- add EAX mode, XSalsa20

- speed up GCM key setup - wipe stack in AES assembly code - speed up CFB mode
weidai11 · Mar 12, 2009 · 2779fc6 · 2779fc6
1 parent 64af456
commit 2779fc6
Show file tree

Hide file tree

Showing 29 changed files with 1,560 additions and 795 deletions.
diff --git a/Readme.txt b/Readme.txt
@@ -412,7 +412,7 @@ the mailing list.
  Intel C++ Compiler 10.0, and Borland C++Builder 2007
 
 5.6 - added AuthenticatedSymmetricCipher interface class and Filter wrappers
- - added CCM, GCM (with SSE2 assembly), CMAC, and SEED
+ - added CCM, GCM (with SSE2 assembly), EAX, CMAC, XSalsa20, and SEED
  - added support for variable length IVs
  - improved AES and SHA-256 speed on x86 and x64
  - fixed run-time validation error on x86-64 with GCC 4.3.2 -O2

diff --git a/TestVectors/all.txt b/TestVectors/all.txt
@@ -25,3 +25,4 @@ Test: TestVectors/sosemanuk.txt
 Test: TestVectors/ccm.txt
 Test: TestVectors/gcm.txt
 Test: TestVectors/cmac.txt
+Test: TestVectors/eax.txt
diff --git a/TestVectors/eax.txt b/TestVectors/eax.txt
@@ -0,0 +1,75 @@
+AlgorithmType: AuthenticatedSymmetricCipher
+Name: AES/EAX
+Source: http:https://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf
+Plaintext:
+Key: 233952DEE4D5ED5F9B9C6D6FF80FF478
+IV: 62EC67F9C3A4A407FCB2A8C49031A8B3
+Header: 6BFB914FD07EAE6B
+Ciphertext: E037830E8389F27B025A2D6527E79D01
+Test: Encrypt
+Plaintext: F7FB
+Key: 91945D3F4DCBEE0BF45EF52255F095A4
+IV: BECAF043B0A23D843194BA972C66DEBD
+Header: FA3BFD4806EB53FA
+Ciphertext: 19DD5C4C9331049D0BDAB0277408F67967E5
+Test: Encrypt
+Plaintext: 1A47CB4933
+Key: 01F74AD64077F2E704C0F60ADA3DD523
+IV: 70C3DB4F0D26368400A10ED05D2BFF5E
+Header: 234A3463C1264AC6
+Ciphertext: D851D5BAE03A59F238A23E39199DC9266626C40F80
+Test: Encrypt
+Plaintext: 481C9E39B1
+Key: D07CF6CBB7F313BDDE66B727AFD3C5E8
+IV: 8408DFFF3C1A2B1292DC199E46B7D617
+Header: 33CCE2EABFF5A79D
+Ciphertext: 632A9D131AD4C168A4225D8E1FF755939974A7BEDE
+Test: Encrypt
+Plaintext: 40D0C07DA5E4
+Key: 35B6D0580005BBC12B0587124557D2C2
+IV: FDB6B06676EEDC5C61D74276E1F8E816
+Header: AEB96EAEBE2970E9
+Ciphertext: 071DFE16C675CB0677E536F73AFE6A14B74EE49844DD
+Test: Encrypt
+Plaintext: 4DE3B35C3FC039245BD1FB7D
+Key: BD8E6E11475E60B268784C38C62FEB22
+IV: 6EAC5C93072D8E8513F750935E46DA1B
