├── .cargo └── audit.toml ├── .github ├── dependabot.yml └── workflows │ ├── aead-stream.yml │ ├── aes-gcm-siv.yml │ ├── aes-gcm.yml │ ├── aes-siv.yml │ ├── ascon-aead128.yml │ ├── belt-dwp.yml │ ├── benches.yml │ ├── ccm.yml │ ├── chacha20poly1305.yml │ ├── deoxys.yml │ ├── eax.yml │ ├── mgm.yml │ ├── ocb3.yml │ ├── security-audit.yml │ ├── workspace.yml │ └── xaes-256-gcm.yml ├── .gitignore ├── Cargo.lock ├── Cargo.toml ├── README.md ├── SECURITY.md ├── aead-stream ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md └── src │ └── lib.rs ├── aes-gcm-siv ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ └── lib.rs └── tests │ ├── aes128gcmsiv.rs │ ├── aes256gcmsiv.rs │ ├── common │ └── mod.rs │ ├── ctr_wrap.rs │ └── data │ ├── wycheproof-128.blb │ └── wycheproof-256.blb ├── aes-gcm ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ └── lib.rs └── tests │ ├── aes128gcm.rs │ ├── aes256gcm.rs │ ├── common │ └── mod.rs │ ├── data │ ├── wycheproof-128.blb │ └── wycheproof-256.blb │ └── other_ivlen.rs ├── aes-siv ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ ├── lib.rs │ └── siv.rs └── tests │ ├── aead.rs │ ├── data │ ├── wycheproof-256.blb │ └── wycheproof-512.blb │ └── siv.rs ├── ascon-aead128 ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ ├── asconcore.rs │ └── lib.rs └── tests │ ├── data │ └── reference_kats.blb │ └── reference_kats.rs ├── belt-dwp ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ ├── gf.rs │ ├── gf │ │ ├── gf128_soft64.rs │ │ └── utils.rs │ ├── ghash.rs │ └── lib.rs └── tests │ └── belt.rs ├── benches ├── Cargo.toml └── src │ ├── aes-gcm-siv.rs │ ├── aes-gcm.rs │ ├── ascon-aead.rs │ ├── belt-dwp.rs │ ├── chacha20poly1305.rs │ ├── deoxys.rs │ └── eax.rs ├── ccm ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── 
LICENSE-MIT ├── README.md ├── src │ ├── lib.rs │ └── private.rs └── tests │ ├── data │ ├── cavp_ccm_aes128_10_13.blb │ ├── cavp_ccm_aes128_12_13.blb │ ├── cavp_ccm_aes128_14_13.blb │ ├── cavp_ccm_aes128_16_10.blb │ ├── cavp_ccm_aes128_16_11.blb │ ├── cavp_ccm_aes128_16_12.blb │ ├── cavp_ccm_aes128_16_13.blb │ ├── cavp_ccm_aes128_16_7.blb │ ├── cavp_ccm_aes128_16_8.blb │ ├── cavp_ccm_aes128_16_9.blb │ ├── cavp_ccm_aes128_4_13.blb │ ├── cavp_ccm_aes128_4_7.blb │ ├── cavp_ccm_aes128_6_13.blb │ ├── cavp_ccm_aes128_8_13.blb │ ├── cavp_ccm_aes192_10_13.blb │ ├── cavp_ccm_aes192_12_13.blb │ ├── cavp_ccm_aes192_14_13.blb │ ├── cavp_ccm_aes192_16_10.blb │ ├── cavp_ccm_aes192_16_11.blb │ ├── cavp_ccm_aes192_16_12.blb │ ├── cavp_ccm_aes192_16_13.blb │ ├── cavp_ccm_aes192_16_7.blb │ ├── cavp_ccm_aes192_16_8.blb │ ├── cavp_ccm_aes192_16_9.blb │ ├── cavp_ccm_aes192_4_13.blb │ ├── cavp_ccm_aes192_4_7.blb │ ├── cavp_ccm_aes192_6_13.blb │ ├── cavp_ccm_aes192_8_13.blb │ ├── cavp_ccm_aes256_10_13.blb │ ├── cavp_ccm_aes256_12_13.blb │ ├── cavp_ccm_aes256_14_13.blb │ ├── cavp_ccm_aes256_16_10.blb │ ├── cavp_ccm_aes256_16_11.blb │ ├── cavp_ccm_aes256_16_12.blb │ ├── cavp_ccm_aes256_16_13.blb │ ├── cavp_ccm_aes256_16_7.blb │ ├── cavp_ccm_aes256_16_8.blb │ ├── cavp_ccm_aes256_16_9.blb │ ├── cavp_ccm_aes256_4_13.blb │ ├── cavp_ccm_aes256_4_7.blb │ ├── cavp_ccm_aes256_6_13.blb │ ├── cavp_ccm_aes256_8_13.blb │ ├── rfc3610_ccm_aes128_10_13.blb │ └── rfc3610_ccm_aes128_8_13.blb │ └── mod.rs ├── chacha20poly1305 ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ ├── cipher.rs │ └── lib.rs └── tests │ ├── data │ ├── wycheproof_chacha20poly1305.blb │ └── wycheproof_xchacha20poly1305.blb │ └── lib.rs ├── deoxys ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ ├── deoxys_bc.rs │ ├── lib.rs │ └── modes.rs └── tests │ ├── deoxys_i_128.rs │ ├── deoxys_i_256.rs │ ├── deoxys_ii_128.rs │ └── deoxys_ii_256.rs ├── eax ├── 
CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ ├── lib.rs │ ├── online.rs │ └── traits.rs └── tests │ ├── aes128eax.rs │ ├── common │ └── mod.rs │ └── data │ └── aes128eax.blb ├── mgm ├── CHANGELOG.md ├── Cargo.lock ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── benches │ └── mod.rs ├── src │ ├── encdec.rs │ ├── gf.rs │ ├── gf │ │ ├── gf128_pclmul.rs │ │ ├── gf128_soft64.rs │ │ ├── gf64_pclmul.rs │ │ ├── gf64_soft64.rs │ │ └── utils.rs │ ├── lib.rs │ └── sealed.rs └── tests │ ├── bad_nonce.rs │ ├── data │ ├── kuznyechik.blb │ └── magma.blb │ └── rfc9058.rs ├── ocb3 ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ └── lib.rs └── tests │ ├── data │ └── rfc7253_ocb_aes.blb │ └── kats.rs ├── xaes-256-gcm ├── CHANGELOG.md ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── src │ └── lib.rs └── tests │ └── xaes256gcm.rs └── xsalsa20poly1305 └── README.md /.cargo/audit.toml: -------------------------------------------------------------------------------- 1 | [advisories] 2 | ignore = [ 3 | "RUSTSEC-2023-0037", # xsalsa20poly1305 unmaintained 4 | ] 5 | informational_warnings = ["unmaintained", "unsound"] 6 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: cargo 4 | directory: "/" 5 | schedule: 6 | interval: daily 7 | open-pull-requests-limit: 10 8 | - package-ecosystem: github-actions 9 | directory: "/" 10 | schedule: 11 | interval: weekly 12 | open-pull-requests-limit: 10 13 | -------------------------------------------------------------------------------- /.github/workflows/aead-stream.yml: -------------------------------------------------------------------------------- 1 | name: aead-stream 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - 
