m_acc, m_nk;
size_t m_idx;
// Track nonce reuse; assert in debug but continue
bool m_used;
};
/// \brief Poly1305 message authentication code
/// \tparam T class derived from BlockCipherDocumentation with 16-byte key and 16-byte blocksize
/// \details Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide
/// variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length
/// message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce.
/// \details The key is 32 bytes and a concatenation key = {k,s}, where
/// k is the AES key and r is additional key that gets clamped.
/// \details Each message must use a unique security context, which means either the key or nonce
/// must be changed after each message. It can be accomplished in one of two ways. First, you
/// can create a new Poly1305 object with a key and nonce each time its needed.
/// SecByteBlock key(32), nonce(16);
/// prng.GenerateBlock(key, key.size());
/// prng.GenerateBlock(nonce, nonce.size());
///
/// Poly1305 poly1305(key, key.size(), nonce, nonce.size());
/// poly1305.Update(...);
/// poly1305.Final(...);
///
/// \details Second, you can create a Poly1305 object, reuse the key, and set a fresh nonce
/// for each message. The second and subsequent nonces can be generated directly using a
/// RandomNumberGenerator() derived class; or it can be generated using GetNextIV().
/// SecByteBlock key(32), nonce(16);
/// prng.GenerateBlock(key, key.size());
/// prng.GenerateBlock(nonce, nonce.size());
///
/// // First message
/// Poly1305 poly1305(key, key.size());
/// poly1305.Resynchronize(nonce);
/// poly1305.Update(...);
/// poly1305.Final(...);
///
/// // Second message
/// poly1305.GetNextIV(prng, nonce);
/// poly1305.Resynchronize(nonce);
/// poly1305.Update(...);
/// poly1305.Final(...);
/// ...
/// \warning The Poly1305 class does not enforce a fresh nonce for each message. The source code
/// will assert in debug builds to alert of nonce reuse. No action is taken in release builds.
/// \sa Daniel J. Bernstein The Poly1305-AES
/// Message-Authentication Code (20050329) and Andy Polyakov Poly1305 Revised
/// \since Crypto++ 6.0
template
class Poly1305 : public MessageAuthenticationCodeFinal >
{
public:
CRYPTOPP_CONSTANT(DEFAULT_KEYLENGTH=Poly1305_Base::DEFAULT_KEYLENGTH)
/// \brief Construct a Poly1305
Poly1305() {}
/// \brief Construct a Poly1305
/// \param key a byte array used to key the cipher
/// \param keyLength the size of the byte array, in bytes
/// \param nonce a byte array used to key the cipher
/// \param nonceLength the size of the byte array, in bytes
/// \details key is the 32-byte key composed of the 16-byte AES key and the 16 additional key
/// bytes used for r.
/// \details Each message requires a unique security context. You can use GetNextIV() and
/// Resynchronize() to set a new nonce under a key for a message.
Poly1305(const byte *key, size_t keyLength=DEFAULT_KEYLENGTH, const byte *nonce=NULLPTR, size_t nonceLength=0)
{this->SetKey(key, keyLength, MakeParameters(Name::IV(), ConstByteArrayParameter(nonce, nonceLength)));}
};
////////////////////////////// IETF Poly1305 //////////////////////////////
/// \brief Poly1305-TLS message authentication code base class
/// \details Poly1305TLS_Base is the base class of the IETF's Poly1305 algorithm.
/// \since Crypto++ 8.1
class Poly1305TLS_Base : public FixedKeyLength<32>, public MessageAuthenticationCode
{
public:
static std::string StaticAlgorithmName() {return std::string("Poly1305TLS");}
CRYPTOPP_CONSTANT(DIGESTSIZE=16)
CRYPTOPP_CONSTANT(BLOCKSIZE=16)
virtual ~Poly1305TLS_Base() {}
Poly1305TLS_Base() {}
void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms);
void Update(const byte *input, size_t length);
void TruncatedFinal(byte *mac, size_t size);
void Restart();
unsigned int BlockSize() const {return BLOCKSIZE;}
unsigned int DigestSize() const {return DIGESTSIZE;}
protected:
// Accumulated hash, clamped r-key, and encrypted nonce
FixedSizeAlignedSecBlock m_h;
FixedSizeAlignedSecBlock m_r;
FixedSizeAlignedSecBlock m_n;
// Accumulated message bytes and index
FixedSizeAlignedSecBlock m_acc;
size_t m_idx;
};
/// \brief Poly1305-TLS message authentication code
/// \details Poly1305-TLS is the IETF's version of Poly1305. It is a slightly
/// different algorithm than Bernstein's version.
/// \details The key is 32 bytes and a concatenation key = {r,s}, where
/// r is additional key that gets clamped and s is the nonce.
/// \details Each message must use a unique security context, which means the key
/// must be changed after each message. It can be accomplished in one of two ways.
/// First, you can create a new Poly1305 object with a new key each time its needed.
/// SecByteBlock key(32);
/// prng.GenerateBlock(key, key.size());
///
/// Poly1305TLS poly1305(key, key.size());
/// poly1305.Update(...);
/// poly1305.Final(...);
///
/// \details Second, you can create a Poly1305 object, and use a new key for each
/// message. The keys can be generated directly using a RandomNumberGenerator()
/// derived class.
/// SecByteBlock key(32);
/// prng.GenerateBlock(key, key.size());
///
/// // First message
/// Poly1305TLS poly1305(key, key.size());
/// poly1305.Update(...);
/// poly1305.Final(...);
///
/// // Second message
/// prng.GenerateBlock(key, key.size());
/// poly1305.SetKey(key, key.size());
/// poly1305.Update(...);
/// poly1305.Final(...);
/// ...
/// \since Crypto++ 8.1
/// \sa MessageAuthenticationCode(), RFC
/// 8439, ChaCha20 and Poly1305 for IETF Protocols
DOCUMENTED_TYPEDEF(MessageAuthenticationCodeFinal, Poly1305TLS)
NAMESPACE_END
#endif // CRYPTOPP_POLY1305_H