Botan 3.10.0
Crypto and TLS for C&
ascon_aead128.cpp
Go to the documentation of this file.
1/*
2* Ascon-AEAD128 AEAD
3* (C) 2025 Jack Lloyd
4* 2025 René Meusel
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/ascon_aead128.h>
10
11#include <botan/internal/loadstor.h>
12#include <botan/internal/stl_util.h>
13
14namespace Botan {
15
16namespace {
17
18constexpr void xor2x64(std::span<uint64_t, 2> lhs, std::span<const uint64_t, 2> rhs) {
19 lhs[0] ^= rhs[0];
20 lhs[1] ^= rhs[1];
21}
22
23template <size_t N>
24constexpr auto as_array_of_uint64(std::span<const uint8_t> in) {
25 BOTAN_DEBUG_ASSERT(in.size() == N * sizeof(uint64_t));
26 return load_le<std::array<uint64_t, N>>(in.first<N * 8>());
27}
28
29// NIST SP.800-232 Appendix B (Table 13)
30constexpr Ascon_p initial_state_of_ascon_aead_permutation({
31 .init_and_final_rounds = 12,
32 .processing_rounds = 8,
33 .bit_rate = 128,
34 .initial_state = {},
35});
36
37// NIST SP.800-232 Section 5.1
38constexpr uint64_t ascon_aead_128_iv = 0x00001000808c0001;
39
40// NIST SP.800-232 Appendix A.2
41constexpr uint64_t ascon_aead_128_domain_sep = 0x8000000000000000;
42
43} // namespace
44
45Ascon_AEAD128_Mode::Ascon_AEAD128_Mode() : m_ascon_p(initial_state_of_ascon_aead_permutation) {}
46
47void Ascon_AEAD128_Mode::clear() {
48 m_key.reset();
49 m_ad.clear();
50 reset();
51}
52
53void Ascon_AEAD128_Mode::reset() {
54 m_ascon_p = initial_state_of_ascon_aead_permutation;
55 m_started = false;
56 m_has_nonce = false;
57}
58
59void Ascon_AEAD128_Mode::key_schedule(std::span<const uint8_t> key) {
60 clear();
61 m_key = as_array_of_uint64<2>(key);
62}
63
64void Ascon_AEAD128_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
65 BOTAN_ARG_CHECK(idx == 0, "Ascon-AEAD128: cannot handle non-zero index in set_associated_data_n");
66 m_ad.assign(ad.begin(), ad.end());
67}
68
69void Ascon_AEAD128_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
70 BOTAN_ARG_CHECK(valid_nonce_length(nonce_len), "Invalid nonce length in Ascon-AEAD128");
71
72 BOTAN_STATE_CHECK(has_keying_material());
73 BOTAN_STATE_CHECK(!m_started);
74
75 m_ascon_p.state() = concat(std::array{ascon_aead_128_iv}, *m_key, as_array_of_uint64<2>({nonce, nonce_len}));
76 m_ascon_p.initial_permute();
77 xor2x64(m_ascon_p.range_of_state<3, 2>(), *m_key);
78
79 m_has_nonce = true;
80}
81
82void Ascon_AEAD128_Mode::maybe_absorb_associated_data() {
83 BOTAN_DEBUG_ASSERT(has_keying_material());
84 BOTAN_DEBUG_ASSERT(m_has_nonce);
85
86 if(!m_started) {
87 if(!m_ad.empty()) {
88 m_ascon_p.absorb(m_ad);
89 m_ascon_p.intermediate_finish();
90 }
91 m_ascon_p.state()[4] ^= ascon_aead_128_domain_sep;
92
93 m_started = true;
94 }
95}
96
97std::array<uint8_t, 16> Ascon_AEAD128_Mode::calculate_tag_and_finish() {
98 BOTAN_DEBUG_ASSERT(m_started);
99
100 xor2x64(m_ascon_p.range_of_state<2, 2>(), *m_key);
101 m_ascon_p.finish();
102 xor2x64(m_ascon_p.range_of_state<3, 2>(), *m_key);
103
104 auto tag = store_le(m_ascon_p.range_of_state<3, 2>());
105
106 reset();
107 return tag;
108}
109
110size_t Ascon_AEAD128_Encryption::process_msg(uint8_t buf[], size_t size) {
111 BOTAN_STATE_CHECK(has_keying_material());
112 BOTAN_STATE_CHECK(m_has_nonce);
113
114 maybe_absorb_associated_data();
115 m_ascon_p.percolate_in({buf, size});
116 return size;
117}
118
119void Ascon_AEAD128_Encryption::finish_msg(secure_vector<uint8_t>& final_block, size_t offset) {