+Header: D4482D1CA78DCE0F
+Ciphertext: 835BB4F15D743E350E728414ABB8644FD6CCB86947C5E10590210A4F
+Test: Encrypt
+Plaintext: 8B0A79306C9CE7ED99DAE4F87F8DD61636
+Key: 7C77D6E813BED5AC98BAA417477A2E7D
+IV: 1A8C98DCD73D38393B2BF1569DEEFC19
+Header: 65D2017990D62528
+Ciphertext: 02083E3979DA014812F59F11D52630DA30137327D10649B0AA6E1C181DB617D7F2
+Test: Encrypt
+Plaintext: 1BDA122BCE8A8DBAF1877D962B8592DD2D56
+Key: 5FFF20CAFAB119CA2FC73549E20F5B0D
+IV: DDE59B97D722156D4D9AFF2BC7559826
+Header: 54B9F04E6A09189A
+Ciphertext: 2EC47B2C4954A489AFC7BA4897EDCDAE8CC33B60450599BD02C96382902AEF7F832A
+Test: Encrypt
+Plaintext: 6CF36720872B8513F6EAB1A8A44438D5EF11
+Key: A4A4782BCFFD3EC5E7EF6D8C34A56123
+IV: B781FCF2F75FA5A8DE97A9CA48E522EC
+Header: 899A175897561D7E
+Ciphertext: 0DE18FD0FDD91E7AF19F1D8EE8733938B1E8E7F6D2231618102FDB7FE55FF1991700
+Test: Encrypt
+Plaintext: CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7
+Key: 8395FCF1E95BEBD697BD010BC766AAC3
+IV: 22E7ADD93CFC6393C57EC0B3C17D6B44
+Header: 126735FCC320D25A
+Ciphertext: CB8920F87A6C75CFF39627B56E3ED197C552D295A7CFC46AFC253B4652B1AF3795B124AB6E
+Test: Encrypt
+Plaintext: CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7
+Key: 8395FCF1E95BEBD697BD010BC766AAC3
+IV: 22E7ADD93CFC6393C57EC0B3C17D6B44
+Header: 126735FCC320D25A
+Ciphertext: CB8920F87A6C75CFF39627B56E3ED197C552D295A7CFC46AFC253B4652B1AF3795B124AB6E
+Test: Encrypt
+Plaintext: CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7
+Key: 8395FCF1E95BEBD697BD010BC766AAC3
+IV: 22E7ADD93CFC6393C57EC0B3C17D6B44
+Header: 126735FCC320D25A
+Ciphertext: 0B8920F87A6C75CFF39627B56E3ED197C552D295A7CFC46AFC253B4652B1AF3795B124AB6E
+Test: NotVerify
diff --git a/TestVectors/salsa.txt b/TestVectors/salsa.txt
diff --git a/authenc.h b/authenc.h
@@ -34,7 +34,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE AuthenticatedSymmetricCipherBase : public
  virtual void Resync(const byte *iv, size_t len) =0;
  virtual size_t AuthenticateBlocks(const byte *data, size_t len) =0;
  virtual void AuthenticateLastHeaderBlock() =0;
- virtual void AuthenticateLastConfidentialBlock() =0;
+ virtual void AuthenticateLastConfidentialBlock() {}
  virtual void AuthenticateLastFooterBlock(byte *mac, size_t macSize) =0;
 
