1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
|
const std = @import("std");
const crypto = std.crypto;
const debug = std.debug;
const mem = std.mem;
const math = std.math;
const testing = std.testing;
const Ascon = crypto.core.Ascon(.big);
const AuthenticationError = crypto.errors.AuthenticationError;
/// ISAPv2 is an authenticated encryption system hardened against side channels and fault attacks.
/// https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/isap-spec-round2.pdf
///
/// Note that ISAP is not suitable for high-performance applications.
///
/// However:
/// - if allowing physical access to the device is part of your threat model,
/// - or if you need resistance against microcode/hardware-level side channel attacks,
/// - or if software-induced fault attacks such as rowhammer are a concern,
///
/// then you may consider ISAP for highly sensitive data.
pub const IsapA128A = struct {
pub const key_length = 16;
pub const nonce_length = 16;
pub const tag_length: usize = 16;
const iv1 = [_]u8{ 0x01, 0x80, 0x40, 0x01, 0x0c, 0x01, 0x06, 0x0c };
const iv2 = [_]u8{ 0x02, 0x80, 0x40, 0x01, 0x0c, 0x01, 0x06, 0x0c };
const iv3 = [_]u8{ 0x03, 0x80, 0x40, 0x01, 0x0c, 0x01, 0x06, 0x0c };
st: Ascon,
fn absorb(isap: *IsapA128A, m: []const u8) void {
var i: usize = 0;
while (true) : (i += 8) {
const left = m.len - i;
if (left >= 8) {
isap.st.addBytes(m[i..][0..8]);
isap.st.permute();
if (left == 8) {
isap.st.addByte(0x80, 0);
isap.st.permute();
break;
}
} else {
var padded = [_]u8{0} ** 8;
@memcpy(padded[0..left], m[i..]);
padded[left] = 0x80;
isap.st.addBytes(&padded);
isap.st.permute();
break;
}
}
}
fn trickle(k: [16]u8, iv: [8]u8, y: []const u8, comptime out_len: usize) [out_len]u8 {
var isap = IsapA128A{
.st = Ascon.initFromWords(.{
mem.readInt(u64, k[0..8], .big),
mem.readInt(u64, k[8..16], .big),
mem.readInt(u64, iv[0..8], .big),
0,
0,
}),
};
isap.st.permute();
var i: usize = 0;
while (i < y.len * 8 - 1) : (i += 1) {
const cur_byte_pos = i / 8;
const cur_bit_pos: u3 = @truncate(7 - (i % 8));
const cur_bit = ((y[cur_byte_pos] >> cur_bit_pos) & 1) << 7;
isap.st.addByte(cur_bit, 0);
isap.st.permuteR(1);
}
const cur_bit = (y[y.len - 1] & 1) << 7;
isap.st.addByte(cur_bit, 0);
isap.st.permute();
var out: [out_len]u8 = undefined;
isap.st.extractBytes(&out);
isap.st.secureZero();
return out;
}
fn mac(c: []const u8, ad: []const u8, npub: [16]u8, key: [16]u8) [16]u8 {
var isap = IsapA128A{
.st = Ascon.initFromWords(.{
mem.readInt(u64, npub[0..8], .big),
mem.readInt(u64, npub[8..16], .big),
mem.readInt(u64, iv1[0..], .big),
0,
0,
}),
};
isap.st.permute();
isap.absorb(ad);
isap.st.addByte(1, Ascon.block_bytes - 1);
isap.absorb(c);
var y: [16]u8 = undefined;
isap.st.extractBytes(&y);
const nb = trickle(key, iv2, y[0..], 16);
isap.st.setBytes(&nb);
isap.st.permute();
var tag: [16]u8 = undefined;
isap.st.extractBytes(&tag);
isap.st.secureZero();
return tag;
}
fn xor(out: []u8, in: []const u8, npub: [16]u8, key: [16]u8) void {
debug.assert(in.len == out.len);
const nb = trickle(key, iv3, npub[0..], 24);
var isap = IsapA128A{
.st = Ascon.initFromWords(.{
mem.readInt(u64, nb[0..8], .big),
mem.readInt(u64, nb[8..16], .big),
mem.readInt(u64, nb[16..24], .big),
mem.readInt(u64, npub[0..8], .big),
mem.readInt(u64, npub[8..16], .big),
}),
};
isap.st.permuteR(6);
var i: usize = 0;
while (true) : (i += 8) {
const left = in.len - i;
if (left >= 8) {
isap.st.xorBytes(out[i..][0..8], in[i..][0..8]);
if (left == 8) {
break;
}
isap.st.permuteR(6);
} else {
isap.st.xorBytes(out[i..], in[i..]);
break;
}
}
isap.st.secureZero();
}
pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void {
xor(c, m, npub, key);
tag.* = mac(c, ad, npub, key);
}
/// `m`: Message
/// `c`: Ciphertext
/// `tag`: Authentication tag
/// `ad`: Associated data
/// `npub`: Public nonce
/// `k`: Private key
/// Asserts `c.len == m.len`.
///
/// Contents of `m` are undefined if an error is returned.
pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void {
var computed_tag = mac(c, ad, npub, key);
const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag);
if (!verify) {
crypto.secureZero(u8, &computed_tag);
@memset(m, undefined);
return error.AuthenticationFailed;
}
xor(m, c, npub, key);
}
};
test "ISAP" {
const k = [_]u8{1} ** 16;
const n = [_]u8{2} ** 16;
var tag: [16]u8 = undefined;
const ad = "ad";
var msg = "test";
var c: [msg.len]u8 = undefined;
IsapA128A.encrypt(c[0..], &tag, msg[0..], ad, n, k);
try testing.expect(mem.eql(u8, &[_]u8{ 0x8f, 0x68, 0x03, 0x8d }, c[0..]));
try testing.expect(mem.eql(u8, &[_]u8{ 0x6c, 0x25, 0xe8, 0xe2, 0xe1, 0x1f, 0x38, 0xe9, 0x80, 0x75, 0xde, 0xd5, 0x2d, 0xb2, 0x31, 0x82 }, tag[0..]));
try IsapA128A.decrypt(c[0..], c[0..], tag, ad, n, k);
try testing.expect(mem.eql(u8, msg, c[0..]));
}
|
