Lines Matching +full:other +full:- +full:key
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
39 * This file documents the API for block ciphers and other symmetric
48 * initialised with the encryption key.
63 * - `br_xxx_BLOCK_SIZE`
69 * - `br_xxx_cbcenc_keys`
71 * Context structure that contains the subkeys resulting from the key
76 * - `br_xxx_cbcenc_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
78 * Perform key expansion: subkeys for CBC encryption are computed and
79 * written in the provided context structure. The key length MUST be
83 * - `br_xxx_cbcenc_run(const br_xxx_cbcenc_keys *ctx, void *iv, void *data, size_t len)`
91 * - `br_xxx_cbcdec_keys`
93 * Context structure that contains the subkeys resulting from the key
98 * - `br_xxx_cbcdec_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
100 * Perform key expansion: subkeys for CBC decryption are computed and
101 * written in the provided context structure. The key length MUST be
105 * - `br_xxx_cbcdec_run(const br_xxx_cbcdec_keys *ctx, void *iv, void *data, size_t num_blocks)`
113 * - `br_xxx_ctr_keys`
115 * Context structure that contains the subkeys resulting from the key
120 * - `br_xxx_ctr_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
122 * Perform key expansion: subkeys for CTR encryption and decryption
124 * key length MUST be adequate for the implemented block cipher. This
127 …* - `br_xxx_ctr_run(const br_xxx_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t …
131 * implements the "standard incrementing function" from NIST SP800-38A,
133 * (i.e. 12 bytes for AES) and the counter is the 32-bit value starting
139 * - `br_xxx_ctrcbc_keys`
142 * key expansion. These subkeys are appropriate for doing combined
143 * CTR encryption/decryption and CBC-MAC, as used in the CCM and EAX
147 * - `br_xxx_ctrcbc_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
149 * Perform key expansion: subkeys for combined CTR
150 * encryption/decryption and CBC-MAC are computed and written in the
151 * provided context structure. The key length MUST be adequate for
155 …* - `br_xxx_ctrcbc_encrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, s…
157 * Perform CTR encryption of some data, and CBC-MAC. Processing is
160 * block-size counter (i.e. for 128-bit blocks, the counter is
161 * incremented as a 128-bit value). The 'ctr' array contains the
164 * value shall point to a block-sized value which is used as IV for
165 * CBC-MAC, computed over the encrypted data (output of CTR
166 * encryption); the resulting CBC-MAC is written over 'cbcmac' on
171 …* - `br_xxx_ctrcbc_decrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, s…
173 * Perform CTR decryption of some data, and CBC-MAC. Processing is
176 * block-size counter (i.e. for 128-bit blocks, the counter is
177 * incremented as a 128-bit value). The 'ctr' array contains the
180 * value shall point to a block-sized value which is used as IV for
181 * CBC-MAC, computed over the encrypted data (input of CTR
182 * encryption); the resulting CBC-MAC is written over 'cbcmac' on
187 * - `br_xxx_ctrcbc_ctr(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *data, size_t len)`
191 * data). A full block-sized counter is applied (i.e. for 128-bit
192 * blocks, the counter is incremented as a 128-bit value). The 'ctr'
199 …* - `br_xxx_ctrcbc_mac(const br_xxx_ctrcbc_keys *ctx, void *cbcmac, const void *data, size_t len…
201 * Compute CBC-MAC over the provided data. The IV for CBC-MAC is
207 * It shall be noted that the key expansion functions return `void`. If
208 * the provided key length is not allowed, then there will be no error
209 * reporting; implementations need not validate the key length, thus an
210 * invalid key length may result in undefined behaviour (e.g. buffer
214 * resources are allocated upon key expansion. They can thus be
218 * ## Object-Oriented API
225 * - `context_size`
229 * - `block_size`
233 * - `log_block_size`
235 * The base-2 logarithm of cipher block size (e.g. 4 for blocks
238 * - `init`
240 * Pointer to the key expansion function.
242 * - `run`
246 * For combined CTR/CBC-MAC encryption, the `vtable` has a slightly
249 * - `context_size`
253 * - `block_size`
257 * - `log_block_size`
259 * The base-2 logarithm of cipher block size (e.g. 4 for blocks
262 * - `init`
264 * Pointer to the key expansion function.
266 * - `encrypt`
268 * Pointer to the CTR encryption + CBC-MAC function.
270 * - `decrypt`
272 * Pointer to the CTR decryption + CBC-MAC function.
274 * - `ctr`
278 * - `mac`
280 * Pointer to the CBC-MAC function.