  enum State {State_Start, State_KeySet, State_IVSet, State_AuthUntransformed, State_AuthTransformed, State_AuthFooter};

diff --git a/bench.cpp b/bench.cpp
@@ -238,6 +238,7 @@ void BenchmarkAll(double t, double hertz)
  BenchMarkByName2<AuthenticatedSymmetricCipher, StreamTransformation>("AES/GCM", 0, "AES/GCM (2K tables)", MakeParameters(Name::TableSize(), 2048));
  BenchMarkByName2<AuthenticatedSymmetricCipher, StreamTransformation>("AES/GCM", 0, "AES/GCM (64K tables)", MakeParameters(Name::TableSize(), 64*1024));
  BenchMarkByName2<AuthenticatedSymmetricCipher, StreamTransformation>("AES/CCM");
+ BenchMarkByName2<AuthenticatedSymmetricCipher, StreamTransformation>("AES/EAX");
 
  cout << "\n<TBODY style=\"background: white\">";
  BenchMarkByName2<AuthenticatedSymmetricCipher, MessageAuthenticationCode>("AES/GCM", 0, "GMAC(AES) (2K tables)", MakeParameters(Name::TableSize(), 2048));

diff --git a/bench2.cpp b/bench2.cpp
@@ -245,44 +245,44 @@ void BenchmarkAll2(double t, double hertz)
  cout << "<THEAD><TR><TH>Operation<TH>Milliseconds/Operation" << (g_hertz ? "<TH>Megacycles/Operation" : "") << endl;
 
  cout << "\n<TBODY style=\"background: yellow\">";
- BenchMarkCrypto<RSAES<OAEP<SHA> > >("rsa1024.dat", "RSA 1024", t);
- BenchMarkCrypto<LUCES<OAEP<SHA> > >("luc1024.dat", "LUC 1024", t);
- BenchMarkCrypto<DLIES<> >("dlie1024.dat", "DLIES 1024", t);
- BenchMarkCrypto<LUC_IES<> >("lucc512.dat", "LUCELG 512", t);
+ BenchMarkCrypto<RSAES<OAEP<SHA> > >("TestData/rsa1024.dat", "RSA 1024", t);
+ BenchMarkCrypto<LUCES<OAEP<SHA> > >("TestData/luc1024.dat", "LUC 1024", t);
+ BenchMarkCrypto<DLIES<> >("TestData/dlie1024.dat", "DLIES 1024", t);
+ BenchMarkCrypto<LUC_IES<> >("TestData/lucc512.dat", "LUCELG 512", t);
 
  cout << "\n<TBODY style=\"background: white\">";
- BenchMarkCrypto<RSAES<OAEP<SHA> > >("rsa2048.dat", "RSA 2048", t);
- BenchMarkCrypto<LUCES<OAEP<SHA> > >("luc2048.dat", "LUC 2048", t);
- BenchMarkCrypto<DLIES<> >("dlie2048.dat", "DLIES 2048", t);
- BenchMarkCrypto<LUC_IES<> >("lucc1024.dat", "LUCELG 1024", t);
+ BenchMarkCrypto<RSAES<OAEP<SHA> > >("TestData/rsa2048.dat", "RSA 2048", t);
+ BenchMarkCrypto<LUCES<OAEP<SHA> > >("TestData/luc2048.dat", "LUC 2048", t);
+ BenchMarkCrypto<DLIES<> >("TestData/dlie2048.dat", "DLIES 2048", t);
+ BenchMarkCrypto<LUC_IES<> >("TestData/lucc1024.dat", "LUCELG 1024", t);
 
  cout << "\n<TBODY style=\"background: yellow\">";
- BenchMarkSignature<RSASS<PSSR, SHA> >("rsa1024.dat", "RSA 1024", t);
- BenchMarkSignature<RWSS<PSSR, SHA> >("rw1024.dat", "RW 1024", t);
- BenchMarkSignature<LUCSS<PSSR, SHA> >("luc1024.dat", "LUC 1024", t);
- BenchMarkSignature<NR<SHA> >("nr1024.dat", "NR 1024", t);
- BenchMarkSignature<DSA>("dsa1024.dat", "DSA 1024", t);
- BenchMarkSignature<LUC_HMP<SHA> >("lucs512.dat", "LUC-HMP 512", t);
- BenchMarkSignature<ESIGN<SHA> >("esig1023.dat", "ESIGN 1023", t);
- BenchMarkSignature<ESIGN<SHA> >("esig1536.dat", "ESIGN 1536", t);
+ BenchMarkSignature<RSASS<PSSR, SHA> >("TestData/rsa1024.dat", "RSA 1024", t);
+ BenchMarkSignature<RWSS<PSSR, SHA> >("TestData/rw1024.dat", "RW 1024", t);
+ BenchMarkSignature<LUCSS<PSSR, SHA> >("TestData/luc1024.dat", "LUC 1024", t);
+ BenchMarkSignature<NR<SHA> >("TestData/nr1024.dat", "NR 1024", t);
+ BenchMarkSignature<DSA>("TestData/dsa1024.dat", "DSA 1024", t);
+ BenchMarkSignature<LUC_HMP<SHA> >("TestData/lucs512.dat", "LUC-HMP 512", t);
+ BenchMarkSignature<ESIGN<SHA> >("TestData/esig1023.dat", "ESIGN 1023", t);
+ BenchMarkSignature<ESIGN<SHA> >("TestData/esig1536.dat", "ESIGN 1536", t);
 
