Crypto++  7.0
Free C++ class library of cryptographic schemes
poly1305.h
Go to the documentation of this file.
1 // poly1305.h - written and placed in the public domain by Jeffrey Walton and Jean-Pierre Munch
2 // Based on Andy Polyakov's Base-2^26 scalar multiplication implementation for OpenSSL.
3 
4 /// \file poly1305.h
5 /// \brief Classes for Poly1305 message authentication code
6 /// \details Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide
7 /// variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length
8 /// message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce.
9 /// \details Each message must use a unique security context, which means either the key or nonce
10 /// must be changed after each message. It can be accomplished in one of two ways. First, you
11 /// can create a new Poly1305 object with a key and nonce each time its needed.
12 /// <pre> SecByteBlock key(32), nonce(16);
13 /// prng.GenerateBlock(key, key.size());
14 /// prng.GenerateBlock(nonce, nonce.size());
15 ///
16 /// Poly1305<AES> poly1305(key, key.size(), nonce, nonce.size());
17 /// poly1305.Update(...);
18 /// poly1305.Final(...);</pre>
19 ///
20 /// \details Second, you can create a Poly1305 object, reuse the key, and set a fresh nonce
21 /// for each message. The second and subsequent nonces can be generated directly using a
22 /// RandomNumberGenerator() derived class; or it can be generated using GetNextIV().
23 /// <pre> SecByteBlock key(32), nonce(16);
24 /// prng.GenerateBlock(key, key.size());
25 /// prng.GenerateBlock(nonce, nonce.size());
26 ///
27 /// // First message
28 /// Poly1305<AES> poly1305(key, key.size());
29 /// poly1305.Resynchronize(nonce);
30 /// poly1305.Update(...);
31 /// poly1305.Final(...);
32 ///
33 /// // Second message
34 /// poly1305.GetNextIV(prng, nonce);
35 /// poly1305.Resynchronize(nonce);
36 /// poly1305.Update(...);
37 /// poly1305.Final(...);
38 /// ...</pre>
39 /// \sa Daniel J. Bernstein <A HREF="http://cr.yp.to/mac/poly1305-20050329.pdf">The Poly1305-AES
40 /// Message-Authentication Code (20050329)</A> and Andy Polyakov <A
41 /// HREF="http://www.openssl.org/blog/blog/2016/02/15/poly1305-revised/">Poly1305 Revised</A>
42 /// \since Crypto++ 6.0
43 
44 #ifndef CRYPTOPP_POLY1305_H
45 #define CRYPTOPP_POLY1305_H
46 
47 #include "cryptlib.h"
48 #include "seckey.h"
49 #include "secblock.h"
50 #include "argnames.h"
51 #include "algparam.h"
52 
53 NAMESPACE_BEGIN(CryptoPP)
54 
55 /// \brief Poly1305 message authentication code base class
56 /// \tparam T class derived from BlockCipherDocumentation with 16-byte key and 16-byte blocksize
57 /// \since Crypto++ 6.0
58 template <class T>
59 class CRYPTOPP_NO_VTABLE Poly1305_Base : public FixedKeyLength<32, SimpleKeyingInterface::UNIQUE_IV, 16>, public MessageAuthenticationCode
60 {
61  CRYPTOPP_COMPILE_ASSERT(T::DEFAULT_KEYLENGTH == 16);
62  CRYPTOPP_COMPILE_ASSERT(T::BLOCKSIZE == 16);
63 
64 public:
65  static std::string StaticAlgorithmName() {return std::string("Poly1305(") + T::StaticAlgorithmName() + ")";}
66 
67  CRYPTOPP_CONSTANT(DIGESTSIZE=T::BLOCKSIZE)
68  CRYPTOPP_CONSTANT(BLOCKSIZE=T::BLOCKSIZE)
69 
70  Poly1305_Base() : m_idx(0), m_used(true) {}
71 
72  void Resynchronize (const byte *iv, int ivLength=-1);
73  void GetNextIV (RandomNumberGenerator &rng, byte *iv);
74 
75  void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params);
76  void Update(const byte *input, size_t length);
77  void TruncatedFinal(byte *mac, size_t size);
78  void Restart();
79 
80  unsigned int BlockSize() const {return BLOCKSIZE;}
81  unsigned int DigestSize() const {return DIGESTSIZE;}
82 
83 protected:
84  void HashBlocks(const byte *input, size_t length, word32 padbit);
85  void HashFinal(byte *mac, size_t length);
86 
87  typename T::Encryption m_cipher;
88 
89  // Accumulated hash, clamped r-key, and encrypted nonce
93 
94  // Accumulated message bytes and index
96  size_t m_idx;
97 
98  // Track nonce reuse; assert in debug but continue
99  bool m_used;
100 };
101 
102 /// \brief Poly1305 message authentication code
103 /// \tparam T class derived from BlockCipherDocumentation with 16-byte key and 16-byte blocksize
104 /// \details Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide
105 /// variety of applications. Poly1305-AES computes a 16-byte authenticator of a variable-length
106 /// message, using a 16-byte AES key, a 16-byte additional key, and a 16-byte nonce.
107 /// \details Each message must use a unique security context, which means either the key or nonce
108 /// must be changed after each message. It can be accomplished in one of two ways. First, you
109 /// can create a new Poly1305 object with a key and nonce each time its needed.