285 * - `br_xxx_cbcenc_vtable`
286 * - `br_xxx_cbcdec_vtable`
287 * - `br_xxx_ctr_vtable`
288 * - `br_xxx_ctrcbc_vtable`
295 * | Name | Function | Block Size (bytes) | Key lengths (bytes) |
296 * | :-------- | :------- | :----------------: | :-----------------: |
308 * the _effective_ key lengths, from a security point of view, are 56,
312 * is fast but not constant-time, since it makes data-dependent array
316 * is substantially slower than `aes_big`; it is not constant-time
319 * `aes_ct` is a constant-time implementation of AES; its code is about
321 * that of `aes_small`. However, it is constant-time. This
324 * non-constant-time implementation is safe, or an architecture-specific
325 * constant-time implementation can be used (e.g. using dedicated
328 * `aes_ct64` is another constant-time implementation of AES. It is
329 * similar to `aes_ct` but uses 64-bit values. On 32-bit machines,
331 * a larger footprint; however, on 64-bit architectures, `aes_ct64`
335 * `aes_x86ni` exists only on x86 architectures (32-bit and 64-bit). It
336 * uses the AES-NI opcodes when available.
338 * `aes_pwr8` exists only on PowerPC / POWER architectures (32-bit and
339 * 64-bit, both little-endian and big-endian). It uses the AES opcodes
342 * `des_tab` is a classic, table-based implementation of DES/3DES. It
343 * is not constant-time.
345 * `des_ct` is an constant-time implementation of DES/3DES. It is
355 * - `br_chacha20_run` describes a function that implements ChaCha20
358 * - `br_poly1305_run` describes an implementation of Poly1305,
363 * plain C; it is constant-time, small, and reasonably fast.
369 * construction, where the Poly1305 part is performed with mixed 32-bit
370 * multiplications (operands are 32-bit, result is 64-bit).
372 * `poly1305_ctmul32` implements ChaCha20+Poly1305 using pure 32-bit
373 * multiplications (32-bit operands, 32-bit result). It is slower than
377 * `poly1305_ctmulq` implements ChaCha20+Poly1305 with mixed 64-bit
378 * multiplications (operands are 64-bit, result is 128-bit) on 64-bit
407 * \brief Base-2 logarithm of the size of individual blocks,
416 * The key length MUST be one of the key lengths supported by
420 * \param key secret key.
421 * \param key_len key length (in bytes).
424 const void *key, size_t key_len);
463 * \brief Base-2 logarithm of the size of individual blocks,
472 * The key length MUST be one of the key lengths supported by
476 * \param key secret key.
477 * \param key_len key length (in bytes).
480 const void *key, size_t key_len);
520 * \brief Base-2 logarithm of the size of individual blocks,
529 * The key length MUST be one of the key lengths supported by
533 * \param key secret key.
534 * \param key_len key length (in bytes).
537 const void *key, size_t key_len);
544 * 12 bytes for AES/CTR). The IV is combined with a 32-bit
551 * corresponding key stream bits are dropped.
567 * \brief Class type for combined CTR and CBC-MAC implementations.
571 * decrypting data, along with CBC-MAC.
587 * \brief Base-2 logarithm of the size of individual blocks,
596 * The key length MUST be one of the key lengths supported by
600 * \param key secret key.
601 * \param key_len key length (in bytes).
604 const void *key, size_t key_len);
607 * \brief Run the CTR encryption + CBC-MAC.
613 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
616 * computed CBC-MAC value is written over the `cbcmac` array.
623 * \param cbcmac IV and output buffer for CBC-MAC.
631 * \brief Run the CTR decryption + CBC-MAC.
637 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
640 * computed CBC-MAC value is written over the `cbcmac` array.
647 * \param cbcmac IV and output buffer for CBC-MAC.
673 * \brief Run the CBC-MAC only.
675 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
678 * computed CBC-MAC value is written over the `cbcmac` array.
684 * \param cbcmac IV and output buffer for CBC-MAC.
693 * Traditional, table-based AES implementation. It is fast, but uses
695 * 1 kB table for decryption, and a 256-byte table for key schedule),
696 * and it is not constant-time. In contexts where cache-timing attacks
697 * apply, this implementation may leak the secret key.
707 * function. Other fields are not supposed to be accessed by user code.
722 * function. Other fields are not supposed to be accessed by user code.
738 * function. Other fields are not supposed to be accessed by user code.
751 * and decryption + CBC-MAC).
754 * function. Other fields are not supposed to be accessed by user code.
782 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
788 * \brief Context initialisation (key schedule) for AES CBC encryption
792 * \param key secret key.
793 * \param len secret key length (in bytes).
796 const void *key, size_t len);
799 * \brief Context initialisation (key schedule) for AES CBC decryption
803 * \param key secret key.