".github/workflows/aead-stream.yml" 7 | - "aead-stream/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: aead-stream 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - thumbv7em-none-eabi 30 | - wasm32-unknown-unknown 31 | steps: 32 | - uses: actions/checkout@v4 33 | - uses: dtolnay/rust-toolchain@master 34 | with: 35 | toolchain: ${{ matrix.rust }} 36 | targets: ${{ matrix.target }} 37 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 38 | 39 | test: 40 | runs-on: ubuntu-latest 41 | strategy: 42 | matrix: 43 | include: 44 | # 32-bit Linux 45 | - target: i686-unknown-linux-gnu 46 | rust: 1.85.0 # MSRV 47 | deps: sudo apt update && sudo apt install gcc-multilib 48 | - target: i686-unknown-linux-gnu 49 | rust: stable 50 | deps: sudo apt update && sudo apt install gcc-multilib 51 | 52 | # 64-bit Linux 53 | - target: x86_64-unknown-linux-gnu 54 | rust: 1.85.0 # MSRV 55 | - target: x86_64-unknown-linux-gnu 56 | rust: stable 57 | steps: 58 | - uses: actions/checkout@v4 59 | - uses: dtolnay/rust-toolchain@master 60 | with: 61 | toolchain: ${{ matrix.rust }} 62 | targets: ${{ matrix.target }} 63 | - run: ${{ matrix.deps }} 64 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features 65 | - run: cargo test --target ${{ matrix.target }} --release 66 | - run: cargo test --target ${{ matrix.target }} --release --all-features 67 | - run: cargo build --target ${{ matrix.target }} --benches 68 | -------------------------------------------------------------------------------- /.github/workflows/aes-gcm-siv.yml: -------------------------------------------------------------------------------- 1 | name: aes-gcm-siv 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/aes-gcm-siv.yml" 7 | - 
"aes-gcm-siv/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: aes-gcm-siv 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | include: 45 | # 32-bit Linux 46 | - target: i686-unknown-linux-gnu 47 | rust: 1.85.0 # MSRV 48 | deps: sudo apt update && sudo apt install gcc-multilib 49 | - target: i686-unknown-linux-gnu 50 | rust: stable 51 | deps: sudo apt update && sudo apt install gcc-multilib 52 | 53 | # 64-bit Linux 54 | - target: x86_64-unknown-linux-gnu 55 | rust: 1.85.0 # MSRV 56 | - target: x86_64-unknown-linux-gnu 57 | rust: stable 58 | steps: 59 | - uses: actions/checkout@v4 60 | - uses: dtolnay/rust-toolchain@master 61 | with: 62 | toolchain: ${{ matrix.rust }} 63 | targets: ${{ matrix.target }} 64 | - run: ${{ matrix.deps }} 65 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features 66 | - run: cargo test --target ${{ matrix.target }} --release 67 | - run: cargo test --target ${{ matrix.target }} --release --all-features 68 | - run: cargo build --target ${{ matrix.target }} --benches 69 | -------------------------------------------------------------------------------- /.github/workflows/aes-gcm.yml: -------------------------------------------------------------------------------- 1 | name: aes-gcm 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/aes-gcm.yml" 7 | - "aes-gcm/**" 8 | - "Cargo.*" 9 | 
push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: aes-gcm 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | include: 45 | # 32-bit Linux 46 | - target: i686-unknown-linux-gnu 47 | rust: 1.85.0 # MSRV 48 | deps: sudo apt update && sudo apt install gcc-multilib 49 | - target: i686-unknown-linux-gnu 50 | rust: stable 51 | deps: sudo apt update && sudo apt install gcc-multilib 52 | 53 | # 64-bit Linux 54 | - target: x86_64-unknown-linux-gnu 55 | rust: 1.85.0 # MSRV 56 | - target: x86_64-unknown-linux-gnu 57 | rust: stable 58 | steps: 59 | - uses: actions/checkout@v4 60 | - uses: dtolnay/rust-toolchain@master 61 | with: 62 | toolchain: ${{ matrix.rust }} 63 | targets: ${{ matrix.target }} 64 | - run: ${{ matrix.deps }} 65 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features --lib 66 | - run: cargo test --target ${{ matrix.target }} --release 67 | - run: cargo test --target ${{ matrix.target }} --release --features zeroize 68 | - run: cargo test --target ${{ matrix.target }} --release --all-features 69 | - run: cargo build --target ${{ matrix.target }} --benches 70 | -------------------------------------------------------------------------------- /.github/workflows/aes-siv.yml: -------------------------------------------------------------------------------- 1 | name: aes-siv 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - 
".github/workflows/aes-siv.yml" 7 | - "aes-siv/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: aes-siv 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | rust: 45 | - 1.85.0 # MSRV 46 | - stable 47 | steps: 48 | - uses: actions/checkout@v4 49 | - uses: dtolnay/rust-toolchain@master 50 | with: 51 | toolchain: ${{ matrix.rust }} 52 | - run: cargo test --release --no-default-features 53 | - run: cargo test --release 54 | - run: cargo test --release --all-features 55 | -------------------------------------------------------------------------------- /.github/workflows/ascon-aead128.yml: -------------------------------------------------------------------------------- 1 | name: ascon-aead128 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/ascon-aead128.yml" 7 | - "ascon-aead128/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: ascon-aead128 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ 
matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | include: 45 | # 32-bit Linux 46 | - target: i686-unknown-linux-gnu 47 | rust: 1.85.0 # MSRV 48 | deps: sudo apt update && sudo apt install gcc-multilib 49 | - target: i686-unknown-linux-gnu 50 | rust: stable 51 | deps: sudo apt update && sudo apt install gcc-multilib 52 | 53 | # 64-bit Linux 54 | - target: x86_64-unknown-linux-gnu 55 | rust: 1.85.0 # MSRV 56 | - target: x86_64-unknown-linux-gnu 57 | rust: stable 58 | steps: 59 | - uses: actions/checkout@v4 60 | - uses: dtolnay/rust-toolchain@master 61 | with: 62 | toolchain: ${{ matrix.rust }} 63 | targets: ${{ matrix.target }} 64 | - run: ${{ matrix.deps }} 65 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features 66 | - run: cargo test --target ${{ matrix.target }} --release 67 | - run: cargo test --target ${{ matrix.target }} --release --features zeroize 68 | - run: cargo test --target ${{ matrix.target }} --release --all-features 69 | -------------------------------------------------------------------------------- /.github/workflows/belt-dwp.yml: -------------------------------------------------------------------------------- 1 | name: belt-dwp 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/belt-dwp.yml" 7 | - "belt-dwp/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: belt-dwp 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 
| - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | include: 45 | # 32-bit Linux 46 | - target: i686-unknown-linux-gnu 47 | rust: 1.85.0 # MSRV 48 | deps: sudo apt update && sudo apt install gcc-multilib 49 | - target: i686-unknown-linux-gnu 50 | rust: stable 51 | deps: sudo apt update && sudo apt install gcc-multilib 52 | 53 | # 64-bit Linux 54 | - target: x86_64-unknown-linux-gnu 55 | rust: 1.85.0 # MSRV 56 | - target: x86_64-unknown-linux-gnu 57 | rust: stable 58 | steps: 59 | - uses: actions/checkout@v4 60 | - uses: dtolnay/rust-toolchain@master 61 | with: 62 | toolchain: ${{ matrix.rust }} 63 | targets: ${{ matrix.target }} 64 | - run: ${{ matrix.deps }} 65 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features --lib 66 | - run: cargo test --target ${{ matrix.target }} --release 67 | - run: cargo test --target ${{ matrix.target }} --release --features heapless 68 | - run: cargo test --target ${{ matrix.target }} --release --all-features 69 | - run: cargo build --target ${{ matrix.target }} --benches 70 | -------------------------------------------------------------------------------- /.github/workflows/benches.yml: -------------------------------------------------------------------------------- 1 | name: benches 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/benches.yml" 7 | - "benches/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: benches 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | if: false # benches are broken until https://github.com/RustCrypto/AEADs/pull/665 merges 23 | runs-on: ubuntu-latest 24 | strategy: 25 | matrix: 26 | rust: 27 | - 1.85.0 # MSRV 28 | - stable 29 | steps: 30 | - uses: actions/checkout@v4 31 | - uses: dtolnay/rust-toolchain@master 32 | with: 33 | toolchain: ${{ 
matrix.rust }} 34 | - run: cargo bench --no-run 35 | -------------------------------------------------------------------------------- /.github/workflows/ccm.yml: -------------------------------------------------------------------------------- 1 | name: ccm 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/ccm.yml" 7 | - "ccm/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: ccm 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - thumbv7em-none-eabi 30 | - wasm32-unknown-unknown 31 | steps: 32 | - uses: actions/checkout@v4 33 | - uses: dtolnay/rust-toolchain@master 34 | with: 35 | toolchain: ${{ matrix.rust }} 36 | targets: ${{ matrix.target }} 37 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 38 | 39 | test: 40 | runs-on: ubuntu-latest 41 | strategy: 42 | matrix: 43 | include: 44 | # 32-bit Linux 45 | - target: i686-unknown-linux-gnu 46 | rust: 1.85.0 # MSRV 47 | deps: sudo apt update && sudo apt install gcc-multilib 48 | - target: i686-unknown-linux-gnu 49 | rust: stable 50 | deps: sudo apt update && sudo apt install gcc-multilib 51 | 52 | # 64-bit Linux 53 | - target: x86_64-unknown-linux-gnu 54 | rust: 1.85.0 # MSRV 55 | - target: x86_64-unknown-linux-gnu 56 | rust: stable 57 | steps: 58 | - uses: actions/checkout@v4 59 | - uses: dtolnay/rust-toolchain@master 60 | with: 61 | toolchain: ${{ matrix.rust }} 62 | targets: ${{ matrix.target }} 63 | - run: ${{ matrix.deps }} 64 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features 65 | - run: cargo test --target ${{ matrix.target }} --release 66 | - run: cargo test --target ${{ matrix.target }} --release --all-features 67 | - run: cargo build --target ${{ matrix.target }} --benches 68 | 
-------------------------------------------------------------------------------- /.github/workflows/chacha20poly1305.yml: -------------------------------------------------------------------------------- 1 | name: chacha20poly1305 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/chacha20poly1305.yml" 7 | - "chacha20poly1305/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: chacha20poly1305 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --target ${{ matrix.target }} --release --no-default-features 39 | - run: cargo build --target ${{ matrix.target }} --release --no-default-features --features reduced-round 40 | 41 | test: 42 | runs-on: ubuntu-latest 43 | strategy: 44 | matrix: 45 | include: 46 | # 32-bit Linux 47 | - target: i686-unknown-linux-gnu 48 | rust: 1.85.0 # MSRV 49 | deps: sudo apt update && sudo apt install gcc-multilib 50 | - target: i686-unknown-linux-gnu 51 | rust: stable 52 | deps: sudo apt update && sudo apt install gcc-multilib 53 | 54 | # 64-bit Linux 55 | - target: x86_64-unknown-linux-gnu 56 | rust: 1.85.0 # MSRV 57 | - target: x86_64-unknown-linux-gnu 58 | rust: stable 59 | steps: 60 | - uses: actions/checkout@v4 61 | - uses: dtolnay/rust-toolchain@master 62 | with: 63 | toolchain: ${{ matrix.rust }} 64 | targets: ${{ matrix.target }} 65 | - run: ${{ matrix.deps }} 66 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features 67 | - run: cargo test --target ${{ matrix.target }} --release 68 | - run: cargo test --target 