  cout << "\n<TBODY style=\"background: white\">";
- BenchMarkSignature<RSASS<PSSR, SHA> >("rsa2048.dat", "RSA 2048", t);
- BenchMarkSignature<RWSS<PSSR, SHA> >("rw2048.dat", "RW 2048", t);
- BenchMarkSignature<LUCSS<PSSR, SHA> >("luc2048.dat", "LUC 2048", t);
- BenchMarkSignature<NR<SHA> >("nr2048.dat", "NR 2048", t);
- BenchMarkSignature<LUC_HMP<SHA> >("lucs1024.dat", "LUC-HMP 1024", t);
- BenchMarkSignature<ESIGN<SHA> >("esig2046.dat", "ESIGN 2046", t);
+ BenchMarkSignature<RSASS<PSSR, SHA> >("TestData/rsa2048.dat", "RSA 2048", t);
+ BenchMarkSignature<RWSS<PSSR, SHA> >("TestData/rw2048.dat", "RW 2048", t);
+ BenchMarkSignature<LUCSS<PSSR, SHA> >("TestData/luc2048.dat", "LUC 2048", t);
+ BenchMarkSignature<NR<SHA> >("TestData/nr2048.dat", "NR 2048", t);
+ BenchMarkSignature<LUC_HMP<SHA> >("TestData/lucs1024.dat", "LUC-HMP 1024", t);
+ BenchMarkSignature<ESIGN<SHA> >("TestData/esig2046.dat", "ESIGN 2046", t);
 
  cout << "\n<TBODY style=\"background: yellow\">";
- BenchMarkKeyAgreement<XTR_DH>("xtrdh171.dat", "XTR-DH 171", t);
- BenchMarkKeyAgreement<XTR_DH>("xtrdh342.dat", "XTR-DH 342", t);
- BenchMarkKeyAgreement<DH>("dh1024.dat", "DH 1024", t);
- BenchMarkKeyAgreement<DH>("dh2048.dat", "DH 2048", t);
- BenchMarkKeyAgreement<LUC_DH>("lucd512.dat", "LUCDIF 512", t);
- BenchMarkKeyAgreement<LUC_DH>("lucd1024.dat", "LUCDIF 1024", t);
- BenchMarkKeyAgreement<MQV>("mqv1024.dat", "MQV 1024", t);
- BenchMarkKeyAgreement<MQV>("mqv2048.dat", "MQV 2048", t);
+ BenchMarkKeyAgreement<XTR_DH>("TestData/xtrdh171.dat", "XTR-DH 171", t);
+ BenchMarkKeyAgreement<XTR_DH>("TestData/xtrdh342.dat", "XTR-DH 342", t);
+ BenchMarkKeyAgreement<DH>("TestData/dh1024.dat", "DH 1024", t);
+ BenchMarkKeyAgreement<DH>("TestData/dh2048.dat", "DH 2048", t);
+ BenchMarkKeyAgreement<LUC_DH>("TestData/lucd512.dat", "LUCDIF 512", t);
+ BenchMarkKeyAgreement<LUC_DH>("TestData/lucd1024.dat", "LUCDIF 1024", t);
+ BenchMarkKeyAgreement<MQV>("TestData/mqv1024.dat", "MQV 1024", t);
+ BenchMarkKeyAgreement<MQV>("TestData/mqv2048.dat", "MQV 2048", t);
 