804 * \param len secret key length (in bytes).
807 const void *key, size_t len);
810 * \brief Context initialisation (key schedule) for AES CTR encryption
814 * \param key secret key.
815 * \param len secret key length (in bytes).
818 const void *key, size_t len);
821 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
825 * \param key secret key.
826 * \param len secret key length (in bytes).
829 const void *key, size_t len);
867 * \brief CTR encryption + CBC-MAC with AES (`aes_big` implementation).
871 * \param cbcmac IV for CBC-MAC (updated).
879 * \brief CTR decryption + CBC-MAC with AES (`aes_big` implementation).
883 * \param cbcmac IV for CBC-MAC (updated).
902 * \brief CBC-MAC with AES (`aes_big` implementation).
905 * \param cbcmac IV for CBC-MAC (updated).
914 * traditional table-based AES implementation, but requires much less
915 * code. It still uses data-dependent table accesses (albeit within a
916 * much smaller 256-byte table), which makes it conceptually vulnerable
917 * to cache-timing attacks.
927 * function. Other fields are not supposed to be accessed by user code.
942 * function. Other fields are not supposed to be accessed by user code.
958 * function. Other fields are not supposed to be accessed by user code.
971 * and decryption + CBC-MAC).
974 * function. Other fields are not supposed to be accessed by user code.
1002 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1008 * \brief Context initialisation (key schedule) for AES CBC encryption
1012 * \param key secret key.
1013 * \param len secret key length (in bytes).
1016 const void *key, size_t len);
1019 * \brief Context initialisation (key schedule) for AES CBC decryption
1023 * \param key secret key.
1024 * \param len secret key length (in bytes).
1027 const void *key, size_t len);
1030 * \brief Context initialisation (key schedule) for AES CTR encryption
1034 * \param key secret key.
1035 * \param len secret key length (in bytes).
1038 const void *key, size_t len);
1041 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1045 * \param key secret key.
1046 * \param len secret key length (in bytes).
1049 const void *key, size_t len);
1087 * \brief CTR encryption + CBC-MAC with AES (`aes_small` implementation).
1091 * \param cbcmac IV for CBC-MAC (updated).
1099 * \brief CTR decryption + CBC-MAC with AES (`aes_small` implementation).
1103 * \param cbcmac IV for CBC-MAC (updated).
1122 * \brief CBC-MAC with AES (`aes_small` implementation).
1125 * \param cbcmac IV for CBC-MAC (updated).
1133 * Constant-time AES implementation. Its size is similar to that of
1135 * decryption, slower encryption). However, it is constant-time, i.e.
1136 * immune to cache-timing and similar attacks.
1146 * function. Other fields are not supposed to be accessed by user code.
1161 * function. Other fields are not supposed to be accessed by user code.
1177 * function. Other fields are not supposed to be accessed by user code.
1190 * and decryption + CBC-MAC).
1193 * function. Other fields are not supposed to be accessed by user code.
1221 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1227 * \brief Context initialisation (key schedule) for AES CBC encryption
1231 * \param key secret key.
1232 * \param len secret key length (in bytes).
1235 const void *key, size_t len);
1238 * \brief Context initialisation (key schedule) for AES CBC decryption
1242 * \param key secret key.
1243 * \param len secret key length (in bytes).
1246 const void *key, size_t len);
1249 * \brief Context initialisation (key schedule) for AES CTR encryption
1253 * \param key secret key.
1254 * \param len secret key length (in bytes).
1257 const void *key, size_t len);
1260 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1264 * \param key secret key.
1265 * \param len secret key length (in bytes).
1268 const void *key, size_t len);
1306 * \brief CTR encryption + CBC-MAC with AES (`aes_ct` implementation).
1310 * \param cbcmac IV for CBC-MAC (updated).
1318 * \brief CTR decryption + CBC-MAC with AES (`aes_ct` implementation).
1322 * \param cbcmac IV for CBC-MAC (updated).
1341 * \brief CBC-MAC with AES (`aes_ct` implementation).
1344 * \param cbcmac IV for CBC-MAC (updated).
1352 * 64-bit constant-time AES implementation. It is similar to 'aes_ct'
1353 * but uses 64-bit registers, making it about twice faster than 'aes_ct'
1354 * on 64-bit platforms, while remaining constant-time and with a similar
1356 * and CTR mode; CBC encryption is non-parallel and cannot benefit from
1367 * function. Other fields are not supposed to be accessed by user code.
1382 * function. Other fields are not supposed to be accessed by user code.
1398 * function. Other fields are not supposed to be accessed by user code.
1411 * and decryption + CBC-MAC).