${{ matrix.target }} --release --features reduced-round 69 | - run: cargo test --target ${{ matrix.target }} --release --all-features 70 | - run: cargo build --target ${{ matrix.target }} --benches 71 | 72 | -------------------------------------------------------------------------------- /.github/workflows/deoxys.yml: -------------------------------------------------------------------------------- 1 | name: deoxys 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/deoxys.yml" 7 | - "deoxys/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: deoxys 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | rust: 45 | - 1.85.0 # MSRV 46 | - stable 47 | steps: 48 | - uses: actions/checkout@v4 49 | - uses: dtolnay/rust-toolchain@master 50 | with: 51 | toolchain: ${{ matrix.rust }} 52 | - run: cargo test --release --no-default-features --lib 53 | - run: cargo test --release 54 | - run: cargo test --release --all-features 55 | -------------------------------------------------------------------------------- /.github/workflows/eax.yml: -------------------------------------------------------------------------------- 1 | name: eax 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/eax.yml" 7 | - "eax/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: eax 15 | 16 | env: 17 | 
CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - thumbv7em-none-eabi 30 | - wasm32-unknown-unknown 31 | steps: 32 | - uses: actions/checkout@v4 33 | - uses: dtolnay/rust-toolchain@master 34 | with: 35 | toolchain: ${{ matrix.rust }} 36 | targets: ${{ matrix.target }} 37 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 38 | 39 | test: 40 | runs-on: ubuntu-latest 41 | strategy: 42 | matrix: 43 | rust: 44 | - 1.85.0 # MSRV 45 | - stable 46 | steps: 47 | - uses: actions/checkout@v4 48 | - uses: dtolnay/rust-toolchain@master 49 | with: 50 | toolchain: ${{ matrix.rust }} 51 | - run: cargo test --release --no-default-features 52 | - run: cargo test --release 53 | - run: cargo test --release --all-features 54 | -------------------------------------------------------------------------------- /.github/workflows/mgm.yml: -------------------------------------------------------------------------------- 1 | name: mgm 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/mgm.yml" 7 | - "mgm/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: mgm 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.81.0 # MSRV 27 | - stable 28 | target: 29 | - thumbv7em-none-eabi 30 | - wasm32-unknown-unknown 31 | steps: 32 | - uses: actions/checkout@v4 33 | - uses: dtolnay/rust-toolchain@master 34 | with: 35 | toolchain: ${{ matrix.rust }} 36 | targets: ${{ matrix.target }} 37 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 38 | 39 | test: 40 | runs-on: ubuntu-latest 41 | strategy: 42 | matrix: 43 | rust: 44 | - 1.81.0 # MSRV 45 | - stable 46 | steps: 47 | - uses: actions/checkout@v4 48 | - uses: 
dtolnay/rust-toolchain@master 49 | with: 50 | toolchain: ${{ matrix.rust }} 51 | - run: cargo test --release --no-default-features 52 | - run: cargo test --release 53 | - run: cargo test --release --features force-soft 54 | - run: cargo test --release --features stream,std 55 | - run: RUSTFLAGS="-C target-cpu=native" cargo test --release --all-features 56 | -------------------------------------------------------------------------------- /.github/workflows/ocb3.yml: -------------------------------------------------------------------------------- 1 | name: ocb3 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/ocb3.yml" 7 | - "ocb3/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: ocb3 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | include: 45 | # 32-bit Linux 46 | - target: i686-unknown-linux-gnu 47 | rust: 1.85.0 # MSRV 48 | deps: sudo apt update && sudo apt install gcc-multilib 49 | - target: i686-unknown-linux-gnu 50 | rust: stable 51 | deps: sudo apt update && sudo apt install gcc-multilib 52 | 53 | # 64-bit Linux 54 | - target: x86_64-unknown-linux-gnu 55 | rust: 1.85.0 # MSRV 56 | - target: x86_64-unknown-linux-gnu 57 | rust: stable 58 | steps: 59 | - uses: actions/checkout@v4 60 | - uses: dtolnay/rust-toolchain@master 61 | with: 62 | toolchain: ${{ matrix.rust }} 63 | targets: ${{ matrix.target }} 64 | - run: ${{ 
matrix.deps }} 65 | - run: cargo test --target ${{ matrix.target }} --release 66 | - run: cargo test --target ${{ matrix.target }} --release --features zeroize 67 | - run: cargo test --target ${{ matrix.target }} --release --all-features 68 | - run: cargo build --target ${{ matrix.target }} --benches 69 | -------------------------------------------------------------------------------- /.github/workflows/security-audit.yml: -------------------------------------------------------------------------------- 1 | name: Security Audit 2 | on: 3 | pull_request: 4 | paths: 5 | - Cargo.lock 6 | - .github/workflows/security-audit.yml 7 | push: 8 | branches: master 9 | paths: Cargo.lock 10 | schedule: 11 | - cron: "0 0 * * *" 12 | 13 | jobs: 14 | security_audit: 15 | name: Security Audit 16 | runs-on: ubuntu-24.04 17 | steps: 18 | - uses: actions/checkout@v4 19 | - name: Cache cargo bin 20 | uses: actions/cache@v4 21 | with: 22 | path: ~/.cargo/bin 23 | key: ${{ runner.os }}-cargo-audit-v0.20-ubuntu-v24.04 24 | - uses: rustsec/audit-check@v2 25 | with: 26 | token: ${{ secrets.GITHUB_TOKEN }} 27 | -------------------------------------------------------------------------------- /.github/workflows/workspace.yml: -------------------------------------------------------------------------------- 1 | name: Workspace 2 | on: 3 | pull_request: 4 | paths-ignore: 5 | - README.md 6 | push: 7 | branches: master 8 | paths-ignore: 9 | - README.md 10 | 11 | env: 12 | CARGO_INCREMENTAL: 0 13 | RUSTFLAGS: "-Dwarnings" 14 | 15 | jobs: 16 | rustfmt: 17 | runs-on: ubuntu-latest 18 | steps: 19 | - uses: actions/checkout@v4 20 | - uses: dtolnay/rust-toolchain@master 21 | with: 22 | toolchain: stable 23 | components: rustfmt 24 | - run: cargo fmt --all -- --check 25 | clippy: 26 | runs-on: ubuntu-latest 27 | steps: 28 | - uses: actions/checkout@v4 29 | - uses: dtolnay/rust-toolchain@master 30 | with: 31 | toolchain: 1.85.0 32 | components: clippy 33 | - run: cargo clippy --all --all-features -- -D 
