Botan 3.12.0
Crypto and TLS for C&
ascon_aead128.cpp
Go to the documentation of this file.
1/*
2* Ascon-AEAD128 AEAD
3* (C) 2025 Jack Lloyd
4* 2025 René Meusel
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/ascon_aead128.h>
10
11#include <botan/exceptn.h>
12#include <botan/mem_ops.h>
13#include <botan/internal/concat_util.h>
14#include <botan/internal/loadstor.h>
15
16namespace Botan {
17
18namespace {
19
20constexpr void xor2x64(std::span<uint64_t, 2> lhs, std::span<const uint64_t, 2> rhs) {
21 lhs[0] ^= rhs[0];
22 lhs[1] ^= rhs[1];
23}
24
25template <size_t N>
26constexpr auto as_array_of_uint64(std::span<const uint8_t> in) {
27 BOTAN_DEBUG_ASSERT(in.size() == N * sizeof(uint64_t));
28 return load_le<std::array<uint64_t, N>>(in.first<N * 8>());
29}
30
31// NIST SP.800-232 Appendix B (Table 13)
32constexpr Ascon_p initial_state_of_ascon_aead_permutation({
33 .init_and_final_rounds = 12,
34 .processing_rounds = 8,
35 .bit_rate = 128,
36 .initial_state = {},
37});
38
39// NIST SP.800-232 Section 5.1
40constexpr uint64_t ascon_aead_128_iv = 0x00001000808c0001;
41
42// NIST SP.800-232 Appendix A.2
43constexpr uint64_t ascon_aead_128_domain_sep = 0x8000000000000000;
44
45} // namespace
46
47Ascon_AEAD128_Mode::Ascon_AEAD128_Mode() : m_ascon_p(initial_state_of_ascon_aead_permutation) {}
48
49void Ascon_AEAD128_Mode::clear() {
50 m_key.reset();
51 m_ad.clear();
52 reset();
53}
54
55void Ascon_AEAD128_Mode::reset() {
56 m_ascon_p = initial_state_of_ascon_aead_permutation;
57 m_started = false;
58 m_has_nonce = false;
59}
60
61void Ascon_AEAD128_Mode::key_schedule(std::span<const uint8_t> key) {
62 clear();
63 m_key = as_array_of_uint64<2>(key);
64}
65
66void Ascon_AEAD128_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
67 BOTAN_ARG_CHECK(idx == 0, "Ascon-AEAD128: cannot handle non-zero index in set_associated_data_n");
68 m_ad.assign(ad.begin(), ad.end());
69}
70
71void Ascon_AEAD128_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
72 BOTAN_ARG_CHECK(valid_nonce_length(nonce_len), "Invalid nonce length in Ascon-AEAD128");
73
74 BOTAN_STATE_CHECK(has_keying_material());
75 BOTAN_STATE_CHECK(!m_started);
76
77 m_ascon_p.state() = concat(std::array{ascon_aead_128_iv}, *m_key, as_array_of_uint64<2>({nonce, nonce_len}));
78 m_ascon_p.initial_permute();
79 xor2x64(m_ascon_p.range_of_state<3, 2>(), *m_key);
80
81 m_has_nonce = true;
82}
83
84void Ascon_AEAD128_Mode::maybe_absorb_associated_data() {
85 BOTAN_DEBUG_ASSERT(has_keying_material());
86 BOTAN_DEBUG_ASSERT(m_has_nonce);
87
88 if(!m_started) {
89 if(!m_ad.empty()) {
90 m_ascon_p.absorb(m_ad);
91 m_ascon_p.intermediate_finish();
92 }
93 m_ascon_p.state()[4] ^= ascon_aead_128_domain_sep;
94
95 m_started = true;
96 }
97}
98
99std::array<uint8_t, 16> Ascon_AEAD128_Mode::calculate_tag_and_finish() {
100 BOTAN_DEBUG_ASSERT(m_started);
101
102 xor2x64(m_ascon_p.range_of_state<2, 2>(), *m_key);
103 m_ascon_p.finish();
104 xor2x64(m_ascon_p.range_of_state<3, 2>(), *m_key);
105
106 auto tag = store_le(m_ascon_p.range_of_state<3, 2>());
107
108 reset();
109 return tag;
110}
111
112size_t Ascon_AEAD128_Encryption::process_msg(uint8_t buf[], size_t size) {
113 BOTAN_STATE_CHECK(has_keying_material());
114 BOTAN_STATE_CHECK(m_has_nonce);
115
116 maybe_absorb_associated_data();
117 m_ascon_p.percolate_in({buf, size});
118 return size;
119}
120
121void Ascon_AEAD128_Encryption::finish_msg(secure_vector<uint8_t>& final_block, size_t offset) {
122 BOTAN_STATE_CHECK(has_keying_material());