  cout << "\n<TBODY style=\"background: white\">";
  {

diff --git a/ccm.h b/ccm.h
@@ -36,7 +36,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CCM_Base : public AuthenticatedSymmetricCi
  {return 7;}
  unsigned int MaxIVLength() const
  {return 13;}
- unsigned int DigestSize(void) const
+ unsigned int DigestSize() const
  {return m_digestSize;}
  lword MaxHeaderLength() const
  {return W64LIT(0)-1;}

diff --git a/cmac.h b/cmac.h
@@ -1,48 +1,52 @@
-#ifndef CRYPTOPP_CMAC_H
-#define CRYPTOPP_CMAC_H
-
-#include "seckey.h"
-#include "secblock.h"
-
-NAMESPACE_BEGIN(CryptoPP)
-
-//! _
-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CMAC_Base : public MessageAuthenticationCode
-{
-public:
- CMAC_Base() {}
-
- void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params);
- void Update(const byte *input, size_t length);
- void TruncatedFinal(byte *mac, size_t size);
- unsigned int DigestSize() const {return const_cast<CMAC_Base*>(this)->AccessCipher().BlockSize();}
-
-protected:
- virtual BlockCipher & AccessCipher() =0;
-
-private:
- void ProcessBuf();
- SecByteBlock m_reg;
- unsigned int m_counter;
-};
-
-/// <a href="http:https://www.cryptolounge.org/wiki/CMAC">CMAC</a>
-/*! Template parameter T should be a class derived from BlockCipherDocumentation, for example AES, with a block size of 8, 16, or 32 */
-template <class T>
-class CMAC : public MessageAuthenticationCodeImpl<CMAC_Base, CMAC<T> >, public SameKeyLengthAs<T>
-{
-public:
- CMAC() {}
- CMAC(const byte *key, size_t length=SameKeyLengthAs<T>::DEFAULT_KEYLENGTH)
- {this->SetKey(key, length);}
-
- static std::string StaticAlgorithmName() {return std::string("CMAC(") + T::StaticAlgorithmName() + ")";}
-
-private:
- BlockCipher & AccessCipher() {return m_cipher;}
- typename T::Encryption m_cipher;
-};
-
-NAMESPACE_END
-
-#endif
+#ifndef CRYPTOPP_CMAC_H
+#define CRYPTOPP_CMAC_H
+
+#include "seckey.h"
+#include "secblock.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+//! _
+class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CMAC_Base : public MessageAuthenticationCode
+{
+public:
+ CMAC_Base() {}
+
+ void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params);
+ void Update(const byte *input, size_t length);
+ void TruncatedFinal(byte *mac, size_t size);
+ unsigned int DigestSize() const {return GetCipher().BlockSize();}
+ unsigned int OptimalBlockSize() const {return GetCipher().BlockSize();}
+ unsigned int OptimalDataAlignment() const {return GetCipher().OptimalDataAlignment();}
+
+protected:
+ friend class EAX_Base;
+
+ const BlockCipher & GetCipher() const {return const_cast<CMAC_Base*>(this)->AccessCipher();}
+ virtual BlockCipher & AccessCipher() =0;
+
+ void ProcessBuf();
+ SecByteBlock m_reg;
+ unsigned int m_counter;
+};
+
+/// <a href="http:https://www.cryptolounge.org/wiki/CMAC">CMAC</a>
+/*! Template parameter T should be a class derived from BlockCipherDocumentation, for example AES, with a block size of 8, 16, or 32 */
+template <class T>
+class CMAC : public MessageAuthenticationCodeImpl<CMAC_Base, CMAC<T> >, public SameKeyLengthAs<T>
+{
+public:
+ CMAC() {}
+ CMAC(const byte *key, size_t length=SameKeyLengthAs<T>::DEFAULT_KEYLENGTH)
+ {this->SetKey(key, length);}
+
+ static std::string StaticAlgorithmName() {return std::string("CMAC(") + T::StaticAlgorithmName() + ")";}
+
+private:
+ BlockCipher & AccessCipher() {return m_cipher;}
+ typename T::Encryption m_cipher;
+};
+
+NAMESPACE_END
+
+#endif