1414 * function. Other fields are not supposed to be accessed by user code.
1442 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1448 * \brief Context initialisation (key schedule) for AES CBC encryption
1452 * \param key secret key.
1453 * \param len secret key length (in bytes).
1456 const void *key, size_t len);
1459 * \brief Context initialisation (key schedule) for AES CBC decryption
1463 * \param key secret key.
1464 * \param len secret key length (in bytes).
1467 const void *key, size_t len);
1470 * \brief Context initialisation (key schedule) for AES CTR encryption
1474 * \param key secret key.
1475 * \param len secret key length (in bytes).
1478 const void *key, size_t len);
1481 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1485 * \param key secret key.
1486 * \param len secret key length (in bytes).
1489 const void *key, size_t len);
1527 * \brief CTR encryption + CBC-MAC with AES (`aes_ct64` implementation).
1531 * \param cbcmac IV for CBC-MAC (updated).
1539 * \brief CTR decryption + CBC-MAC with AES (`aes_ct64` implementation).
1543 * \param cbcmac IV for CBC-MAC (updated).
1562 * \brief CBC-MAC with AES (`aes_ct64` implementation).
1565 * \param cbcmac IV for CBC-MAC (updated).
1573 * AES implementation using AES-NI opcodes (x86 platform).
1583 * function. Other fields are not supposed to be accessed by user code.
1600 * function. Other fields are not supposed to be accessed by user code.
1618 * function. Other fields are not supposed to be accessed by user code.
1633 * and decryption + CBC-MAC).
1636 * function. Other fields are not supposed to be accessed by user code.
1678 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1688 * \brief Context initialisation (key schedule) for AES CBC encryption
1692 * \param key secret key.
1693 * \param len secret key length (in bytes).
1696 const void *key, size_t len);
1699 * \brief Context initialisation (key schedule) for AES CBC decryption
1703 * \param key secret key.
1704 * \param len secret key length (in bytes).
1707 const void *key, size_t len);
1710 * \brief Context initialisation (key schedule) for AES CTR encryption
1714 * \param key secret key.
1715 * \param len secret key length (in bytes).
1718 const void *key, size_t len);
1721 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1725 * \param key secret key.
1726 * \param len secret key length (in bytes).
1729 const void *key, size_t len);
1767 * \brief CTR encryption + CBC-MAC with AES (`aes_x86ni` implementation).
1771 * \param cbcmac IV for CBC-MAC (updated).
1779 * \brief CTR decryption + CBC-MAC with AES (`aes_x86ni` implementation).
1783 * \param cbcmac IV for CBC-MAC (updated).
1802 * \brief CBC-MAC with AES (`aes_x86ni` implementation).
1805 * \param cbcmac IV for CBC-MAC (updated).
1813 * \brief Obtain the `aes_x86ni` AES-CBC (encryption) implementation, if
1821 * \return the `aes_x86ni` AES-CBC (encryption) implementation, or `NULL`.
1826 * \brief Obtain the `aes_x86ni` AES-CBC (decryption) implementation, if
1834 * \return the `aes_x86ni` AES-CBC (decryption) implementation, or `NULL`.
1839 * \brief Obtain the `aes_x86ni` AES-CTR implementation, if available.
1846 * \return the `aes_x86ni` AES-CTR implementation, or `NULL`.
1851 * \brief Obtain the `aes_x86ni` AES-CTR + CBC-MAC implementation, if
1859 * \return the `aes_x86ni` AES-CTR implementation, or `NULL`.
1874 * function. Other fields are not supposed to be accessed by user code.
1891 * function. Other fields are not supposed to be accessed by user code.
1909 * function. Other fields are not supposed to be accessed by user code.
1924 * and decryption + CBC-MAC).
1927 * function. Other fields are not supposed to be accessed by user code.
1969 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1979 * \brief Context initialisation (key schedule) for AES CBC encryption
1983 * \param key secret key.
1984 * \param len secret key length (in bytes).
1987 const void *key, size_t len);
1990 * \brief Context initialisation (key schedule) for AES CBC decryption
1994 * \param key secret key.
1995 * \param len secret key length (in bytes).
1998 const void *key, size_t len);
2001 * \brief Context initialisation (key schedule) for AES CTR encryption
2005 * \param key secret key.
2006 * \param len secret key length (in bytes).
2009 const void *key, size_t len);
2012 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
2016 * \param key secret key.
2017 * \param len secret key length (in bytes).
2020 const void *key, size_t len);
2058 * \brief CTR encryption + CBC-MAC with AES (`aes_pwr8` implementation).
2062 * \param cbcmac IV for CBC-MAC (updated).
