xref: /linux/include/crypto/nh.h (revision c17ee635fd3a482b2ad2bf5e269755c2eae5f25e) 
1*14e15c71SEric Biggers /* SPDX-License-Identifier: GPL-2.0 */
2*14e15c71SEric Biggers /*
3*14e15c71SEric Biggers  * NH hash function for Adiantum
4*14e15c71SEric Biggers  */
5*14e15c71SEric Biggers 
6*14e15c71SEric Biggers #ifndef _CRYPTO_NH_H
7*14e15c71SEric Biggers #define _CRYPTO_NH_H
8*14e15c71SEric Biggers 
9*14e15c71SEric Biggers #include <linux/types.h>
10*14e15c71SEric Biggers 
11*14e15c71SEric Biggers /* NH parameterization: */
12*14e15c71SEric Biggers 
13*14e15c71SEric Biggers /* Endianness: little */
14*14e15c71SEric Biggers /* Word size: 32 bits (works well on NEON, SSE2, AVX2) */
15*14e15c71SEric Biggers 
16*14e15c71SEric Biggers /* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */
17*14e15c71SEric Biggers #define NH_PAIR_STRIDE		2
18*14e15c71SEric Biggers #define NH_MESSAGE_UNIT		(NH_PAIR_STRIDE * 2 * sizeof(u32))
19*14e15c71SEric Biggers 
20*14e15c71SEric Biggers /* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */
21*14e15c71SEric Biggers #define NH_NUM_PASSES		4
22*14e15c71SEric Biggers #define NH_HASH_BYTES		(NH_NUM_PASSES * sizeof(u64))
23*14e15c71SEric Biggers 
24*14e15c71SEric Biggers /* Max message size: 1024 bytes (32x compression factor) */
25*14e15c71SEric Biggers #define NH_NUM_STRIDES		64
26*14e15c71SEric Biggers #define NH_MESSAGE_WORDS	(NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES)
27*14e15c71SEric Biggers #define NH_MESSAGE_BYTES	(NH_MESSAGE_WORDS * sizeof(u32))
28*14e15c71SEric Biggers #define NH_KEY_WORDS		(NH_MESSAGE_WORDS + \
29*14e15c71SEric Biggers 				 NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1))
30*14e15c71SEric Biggers #define NH_KEY_BYTES		(NH_KEY_WORDS * sizeof(u32))
31*14e15c71SEric Biggers 
32*14e15c71SEric Biggers /**
33*14e15c71SEric Biggers  * nh() - NH hash function for Adiantum
34*14e15c71SEric Biggers  * @key: The key.  @message_len + 48 bytes of it are used.  This is NH_KEY_BYTES
35*14e15c71SEric Biggers  *	 if @message_len has its maximum length of NH_MESSAGE_BYTES.
36*14e15c71SEric Biggers  * @message: The message
37*14e15c71SEric Biggers  * @message_len: The message length in bytes.  Must be a multiple of 16
38*14e15c71SEric Biggers  *		 (NH_MESSAGE_UNIT) and at most 1024 (NH_MESSAGE_BYTES).
39*14e15c71SEric Biggers  * @hash: (output) The resulting hash value
40*14e15c71SEric Biggers  *
41*14e15c71SEric Biggers  * Note: the pseudocode for NH in the Adiantum paper iterates over 1024-byte
42*14e15c71SEric Biggers  * segments of the message, computes a 32-byte hash for each, and returns all
43*14e15c71SEric Biggers  * the hashes concatenated together.  In contrast, this function just hashes one
44*14e15c71SEric Biggers  * segment and returns one hash.  It's the caller's responsibility to call this
45*14e15c71SEric Biggers  * function for each 1024-byte segment and collect all the hashes.
46*14e15c71SEric Biggers  *
47*14e15c71SEric Biggers  * Context: Any context.
48*14e15c71SEric Biggers  */
49*14e15c71SEric Biggers void nh(const u32 *key, const u8 *message, size_t message_len,
50*14e15c71SEric Biggers 	__le64 hash[NH_NUM_PASSES]);
51*14e15c71SEric Biggers 
52*14e15c71SEric Biggers #endif /* _CRYPTO_NH_H */
53