123
124 const auto final_block_at_offset = std::span{final_block}.subspan(offset);
125 process_msg(final_block_at_offset.data(), final_block_at_offset.size());
126 const auto tag = calculate_tag_and_finish();
127 final_block.insert(final_block.end(), tag.begin(), tag.end());
128}
129
130size_t Ascon_AEAD128_Decryption::process_msg(uint8_t buf[], size_t size) {
131 BOTAN_STATE_CHECK(has_keying_material());
132 BOTAN_STATE_CHECK(m_has_nonce);
133
134 maybe_absorb_associated_data();
135 m_ascon_p.percolate_out({buf, size});
136 return size;
137}
138
139void Ascon_AEAD128_Decryption::finish_msg(secure_vector<uint8_t>& final_block, size_t offset) {
140 BOTAN_STATE_CHECK(has_keying_material());
141
142 const auto final_block_at_offset = std::span{final_block}.subspan(offset);
143 BOTAN_ARG_CHECK(final_block_at_offset.size() >= tag_size(), "input did not include the tag");
144 const auto final_ciphertext_block = final_block_at_offset.first(final_block_at_offset.size() - tag_size());
145 const auto expected_tag = final_block_at_offset.last(tag_size());
146
147 process_msg(final_ciphertext_block.data(), final_ciphertext_block.size());
148 if(!constant_time_compare(calculate_tag_and_finish(), expected_tag)) {
149 clear_mem(std::span{final_block}.subspan(offset, final_ciphertext_block.size()));
150 throw Invalid_Authentication_Tag("Ascon-AEAD128 tag check failed");
151 }
152
153 final_block.resize(offset + final_ciphertext_block.size());
154}
155
156} // namespace Botan
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::Ascon_AEAD128_Mode::has_keying_material
bool has_keying_material() const final
Definition ascon_aead128.h:45
Botan::Ascon_AEAD128_Mode::m_has_nonce
bool m_has_nonce
Definition ascon_aead128.h:59
Botan::Ascon_AEAD128_Mode::clear
void clear() final
Definition ascon_aead128.cpp:49
Botan::Ascon_AEAD128_Mode::reset
void reset() final
Definition ascon_aead128.cpp:55
Botan::Ascon_AEAD128_Mode::key_schedule
void key_schedule(std::span< const uint8_t > key) final
Definition ascon_aead128.cpp:61
Botan::Ascon_AEAD128_Mode::m_key
std::optional< std::array< uint64_t, 2 > > m_key
Definition ascon_aead128.h:57
Botan::Ascon_AEAD128_Mode::Ascon_AEAD128_Mode
Ascon_AEAD128_Mode()
Definition ascon_aead128.cpp:47
Botan::Ascon_AEAD128_Mode::maybe_absorb_associated_data
void maybe_absorb_associated_data()
Definition ascon_aead128.cpp:84
Botan::Ascon_AEAD128_Mode::set_associated_data_n
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) final
Definition ascon_aead128.cpp:66
Botan::Ascon_AEAD128_Mode::m_ascon_p
Ascon_p m_ascon_p
Definition ascon_aead128.h:58
Botan::Ascon_AEAD128_Mode::tag_size
size_t tag_size() const final
Definition ascon_aead128.h:39
Botan::Ascon_AEAD128_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const final
Definition ascon_aead128.h:35
Botan::Ascon_AEAD128_Mode::calculate_tag_and_finish
std::array< uint8_t, 16 > calculate_tag_and_finish()
Definition ascon_aead128.cpp:99
Botan::Ascon_AEAD128_Mode::start_msg
void start_msg(const uint8_t nonce[], size_t nonce_len) final
Definition ascon_aead128.cpp:71
Botan::Ascon_p
Definition ascon_perm.h:22
Botan::Ascon_p::percolate_in
void percolate_in(std::span< uint8_t > data)
Definition ascon_perm.cpp:26
Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition concat_util.h:90
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::constant_time_compare
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:118
Generated by doxygen 1.16.1