// poly1305.h - written and placed in the public domain by Jeffrey Walton and Jean-Pierre Munch // Based on Andy Polyakov's Base-2^26 scalar multiplication implementation. // For more information, see https://www.openssl.org/~appro/cryptogams/. // The library added Bernstein's Poly1305 classes at Crypto++ 6.0. The IETF // uses a slightly different implementation than Bernstein, and the IETF // classes were added at Crypto++ 8.1. We wanted to maintain ABI compatibility // at the 8.1 release so the original Poly1305 classes were not disturbed. // Instead new classes were added for IETF Poly1305. The back-end implementation // shares code as expected, however. /// \file poly1305.h /// \brief Classes for Poly1305 message authentication code /// \details Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide /// variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length /// message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. /// \details Crypto++ also supplies the IETF's version of Poly1305. It is a slightly different /// algorithm than Bernstein's version. /// \sa Daniel J. Bernstein The Poly1305-AES /// Message-Authentication Code (20050329), RFC /// 8439, ChaCha20 and Poly1305 for IETF Protocols and Andy Polyakov Poly1305 Revised /// \since Poly1305 since Crypto++ 6.0, Poly1305TLS since Crypto++ 8.1 #ifndef CRYPTOPP_POLY1305_H #define CRYPTOPP_POLY1305_H #include "cryptlib.h" #include "seckey.h" #include "secblock.h" #include "argnames.h" #include "algparam.h" NAMESPACE_BEGIN(CryptoPP) ////////////////////////////// Bernstein Poly1305 ////////////////////////////// /// \brief Poly1305 message authentication code base class /// \tparam T BlockCipherDocumentation derived class with 16-byte key and 16-byte blocksize /// \details Poly1305_Base is the base class of Bernstein's Poly1305 algorithm. /// \since Crypto++ 6.0 template class CRYPTOPP_NO_VTABLE Poly1305_Base : public FixedKeyLength<32, SimpleKeyingInterface::UNIQUE_IV, 16>, public MessageAuthenticationCode { CRYPTOPP_COMPILE_ASSERT(T::DEFAULT_KEYLENGTH == 16); CRYPTOPP_COMPILE_ASSERT(T::BLOCKSIZE == 16); public: static std::string StaticAlgorithmName() {return std::string("Poly1305(") + T::StaticAlgorithmName() + ")";} CRYPTOPP_CONSTANT(DIGESTSIZE=T::BLOCKSIZE); CRYPTOPP_CONSTANT(BLOCKSIZE=T::BLOCKSIZE); virtual ~Poly1305_Base() {} Poly1305_Base() : m_idx(0), m_used(true) {} void Resynchronize (const byte *iv, int ivLength=-1); void GetNextIV (RandomNumberGenerator &rng, byte *iv); void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms); void Update(const byte *input, size_t length); void TruncatedFinal(byte *mac, size_t size); void Restart(); unsigned int BlockSize() const {return BLOCKSIZE;} unsigned int DigestSize() const {return DIGESTSIZE;} std::string AlgorithmProvider() const; protected: // TODO: No longer needed. Remove at next major version bump void HashBlocks(const byte *input, size_t length, word32 padbit); void HashFinal(byte *mac, size_t length); typename T::Encryption m_cipher; // Accumulated hash, clamped r-key, and encrypted nonce FixedSizeAlignedSecBlock m_h; FixedSizeAlignedSecBlock m_r; FixedSizeAlignedSecBlock m_n; // Accumulated message bytes and index FixedSizeAlignedSecBlock m_acc, m_nk; size_t m_idx; // Track nonce reuse; assert in debug but continue bool m_used; }; /// \brief Poly1305 message authentication code /// \tparam T class derived from BlockCipherDocumentation with 16-byte key and 16-byte blocksize /// \details Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide /// variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length /// message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce. /// \details The key is 32 bytes and a concatenation key = {k,s}, where /// k is the AES key and r is additional key that gets clamped. /// The key is clamped internally so there is no need to perform the operation /// before setting the key. /// \details Each message must have a unique security context, which means either the key or nonce /// must be changed after each message. It can be accomplished in one of two ways. First, you /// can create a new Poly1305 object each time its needed. /// 
  SecByteBlock key(32), nonce(16);
///   prng.GenerateBlock(key, key.size());
///   prng.GenerateBlock(nonce, nonce.size());
///
///   Poly1305 poly1305(key, key.size(), nonce, nonce.size());
///   poly1305.Update(...);
///   poly1305.Final(...);
/// /// \details Second, you can create a Poly1305 object, reuse the key, and set a fresh nonce /// for each message. The second and subsequent nonces can be generated using GetNextIV(). /// 
  SecByteBlock key(32), nonce(16);
///   prng.GenerateBlock(key, key.size());
///   prng.GenerateBlock(nonce, nonce.size());
///
///   // First message
///   Poly1305 poly1305(key, key.size());
///   poly1305.Resynchronize(nonce);
///   poly1305.Update(...);
///   poly1305.Final(...);
///
///   // Second message
///   poly1305.GetNextIV(prng, nonce);
///   poly1305.Resynchronize(nonce);
///   poly1305.Update(...);
///   poly1305.Final(...);
///   ...