2070 * \brief CTR decryption + CBC-MAC with AES (`aes_pwr8` implementation).
2074 * \param cbcmac IV for CBC-MAC (updated).
2093 * \brief CBC-MAC with AES (`aes_pwr8` implementation).
2096 * \param cbcmac IV for CBC-MAC (updated).
2104 * \brief Obtain the `aes_pwr8` AES-CBC (encryption) implementation, if
2112 * \return the `aes_pwr8` AES-CBC (encryption) implementation, or `NULL`.
2117 * \brief Obtain the `aes_pwr8` AES-CBC (decryption) implementation, if
2125 * \return the `aes_pwr8` AES-CBC (decryption) implementation, or `NULL`.
2130 * \brief Obtain the `aes_pwr8` AES-CTR implementation, if available.
2137 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`.
2142 * \brief Obtain the `aes_pwr8` AES-CTR + CBC-MAC implementation, if
2150 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`.
2198 * subkeys (CTR encryption/decryption + CBC-MAC) for all AES implementations.
2211 * Traditional, table-based implementation for DES/3DES. Since tables are
2212 * used, cache-timing attacks are conceptually possible.
2222 * function. Other fields are not supposed to be accessed by user code.
2237 * function. Other fields are not supposed to be accessed by user code.
2259 * \brief Context initialisation (key schedule) for DES CBC encryption
2263 * \param key secret key.
2264 * \param len secret key length (in bytes).
2267 const void *key, size_t len);
2270 * \brief Context initialisation (key schedule) for DES CBC decryption
2274 * \param key secret key.
2275 * \param len secret key length (in bytes).
2278 const void *key, size_t len);
2303 * Constant-time implementation for DES/3DES. It is substantially slower
2304 * (by a factor of about 4x), but also immune to cache-timing attacks.
2314 * function. Other fields are not supposed to be accessed by user code.
2329 * function. Other fields are not supposed to be accessed by user code.
2351 * \brief Context initialisation (key schedule) for DES CBC encryption
2355 * \param key secret key.
2356 * \param len secret key length (in bytes).
2359 const void *key, size_t len);
2362 * \brief Context initialisation (key schedule) for DES CBC decryption
2366 * \param key secret key.
2367 * \param len secret key length (in bytes).
2370 const void *key, size_t len);
2424 * - Key is 256 bits (`key` points to exactly 32 bytes).
2426 * - IV is 96 bits (`iv` points to exactly 12 bytes).
2428 * - Block counter is over 32 bits and starts at value `cc`; the
2434 * works only as long as each non-final chunk has a length multiple of 64).
2436 * \param key secret key (32 bytes).
2442 typedef uint32_t (*br_chacha20_run)(const void *key,
2446 * \brief ChaCha20 implementation (straightforward C code, constant-time).
2450 * \param key secret key (32 bytes).
2456 uint32_t br_chacha20_ct_run(const void *key,
2460 * \brief ChaCha20 implementation (SSE2 code, constant-time).
2463 * compiler support. Moreover, in 32-bit mode, it might not actually run,
2465 * 64-bit mode, SSE2 is part of the ABI, so if the code could be compiled
2471 * \param key secret key (32 bytes).
2477 uint32_t br_chacha20_sse2_run(const void *key,
2503 * \param key secret key (32 bytes).
2511 * \param encrypt non-zero for encryption, zero for decryption.
2513 typedef void (*br_poly1305_run)(const void *key, const void *iv,
2518 * \brief ChaCha20+Poly1305 AEAD implementation (mixed 32-bit multiplications).
2522 * \param key secret key (32 bytes).
2530 * \param encrypt non-zero for encryption, zero for decryption.
2532 void br_poly1305_ctmul_run(const void *key, const void *iv,
2537 * \brief ChaCha20+Poly1305 AEAD implementation (pure 32-bit multiplications).
2541 * \param key secret key (32 bytes).
2549 * \param encrypt non-zero for encryption, zero for decryption.
2551 void br_poly1305_ctmul32_run(const void *key, const void *iv,
2559 * (which uses pure 32-bit multiplications). As such, it may save a
2566 * \param key secret key (32 bytes).
2574 * \param encrypt non-zero for encryption, zero for decryption.
2576 void br_poly1305_i15_run(const void *key, const void *iv,
2583 * This implementation uses 64-bit multiplications (result over 128 bits).
2585 * practice, 64-bit architectures). Use `br_poly1305_ctmulq_get()` to
2590 * \param key secret key (32 bytes).
2598 * \param encrypt non-zero for encryption, zero for decryption.
2600 void br_poly1305_ctmulq_run(const void *key, const void *iv,