110 /// <pre> SecByteBlock key(32), nonce(16);
111 /// prng.GenerateBlock(key, key.size());
112 /// prng.GenerateBlock(nonce, nonce.size());
113 ///
114 /// Poly1305<AES> poly1305(key, key.size(), nonce, nonce.size());
115 /// poly1305.Update(...);
116 /// poly1305.Final(...);</pre>
117 ///
118 /// \details Second, you can create a Poly1305 object, reuse the key, and set a fresh nonce
119 /// for each message. The second and subsequent nonces can be generated directly using a
120 /// RandomNumberGenerator() derived class; or it can be generated using GetNextIV().
121 /// <pre> SecByteBlock key(32), nonce(16);
122 /// prng.GenerateBlock(key, key.size());
123 /// prng.GenerateBlock(nonce, nonce.size());
124 ///
125 /// // First message
126 /// Poly1305<AES> poly1305(key, key.size());
127 /// poly1305.Resynchronize(nonce);
128 /// poly1305.Update(...);
129 /// poly1305.Final(...);
130 ///
131 /// // Second message
132 /// poly1305.GetNextIV(prng, nonce);
133 /// poly1305.Resynchronize(nonce);
134 /// poly1305.Update(...);
135 /// poly1305.Final(...);
136 /// ...</pre>
137 /// \warning The Poly1305 class does not enforce a fresh nonce for each message. The source code
138 /// will assert in debug builds to alert of nonce reuse. No action is taken in release builds.
139 /// \sa Daniel J. Bernstein <A HREF="http://cr.yp.to/mac/poly1305-20050329.pdf">The Poly1305-AES
140 /// Message-Authentication Code (20050329)</A> and Andy Polyakov <A
141 /// HREF="http://www.openssl.org/blog/blog/2016/02/15/poly1305-revised/">Poly1305 Revised</A>
142 /// \since Crypto++ 6.0
143 template <class T>
144 class Poly1305 : public MessageAuthenticationCodeFinal<Poly1305_Base<T> >
145 {
146 public:
147  CRYPTOPP_CONSTANT(DEFAULT_KEYLENGTH=Poly1305_Base<T>::DEFAULT_KEYLENGTH)
148 
149  /// \brief Construct a Poly1305
150  Poly1305() {}
151 
152  /// \brief Construct a Poly1305
153  /// \param key a byte array used to key the cipher
154  /// \param keyLength the size of the byte array, in bytes
155  /// \param nonce a byte array used to key the cipher
156  /// \param nonceLength the size of the byte array, in bytes
157  /// \details key is the 32-byte key composed of the 16-byte AES key and the 16 additional key
158  /// bytes used for <tt>r</tt>.
159  /// \details Each message requires a unique security context. You can use GetNextIV() and
160  /// Resynchronize() to set a new nonce under a key for a message.
161  Poly1305(const byte *key, size_t keyLength=DEFAULT_KEYLENGTH, const byte *nonce=NULLPTR, size_t nonceLength=0)
162  {this->SetKey(key, keyLength, MakeParameters(Name::IV(), ConstByteArrayParameter(nonce, nonceLength)));}
163 };
164 
165 NAMESPACE_END
166 
167 #endif // CRYPTOPP_POLY1305_H
Used to pass byte array input as part of a NameValuePairs object.
Definition: algparam.h:20
Standard names for retrieving values by name when working with NameValuePairs.
Interface for message authentication codes.
Definition: cryptlib.h:1245
Poly1305 message authentication code base class.
Definition: poly1305.h:59
Inherited by keyed algorithms with fixed key length.
Definition: seckey.h:147
Classes for working with NameValuePairs.
virtual void SetKey(const byte *key, size_t length, const NameValuePairs &params=g_nullNameValuePairs)
Sets or reset the key of this object.
Definition: cryptlib.cpp:64
virtual void TruncatedFinal(byte *digest, size_t digestSize)=0
Computes the hash of the current message.
unsigned int BlockSize() const
Provides the block size of the compression function.
Definition: poly1305.h:80
Abstract base classes that provide a uniform interface to this library.
Interface for random number generators.
Definition: cryptlib.h:1330
Provides class member functions to key a message authentication code.
Definition: seckey.h:392
Classes and functions for secure memory allocations.
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:502
virtual void Restart()
Restart the hash.
Definition: cryptlib.h:1100
Classes and functions for implementing secret key algorithms.
virtual void Resynchronize(const byte *iv, int ivLength=-1)
Resynchronize with an IV.
Definition: cryptlib.h:736
#define CRYPTOPP_COMPILE_ASSERT(expr)
Compile time assertion.
Definition: misc.h:144
Poly1305 message authentication code.
Definition: poly1305.h:144
const char * IV()
ConstByteArrayParameter, also accepts const byte * for backwards compatibility.
Definition: argnames.h:21
unsigned int DigestSize() const
Provides the digest size of the hash.
Definition: poly1305.h:81
Poly1305(const byte *key, size_t keyLength=DEFAULT_KEYLENGTH, const byte *nonce=NULL, size_t nonceLength=0)
Construct a Poly1305.
Definition: poly1305.h:161
Crypto++ library namespace.
virtual void GetNextIV(RandomNumberGenerator &rng, byte *iv)
Retrieves a secure IV for the next message.
Definition: cryptlib.cpp:142
virtual void Update(const byte *input, size_t length)=0
Updates a hash with additional input.
Interface for retrieving values given their names.
Definition: cryptlib.h:290