warnings 34 | -------------------------------------------------------------------------------- /.github/workflows/xaes-256-gcm.yml: -------------------------------------------------------------------------------- 1 | name: xaes-256-gcm 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - ".github/workflows/xaes-256-gcm.yml" 7 | - "xaes-256-gcm/**" 8 | - "Cargo.*" 9 | push: 10 | branches: master 11 | 12 | defaults: 13 | run: 14 | working-directory: xaes-256-gcm 15 | 16 | env: 17 | CARGO_INCREMENTAL: 0 18 | RUSTFLAGS: "-Dwarnings" 19 | 20 | jobs: 21 | build: 22 | runs-on: ubuntu-latest 23 | strategy: 24 | matrix: 25 | rust: 26 | - 1.85.0 # MSRV 27 | - stable 28 | target: 29 | - armv7a-none-eabi 30 | - thumbv7em-none-eabi 31 | - wasm32-unknown-unknown 32 | steps: 33 | - uses: actions/checkout@v4 34 | - uses: dtolnay/rust-toolchain@master 35 | with: 36 | toolchain: ${{ matrix.rust }} 37 | targets: ${{ matrix.target }} 38 | - run: cargo build --no-default-features --release --target ${{ matrix.target }} 39 | 40 | test: 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | include: 45 | # 32-bit Linux 46 | - target: i686-unknown-linux-gnu 47 | rust: 1.85.0 # MSRV 48 | deps: sudo apt update && sudo apt install gcc-multilib 49 | - target: i686-unknown-linux-gnu 50 | rust: stable 51 | deps: sudo apt update && sudo apt install gcc-multilib 52 | 53 | # 64-bit Linux 54 | - target: x86_64-unknown-linux-gnu 55 | rust: 1.85.0 # MSRV 56 | - target: x86_64-unknown-linux-gnu 57 | rust: stable 58 | steps: 59 | - uses: actions/checkout@v4 60 | - uses: dtolnay/rust-toolchain@master 61 | with: 62 | toolchain: ${{ matrix.rust }} 63 | targets: ${{ matrix.target }} 64 | - run: ${{ matrix.deps }} 65 | - run: cargo test --target ${{ matrix.target }} --release --no-default-features --lib 66 | - run: cargo test --target ${{ matrix.target }} --release 67 | - run: cargo test --target ${{ matrix.target }} --release --all-features 68 | - run: cargo build --target ${{ matrix.target }} --benches 69 
| -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | benches/Cargo.lock 3 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | resolver = "3" 3 | members = [ 4 | "aead-stream", 5 | "aes-gcm", 6 | "aes-gcm-siv", 7 | "aes-siv", 8 | "ascon-aead128", 9 | "belt-dwp", 10 | "ccm", 11 | "chacha20poly1305", 12 | "deoxys", 13 | "eax", 14 | "ocb3", 15 | "xaes-256-gcm", 16 | ] 17 | 18 | [patch.crates-io] 19 | aead-stream = { path = "aead-stream" } 20 | aes-gcm = { path = "aes-gcm" } 21 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | Security updates are applied only to the most recent release. 6 | 7 | ## Reporting a Vulnerability 8 | 9 | If you have discovered a security vulnerability in this project, please report 10 | it privately. **Do not disclose it as a public issue.** This gives us time to 11 | work with you to fix the issue before public exposure, reducing the chance that 12 | the exploit will be used before a patch is released. 13 | 14 | Please disclose it at [security advisory](https://github.com/RustCrypto/AEADs/security/advisories/new). 15 | 16 | This project is maintained by a team of volunteers on a reasonable-effort basis. 17 | As such, please give us at least 90 days to work on a fix before public exposure. 18 | -------------------------------------------------------------------------------- /aead-stream/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 
3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## UNRELEASED 8 | - Initial release 9 | -------------------------------------------------------------------------------- /aead-stream/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "aead-stream" 3 | version = "0.6.0-rc.0" 4 | description = "Generic implementation of the STREAM online authenticated encryption construction" 5 | authors = ["RustCrypto Developers"] 6 | edition = "2024" 7 | license = "Apache-2.0 OR MIT" 8 | readme = "README.md" 9 | documentation = "https://docs.rs/aead-stream" 10 | repository = "https://github.com/RustCrypto/AEADs" 11 | keywords = ["aead", "stream", "encryption"] 12 | categories = ["cryptography", "no-std"] 13 | rust-version = "1.85" 14 | 15 | [dependencies] 16 | aead = { version = "0.6.0-rc.1", default-features = false } 17 | 18 | [features] 19 | alloc = ["aead/alloc"] 20 | -------------------------------------------------------------------------------- /aead-stream/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2024 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 
16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /aead-stream/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: AEAD-STREAM 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Generic pure-Rust implementation of the STREAM online authenticated encryption construction 11 | as described in the paper [Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance][1]. 12 | 13 | ## About 14 | 15 | The STREAM construction supports encrypting/decrypting sequences of AEAD 16 | message segments, which is useful in cases where the overall message is too 17 | large to fit in a single buffer and needs to be processed incrementally. 18 | 19 | STREAM defends against reordering and truncation attacks which are common 20 | in naive schemes which attempt to provide these properties, and is proven 21 | to meet the security definition of "nonce-based online authenticated 22 | encryption" (nOAE) as given in the aforementioned paper. 