120 BOTAN_STATE_CHECK(has_keying_material());
121
122 const auto final_block_at_offset = std::span{final_block}.subspan(offset);
123 process_msg(final_block_at_offset.data(), final_block_at_offset.size());
124 const auto tag = calculate_tag_and_finish();
125 final_block.insert(final_block.end(), tag.begin(), tag.end());
126}
127
128size_t Ascon_AEAD128_Decryption::process_msg(uint8_t buf[], size_t size) {
129 BOTAN_STATE_CHECK(has_keying_material());
130 BOTAN_STATE_CHECK(m_has_nonce);
131
132 maybe_absorb_associated_data();
133 m_ascon_p.percolate_out({buf, size});
134 return size;
135}
136
137void Ascon_AEAD128_Decryption::finish_msg(secure_vector<uint8_t>& final_block, size_t offset) {
138 BOTAN_STATE_CHECK(has_keying_material());
139
140 const auto final_block_at_offset = std::span{final_block}.subspan(offset);
141 const auto final_ciphertext_block = final_block_at_offset.first(final_block_at_offset.size() - tag_size());
142 const auto expected_tag = final_block_at_offset.last(tag_size());
143
144 process_msg(final_ciphertext_block.data(), final_ciphertext_block.size());
145 if(!constant_time_compare(calculate_tag_and_finish(), expected_tag)) {
146 throw Invalid_Authentication_Tag("Ascon-AEAD128 tag check failed");
147 }
148
149 final_block.resize(offset + final_ciphertext_block.size());
150}
151
152} // namespace Botan
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::Ascon_AEAD128_Mode::has_keying_material
bool has_keying_material() const final
Definition ascon_aead128.h:45
Botan::Ascon_AEAD128_Mode::m_has_nonce
bool m_has_nonce
Definition ascon_aead128.h:59
Botan::Ascon_AEAD128_Mode::clear
void clear() final
Definition ascon_aead128.cpp:47
Botan::Ascon_AEAD128_Mode::reset
void reset() final
Definition ascon_aead128.cpp:53
Botan::Ascon_AEAD128_Mode::key_schedule
void key_schedule(std::span< const uint8_t > key) final
Definition ascon_aead128.cpp:59
Botan::Ascon_AEAD128_Mode::m_key
std::optional< std::array< uint64_t, 2 > > m_key
Definition ascon_aead128.h:57
Botan::Ascon_AEAD128_Mode::Ascon_AEAD128_Mode
Ascon_AEAD128_Mode()
Definition ascon_aead128.cpp:45
Botan::Ascon_AEAD128_Mode::maybe_absorb_associated_data
void maybe_absorb_associated_data()
Definition ascon_aead128.cpp:82
Botan::Ascon_AEAD128_Mode::set_associated_data_n
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) final
Definition ascon_aead128.cpp:64
Botan::Ascon_AEAD128_Mode::m_ascon_p
Ascon_p m_ascon_p
Definition ascon_aead128.h:58
Botan::Ascon_AEAD128_Mode::tag_size
size_t tag_size() const final
Definition ascon_aead128.h:39
Botan::Ascon_AEAD128_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const final
Definition ascon_aead128.h:35
Botan::Ascon_AEAD128_Mode::calculate_tag_and_finish
std::array< uint8_t, 16 > calculate_tag_and_finish()
Definition ascon_aead128.cpp:97
Botan::Ascon_AEAD128_Mode::start_msg
void start_msg(const uint8_t nonce[], size_t nonce_len) final
Definition ascon_aead128.cpp:69
Botan::Ascon_p
Definition ascon_perm.h:22
Botan::Ascon_p::percolate_in
void percolate_in(std::span< uint8_t > data)
Definition ascon_perm.cpp:27
Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:254
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::constant_time_compare
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17
Generated by doxygen 1.15.0