expected_tag)) {
147 throw Invalid_Authentication_Tag("Ascon-AEAD128 tag check failed");
148 }
149
150 final_block.resize(offset + final_ciphertext_block.size());
151}
152
153} // namespace Botan
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::Ascon_AEAD128_Mode::has_keying_material
bool has_keying_material() const final
Definition ascon_aead128.h:45
Botan::Ascon_AEAD128_Mode::m_has_nonce
bool m_has_nonce
Definition ascon_aead128.h:59
Botan::Ascon_AEAD128_Mode::clear
void clear() final
Definition ascon_aead128.cpp:48
Botan::Ascon_AEAD128_Mode::reset
void reset() final
Definition ascon_aead128.cpp:54
Botan::Ascon_AEAD128_Mode::key_schedule
void key_schedule(std::span< const uint8_t > key) final
Definition ascon_aead128.cpp:60
Botan::Ascon_AEAD128_Mode::m_key
std::optional< std::array< uint64_t, 2 > > m_key
Definition ascon_aead128.h:57
Botan::Ascon_AEAD128_Mode::Ascon_AEAD128_Mode
Ascon_AEAD128_Mode()
Definition ascon_aead128.cpp:46
Botan::Ascon_AEAD128_Mode::maybe_absorb_associated_data
void maybe_absorb_associated_data()
Definition ascon_aead128.cpp:83
Botan::Ascon_AEAD128_Mode::set_associated_data_n
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) final
Definition ascon_aead128.cpp:65
Botan::Ascon_AEAD128_Mode::m_ascon_p
Ascon_p m_ascon_p
Definition ascon_aead128.h:58
Botan::Ascon_AEAD128_Mode::tag_size
size_t tag_size() const final
Definition ascon_aead128.h:39
Botan::Ascon_AEAD128_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const final
Definition ascon_aead128.h:35
Botan::Ascon_AEAD128_Mode::calculate_tag_and_finish
std::array< uint8_t, 16 > calculate_tag_and_finish()
Definition ascon_aead128.cpp:98
Botan::Ascon_AEAD128_Mode::start_msg
void start_msg(const uint8_t nonce[], size_t nonce_len) final
Definition ascon_aead128.cpp:70
Botan::Ascon_p
Definition ascon_perm.h:22
Botan::Ascon_p::percolate_in
void percolate_in(std::span< uint8_t > data)
Definition ascon_perm.cpp:26
Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition concat_util.h:90
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::constant_time_compare
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17
Generated by doxygen 1.15.0