23 | 24 | ## Diagram 25 | 26 | ![STREAM Diagram](https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/img/AEADs/rogaway-stream.svg) 27 | 28 | Legend: 29 | 30 | - 𝐄k: AEAD encryption under key `k` 31 | - 𝐌: message 32 | - 𝐍: nonce 33 | - 𝐀: additional associated data 34 | - 𝐂: ciphertext 35 | - 𝜏: MAC tag 36 | 37 | ## License 38 | 39 | Licensed under either of: 40 | 41 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 42 | * [MIT license](http://opensource.org/licenses/MIT) 43 | 44 | at your option. 45 | 46 | ### Contribution 47 | 48 | Unless you explicitly state otherwise, any contribution intentionally submitted 49 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 50 | dual licensed as above, without any additional terms or conditions. 51 | 52 | [//]: # (badges) 53 | 54 | [crate-image]: https://img.shields.io/crates/v/aead-stream 55 | [crate-link]: https://crates.io/crates/aead-stream 56 | [docs-image]: https://docs.rs/aead-stream/badge.svg 57 | [docs-link]: https://docs.rs/aead-stream/ 58 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 59 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 60 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 61 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 62 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/aead-stream/badge.svg?branch=master&event=push 63 | [build-link]: https://github.com/RustCrypto/AEADs/actions 64 | 65 | [//]: # (general links) 66 | 67 | [1]: https://eprint.iacr.org/2015/189.pdf 68 | -------------------------------------------------------------------------------- /aes-gcm-siv/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 
3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## 0.12.0 (UNRELEASED) 8 | ### Added 9 | - `arrayvec` support ([#503]) 10 | - re-export `aes` ([#603]) 11 | - `bytes` feature passthrough ([#631]) 12 | 13 | ### Changed 14 | - Bump `aead` from `0.5` to `0.6` ([#583]) 15 | - Bump `aes` from `0.8` to `0.9` ([#583]) 16 | - Bump `cipher` from `0.4` to `0.5` ([#583]) 17 | - Bump `ctr` from `0.9` to `0.10` ([#583]) 18 | - Bump `ghash` from `0.5` to `0.6` ([#583]) 19 | - Bump `polyval` from `0.6` to `0.7` ([#583]) 20 | - Edition changed to 2024 and MSRV bumped to 1.85 ([#662]) 21 | - Relax MSRV policy and allow MSRV bumps in patch releases 22 | - `getrandom` feature renamed as `os_rng` ([#662]) 23 | 24 | ### Removed 25 | - `std` and `stream` features ([#662]) 26 | 27 | [#503]: https://github.com/RustCrypto/AEADs/pull/503 28 | [#583]: https://github.com/RustCrypto/AEADs/pull/583 29 | [#603]: https://github.com/RustCrypto/AEADs/pull/603 30 | [#631]: https://github.com/RustCrypto/AEADs/pull/631 31 | [#662]: https://github.com/RustCrypto/AEADs/pull/662 32 | 33 | ## 0.11.1 (2022-07-31) 34 | ### Fixed 35 | - rustdoc typos and formatting ([#460], [#461], [#462]) 36 | 37 | [#460]: https://github.com/RustCrypto/AEADs/pull/460 38 | [#461]: https://github.com/RustCrypto/AEADs/pull/461 39 | [#462]: https://github.com/RustCrypto/AEADs/pull/462 40 | 41 | ## 0.11.0 (2022-07-31) 42 | ### Added 43 | - `getrandom` feature ([#446]) 44 | 45 | ### Changed 46 | - Rust 2021 edition upgrade; MSRV 1.56+ ([#435]) 47 | - Bump `aead` dependency to v0.5 ([#444]) 48 | - Bump `polyval` dependency to v0.6 ([#454]) 49 | 50 | [#435]: https://github.com/RustCrypto/AEADs/pull/435 51 | [#444]: https://github.com/RustCrypto/AEADs/pull/444 52 | [#446]: https://github.com/RustCrypto/AEADs/pull/446 53 | [#454]: https://github.com/RustCrypto/AEADs/pull/454 54 | 55 | ## 0.10.3
(2021-08-28) 56 | ### Changed 57 | - Relax `subtle` and `zeroize` requirements ([#360]) 58 | 59 | [#360]: https://github.com/RustCrypto/AEADs/pull/360 60 | 61 | ## 0.10.2 (2021-07-20) 62 | ### Changed 63 | - Pin `zeroize` dependency to v1.3 and `subtle` to v2.4 ([#349]) 64 | 65 | [#349]: https://github.com/RustCrypto/AEADs/pull/349 66 | 67 | ## 0.10.1 (2021-05-31) 68 | ### Added 69 | - Nightly-only `armv8` feature ([#318]) 70 | 71 | [#318]: https://github.com/RustCrypto/AEADs/pull/318 72 | 73 | ## 0.10.0 (2021-04-29) 74 | ### Added 75 | - Wycheproof test vectors ([#274]) 76 | 77 | ### Changed 78 | - Bump `aead` crate dependency to v0.4 ([#270]) 79 | - Bump `aes` and `ctr` crate dependencies to v0.7 ([#283]) 80 | - Bump `polyval` to v0.5 ([#284]) 81 | 82 | ### Fixed 83 | - Interleaved buffer size ([#235]) 84 | 85 | [#235]: https://github.com/RustCrypto/AEADs/pull/235 86 | [#270]: https://github.com/RustCrypto/AEADs/pull/270 87 | [#274]: https://github.com/RustCrypto/AEADs/pull/274 