/// \warning Each message must have a unique security context. The Poly1305 class does not /// enforce a fresh key or nonce for each message. The source code will assert in debug /// builds to alert of nonce reuse. No action is taken in release builds. /// \sa Daniel J. Bernstein The Poly1305-AES /// Message-Authentication Code (20050329) and Andy Polyakov Poly1305 Revised /// \since Crypto++ 6.0 template class Poly1305 : public MessageAuthenticationCodeFinal > { public: CRYPTOPP_CONSTANT(DEFAULT_KEYLENGTH=Poly1305_Base::DEFAULT_KEYLENGTH); /// \brief Construct a Poly1305 Poly1305() {} /// \brief Construct a Poly1305 /// \param key a byte array used to key the cipher /// \param keyLength the size of the byte array, in bytes /// \param nonce a byte array used to key the cipher /// \param nonceLength the size of the byte array, in bytes /// \details The key is 32 bytes and a concatenation key = {k,s}, where /// k is the AES key and r is additional key that gets clamped. /// The key is clamped internally so there is no need to perform the operation /// before setting the key. /// \details Each message requires a unique security context. You can use GetNextIV() /// and Resynchronize() to set a new nonce under a key for a message. Poly1305(const byte *key, size_t keyLength=DEFAULT_KEYLENGTH, const byte *nonce=NULLPTR, size_t nonceLength=0) {this->SetKey(key, keyLength, MakeParameters(Name::IV(), ConstByteArrayParameter(nonce, nonceLength)));} }; ////////////////////////////// IETF Poly1305 ////////////////////////////// /// \brief Poly1305-TLS message authentication code base class /// \details Poly1305TLS_Base is the base class of the IETF's Poly1305 algorithm. /// \since Crypto++ 8.1 class Poly1305TLS_Base : public FixedKeyLength<32>, public MessageAuthenticationCode { public: static std::string StaticAlgorithmName() {return std::string("Poly1305TLS");} CRYPTOPP_CONSTANT(DIGESTSIZE=16); CRYPTOPP_CONSTANT(BLOCKSIZE=16); virtual ~Poly1305TLS_Base() {} Poly1305TLS_Base() {} void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms); void Update(const byte *input, size_t length); void TruncatedFinal(byte *mac, size_t size); void Restart(); unsigned int BlockSize() const {return BLOCKSIZE;} unsigned int DigestSize() const {return DIGESTSIZE;} protected: // Accumulated hash, clamped r-key, and encrypted nonce FixedSizeAlignedSecBlock m_h; FixedSizeAlignedSecBlock m_r; FixedSizeAlignedSecBlock m_n; // Accumulated message bytes and index FixedSizeAlignedSecBlock m_acc; size_t m_idx; }; /// \brief Poly1305-TLS message authentication code /// \details This is the IETF's variant of Bernstein's Poly1305 from RFC 8439. /// IETF Poly1305 is called Poly1305TLS in the Crypto++ library. It is /// _slightly_ different from the Bernstein implementation. Poly1305-TLS /// can be used for cipher suites /// TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /// TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, and /// TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256. /// \details The key is 32 bytes and a concatenation key = {r,s}, where /// r is additional key that gets clamped and s is the nonce. /// The key is clamped internally so there is no need to perform the operation /// before setting the key. /// \details Each message must have a unique security context, which means the key /// must be changed after each message. It can be accomplished in one of two ways. /// First, you can create a new Poly1305 object with a new key each time its needed. /// 
  SecByteBlock key(32);
///   prng.GenerateBlock(key, key.size());
///
///   Poly1305TLS poly1305(key, key.size());
///   poly1305.Update(...);
///   poly1305.Final(...);
/// /// \details Second, you can create a Poly1305 object, and use a new key for each /// message. The keys can be generated directly using a RandomNumberGenerator() /// derived class. /// 
  SecByteBlock key(32);
///   prng.GenerateBlock(key, key.size());
///
///   // First message
///   Poly1305TLS poly1305(key, key.size());
///   poly1305.Update(...);
///   poly1305.Final(...);
///
///   // Second message
///   prng.GenerateBlock(key, key.size());
///   poly1305.SetKey(key, key.size());
///   poly1305.Update(...);
///   poly1305.Final(...);
///   ...
/// \warning Each message must have a unique security context. The Poly1305-TLS class /// does not enforce a fresh key or nonce for each message. /// \since Crypto++ 8.1 /// \sa MessageAuthenticationCode(), RFC /// 8439, ChaCha20 and Poly1305 for IETF Protocols DOCUMENTED_TYPEDEF(MessageAuthenticationCodeFinal, Poly1305TLS); NAMESPACE_END #endif // CRYPTOPP_POLY1305_H