author    Jussi Kivilinna <jussi.kivilinna@iki.fi>  2021-07-28 12:26:00 +0300
committer Jussi Kivilinna <jussi.kivilinna@iki.fi>  2021-08-26 20:30:31 +0300
commit    659a208cb065d686f60e2c4f51856f460d6b44f5 (patch)
tree      92981640db56d3f0f015c16b8412ee5013952f50 /doc
parent    9e3b0446653fda6912e91fae84883cdbefdc2195 (diff)
download  libgcrypt-659a208cb065d686f60e2c4f51856f460d6b44f5.tar.gz
Add SIV mode (RFC 5297)
* cipher/Makefile.am: Add 'cipher-siv.c'.
* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Rename to
_gcry_cipher_ctr_encrypt_ctx and add algo context parameter.
(_gcry_cipher_ctr_encrypt): New using _gcry_cipher_ctr_encrypt_ctx.
* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.siv'.
(_gcry_cipher_ctr_encrypt_ctx, _gcry_cipher_siv_encrypt)
(_gcry_cipher_siv_decrypt, _gcry_cipher_siv_set_nonce)
(_gcry_cipher_siv_authenticate, _gcry_cipher_siv_set_decryption_tag)
(_gcry_cipher_siv_get_tag, _gcry_cipher_siv_check_tag)
(_gcry_cipher_siv_setkey): New.
* cipher/cipher-siv.c: New.
* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
(cipher_reset, _gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add
GCRY_CIPHER_MODE_SIV handling.
(_gcry_cipher_ctl): Add GCRYCTL_SET_DECRYPTION_TAG handling.
* doc/gcrypt.texi: Add documentation for SIV mode.
* src/gcrypt.h.in (GCRYCTL_SET_DECRYPTION_TAG): New.
(GCRY_CIPHER_MODE_SIV): New.
(gcry_cipher_set_decryption_tag): New.
* tests/basic.c (check_siv_cipher): New.
(check_cipher_modes): Add call for 'check_siv_cipher'.
* tests/bench-slope.c (bench_encrypt_init): Use double size key for
SIV mode.
(bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
(bench_aead_authenticate_do_bench): Reset cipher context on each run.
(bench_aead_authenticate_do_bench): Support nonce-less operation.
(bench_siv_encrypt_do_bench, bench_siv_decrypt_do_bench)
(bench_siv_authenticate_do_bench, siv_encrypt_ops)
(siv_decrypt_ops, siv_authenticate_ops): New.
(cipher_modes): Add SIV mode benchmarks.
(cipher_bench_one): Restrict SIV mode testing to 16 byte block-size.
--

GnuPG-bug-id: T4486
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Diffstat (limited to 'doc')
-rw-r--r--  doc/gcrypt.texi  37
1 files changed, 35 insertions, 2 deletions
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 148a5fa2..e5c4b64e 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -1760,6 +1760,28 @@ EAX is an Authenticated Encryption with Associated Data (AEAD) block cipher
mode by Bellare, Rogaway, and Wagner (see
@uref{http://web.cs.ucdavis.edu/~rogaway/papers/eax.html}).
+@item GCRY_CIPHER_MODE_SIV
+@cindex SIV, SIV mode
+Synthetic Initialization Vector (SIV) is an Authenticated Encryption
+with Associated Data (AEAD) block cipher mode, which is specified in
+RFC-5297. This mode works with block ciphers with block size of 128
+bits and uses tag length of 128 bits. Depending on how it is used,
+SIV achieves either the goal of deterministic authenticated encryption
+or the goal of nonce-based, misuse-resistant authenticated encryption.
+
+The SIV mode requires doubling key-length, for example, using 512-bit
+key with AES-256 (@code{GCRY_CIPHER_AES256}). Multiple AD instances can
+be passed to SIV mode with separate calls to
+@code{gcry_cipher_authenticate}. Nonce may be passed either through
+@code{gcry_cipher_setiv} or in the last call to
+@code{gcry_cipher_authenticate}. Note that use of @code{gcry_cipher_setiv}
+blocks any further calls to @code{gcry_cipher_authenticate} as nonce needs
+to be the last AD element with the SIV mode. When encrypting or decrypting,
+full-sized plaintext or ciphertext needs to be passed to
+@code{gcry_cipher_encrypt} or @code{gcry_cipher_decrypt}. Decryption tag
+needs to be given to SIV mode before decryption using
+@code{gcry_cipher_set_decryption_tag}.
+
@end table
@node Working with cipher handles
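Review bot: the new @item GCRY_CIPHER_MODE_SIV text says SIV gives either deterministic or nonce-based misuse-resistant authenticated encryption "depending on how it is used" but never says which usage is which; suggest stating it explicitly, e.g. "Without a nonce SIV is deterministic: the same key, AD and plaintext always yield the same ciphertext and tag, so equal messages are recognisable as equal. Passing a unique nonce (via @code{gcry_cipher_setiv} or as the last @code{gcry_cipher_authenticate} call) gives nonce-misuse-resistant encryption." Two more gaps in the same paragraph: "full-sized plaintext or ciphertext needs to be passed" should say plainly that the whole message must go in a single @code{gcry_cipher_encrypt} or @code{gcry_cipher_decrypt} call (the synthetic IV is computed over the complete plaintext, so incremental calls cannot work), and the text should say how a tag mismatch on decryption is reported to the caller (the ChangeLog adds _gcry_cipher_siv_check_tag, so presumably via @code{gcry_cipher_checktag} or the return value of @code{gcry_cipher_decrypt}; document whichever it is). Grammar: "block ciphers with block size of 128 bits and uses tag length of 128 bits" should read "block ciphers with a block size of 128 bits and uses a tag length of 128 bits", and "Nonce may be passed" should read "The nonce may be passed".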
@@ -1794,8 +1816,9 @@ ChaCha20 stream cipher. The block cipher modes
@code{GCRY_CIPHER_MODE_CTR} and @code{GCRY_CIPHER_MODE_EAX}) will work
with any block cipher algorithm. GCM mode
(@code{GCRY_CIPHER_MODE_GCM}), CCM mode (@code{GCRY_CIPHER_MODE_CCM}),
-OCB mode (@code{GCRY_CIPHER_MODE_OCB}), and XTS mode
-(@code{GCRY_CIPHER_MODE_XTS}) will only work with block cipher
+OCB mode (@code{GCRY_CIPHER_MODE_OCB}), XTS mode
+(@code{GCRY_CIPHER_MODE_XTS}) and SIV mode
+(@code{GCRY_CIPHER_MODE_SIV}) will only work with block cipher
algorithms which have the block size of 16 bytes.
The third argument @var{flags} can either be passed as @code{0} or as
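Review bot: the rewritten list drops the serial comma the old text had ("OCB mode (...), and XTS mode"); suggest "(@code{GCRY_CIPHER_MODE_XTS}), and SIV mode" so the sentence matches the style of the list a few lines above ("... and @code{GCRY_CIPHER_MODE_EAX})"). While touching the sentence, "which have the block size of 16 bytes" reads better as "which have a block size of 16 bytes". It would also help readers of this section to repeat that SIV needs a key of twice the cipher's normal length, since that requirement currently appears only in the mode list and is easy to miss when choosing the algorithm here.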
@@ -1988,6 +2011,16 @@ implemented as a macro.
@end deftypefun
+The SIV mode requires decryption tag to be input before decryption.
+This is done with:
+
+@deftypefun gcry_error_t gcry_cipher_set_decryption_tag (gcry_cipher_hd_t @var{h}, const void *@var{tag}, size_t @var{taglen})
+
+Set decryption tag for the SIV mode decryption. This is implemented
+as a macro.
+@end deftypefun
+
+
OpenPGP (as defined in RFC-4880) requires a special sync operation in
some places. The following function is used for this:
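Review bot: the new @deftypefun for @code{gcry_cipher_set_decryption_tag} does not state the required @var{taglen} (the mode description fixes the tag at 128 bits, so say that 16 bytes is required and which error is returned otherwise), nor what happens if @code{gcry_cipher_decrypt} is called in SIV mode before any tag has been set; both belong here since this is the only place the function is described. Wording: "requires decryption tag to be input before decryption" should read "requires the decryption tag to be set before decryption". Also the hunk adds two consecutive blank lines after @code{@end deftypefun} where the surrounding text uses one.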