88 | [#283]: https://github.com/RustCrypto/AEADs/pull/283 89 | [#284]: https://github.com/RustCrypto/AEADs/pull/284 90 | 91 | ## 0.9.0 (2020-10-16) 92 | ### Changed 93 | - Replace `block-cipher`/`stream-cipher` with `cipher` crate ([#229]) 94 | - Bump `aes` dependency to v0.6 ([#229]) 95 | - Use `ctr::Ctr32LE` ([#227]) 96 | 97 | [#229]: https://github.com/RustCrypto/AEADs/pull/229 98 | [#227]: https://github.com/RustCrypto/AEADs/pull/227 99 | 100 | ## 0.8.0 (2020-09-17) 101 | ### Added 102 | - Optional `std` feature; disabled by default ([#217]) 103 | 104 | ### Changed 105 | - Upgrade `aes` to v0.5; `block-cipher` to v0.8 ([#209]) 106 | 107 | [#217]: https://github.com/RustCrypto/AEADs/pull/217 108 | [#209]: https://github.com/RustCrypto/AEADs/pull/209 109 | 110 | ## 0.7.0 (skipped) 111 | 112 | ## 0.6.0 (skipped) 113 | 114 | ## 0.5.0 (2020-06-06) 115 | ### Changed 116 | - Bump `aead` crate dependency to v0.3.0; MSRV 1.41+ ([#142]) 117 | 118 | [#142]: 
https://github.com/RustCrypto/AEADs/pull/143 119 | 120 | ## 0.4.1 (2020-03-09) 121 | ### Fixed 122 | - Off-by-one error in `debug_assert` for `BlockCipher::ParBlocks` ([#104]) 123 | 124 | [#104]: https://github.com/RustCrypto/AEADs/pull/104 125 | 126 | ## 0.4.0 (2020-03-07) - YANKED, see [#104] 127 | ### Added 128 | - `aes` cargo feature; 3rd-party AES crate support ([#90]) 129 | 130 | ### Changed 131 | - Make generic around `BlockCipher::ParBlocks` ([#91], [#93]) 132 | 133 | [#90]: https://github.com/RustCrypto/AEADs/pull/90 134 | [#91]: https://github.com/RustCrypto/AEADs/pull/91 135 | [#93]: https://github.com/RustCrypto/AEADs/pull/93 136 | 137 | ## 0.3.0 (2019-11-26) 138 | ### Added 139 | - `heapless` feature ([#51]) 140 | 141 | ### Changed 142 | - Upgrade `aead` crate to v0.2; `alloc` now optional ([#43]) 143 | 144 | [#51]: https://github.com/RustCrypto/AEADs/pull/51 145 | [#43]: https://github.com/RustCrypto/AEADs/pull/43 146 | 147 | ## 0.2.1 (2019-11-14) 148 | ### Changed 149 | - Upgrade to `zeroize` 1.0 ([#36]) 150 | 151 | [#36]: https://github.com/RustCrypto/AEADs/pull/36 152 | 153 | ## 0.2.0 (2019-10-06) 154 | ### Added 155 | - Expose "detached" in-place encryption/decryption APIs ([#21]) 156 | 157 | ### Changed 158 | - Upgrade to `polyval` v0.3 ([#25]) 159 | 160 | [#25]: https://github.com/RustCrypto/AEADs/pull/25 161 | [#21]: https://github.com/RustCrypto/AEADs/pull/21 162 | 163 | ## 0.1.0 (2019-09-28) 164 | - Initial release 165 | -------------------------------------------------------------------------------- /aes-gcm-siv/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "aes-gcm-siv" 3 | version = "0.12.0-rc.0" 4 | description = """ 5 | Pure Rust implementation of the AES-GCM-SIV Misuse-Resistant Authenticated 6 | Encryption Cipher (RFC 8452) with optional architecture-specific 7 | hardware acceleration 8 | """ 9 | authors = ["RustCrypto Developers"] 10 | edition = "2024" 11 | 
license = "MIT OR Apache-2.0" 12 | readme = "README.md" 13 | documentation = "https://docs.rs/aes-gcm-siv" 14 | repository = "https://github.com/RustCrypto/AEADs" 15 | keywords = ["aead", "aes", "aes-gcm", "encryption", "siv"] 16 | categories = ["cryptography", "no-std"] 17 | rust-version = "1.85" 18 | 19 | [dependencies] 20 | aead = { version = "0.6.0-rc.1", default-features = false } 21 | aes = { version = "0.9.0-rc.0", optional = true } 22 | cipher = "0.5.0-rc.0" 23 | ctr = "0.10.0-rc.0" 24 | polyval = { version = "0.7.0-rc.1", default-features = false } 25 | subtle = { version = "2", default-features = false } 26 | zeroize = { version = "1", optional = true, default-features = false } 27 | 28 | [dev-dependencies] 29 | aead = { version = "0.6.0-rc.1", features = ["dev"], default-features = false } 30 | 31 | [features] 32 | default = ["aes", "alloc", "os_rng"] 33 | alloc = ["aead/alloc"] 34 | arrayvec = ["aead/arrayvec"] 35 | bytes = ["aead/bytes"] 36 | os_rng = ["aead/os_rng", "rand_core"] 37 | heapless = ["aead/heapless"] 38 | rand_core = ["aead/rand_core"] 39 | 40 | [package.metadata.docs.rs] 41 | all-features = true 42 | rustdoc-args = ["--cfg", "docsrs"] 43 | -------------------------------------------------------------------------------- /aes-gcm-siv/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all 
copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /aes-gcm-siv/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: AES-GCM-SIV (Misuse-Resistant Authenticated Encryption Cipher) 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | [AES-GCM-SIV][1] ([RFC 8452][2]) is a state-of-the-art high-performance 11 | [Authenticated Encryption with Associated Data (AEAD)][3] cipher which also 12 | provides [nonce reuse misuse resistance][4]. 13 | 14 | Suitable as a general purpose symmetric encryption cipher, AES-GCM-SIV also 15 | removes many of the "sharp edges" of AES-GCM, providing significantly better 16 | security bounds while simultaneously eliminating the most catastrophic risks 17 | of nonce reuse that exist in AES-GCM. 18 | 19 | Decryption performance is equivalent to AES-GCM. 20 | Encryption is marginally slower. 21 | 22 | See also: 23 | 24 | - [Adam Langley: AES-GCM-SIV][5] 25 | - [Coda Hale: Towards A Safer Footgun][6] 26 | 27 | [Documentation][docs-link] 28 | 29 | ## Security Warning 30 | 31 | No security audits of this crate have ever been performed. 
32 | 33 | Some of this crate's dependencies were [audited by NCC Group][7] as part of 34 | an audit of the `aes-gcm` crate, including the AES implementations (both AES-NI 35 | and a portable software implementation), as well as the `polyval` crate which 36 | is used as an authenticator. There were no significant findings. 37 | 38 | All implementations contained in the crate are designed to execute in constant 39 | time, either by relying on hardware intrinsics (i.e. AES-NI and CLMUL on 40 | x86/x86_64), or using a portable implementation which is only constant time 41 | on processors which implement constant-time multiplication. 42 | 43 | It is not suitable for use on processors with a variable-time multiplication 44 | operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as 45 | certain 32-bit PowerPC CPUs and some non-ARM microcontrollers). 46 | 47 | USE AT YOUR OWN RISK! 48 | 49 | ## License 50 | 51 | Licensed under either of: 52 | 53 | - [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 54 | - [MIT license](http://opensource.org/licenses/MIT) 55 | 56 | at your option. 57 | 58 | ### Contribution 59 | 60 | Unless you explicitly state otherwise, any contribution intentionally submitted 61 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 62 | dual licensed as above, without any additional terms or conditions.
63 | 64 | [//]: # (badges) 65 | 66 | [crate-image]: https://img.shields.io/crates/v/aes-gcm-siv 67 | [crate-link]: https://crates.io/crates/aes-gcm-siv 68 | [docs-image]: https://docs.rs/aes-gcm-siv/badge.svg 69 | [docs-link]: https://docs.rs/aes-gcm-siv/ 70 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 71 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 72 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 73 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 74 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/aes-gcm-siv/badge.svg?branch=master&event=push 75 | [build-link]: https://github.com/RustCrypto/AEADs/actions 76 | 77 | [//]: # (general links) 78 | 79 | [1]: https://en.wikipedia.org/wiki/AES-GCM-SIV 80 | [2]: https://tools.ietf.org/html/rfc8452 81 | [3]: https://en.wikipedia.org/wiki/Authenticated_encryption 82 | [4]: https://github.com/miscreant/meta/wiki/Nonce-Reuse-Misuse-Resistance 83 | [5]: https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html 84 | [6]: https://codahale.com/towards-a-safer-footgun/ 85 | [7]: https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/ 86 | -------------------------------------------------------------------------------- /aes-gcm-siv/tests/common/mod.rs: -------------------------------------------------------------------------------- 1 | //! Common functionality shared by tests 2 | 3 | /// Test vectors 4 | #[derive(Debug)] 5 | pub struct TestVector { 6 | pub key: &'static K, 7 | pub nonce: &'static [u8; 12], 8 | pub aad: &'static [u8], 9 | pub plaintext: &'static [u8], 10 | pub ciphertext: &'static [u8], 11 | } 12 | 13 | #[macro_export] 14 | macro_rules! 
tests { 15 | ($aead:ty, $vectors:expr) => { 16 | #[test] 17 | fn encrypt() { 18 | for vector in $vectors { 19 | let key = Array(*vector.key); 20 | let nonce = Array(*vector.nonce); 21 | let payload = Payload { 22 | msg: vector.plaintext, 23 | aad: vector.aad, 24 | }; 25 | 26 | let cipher = <$aead>::new(&key); 27 | let ciphertext = cipher.encrypt(&nonce, payload).unwrap(); 28 | 29 | assert_eq!(vector.ciphertext, ciphertext.as_slice()); 30 | } 31 | } 32 | 33 | #[test] 34 | fn decrypt() { 35 | for vector in $vectors { 36 | let key = Array(*vector.key); 37 | let nonce = Array(*vector.nonce); 38 | 39 | let payload = Payload { 40 | msg: vector.ciphertext, 41 | aad: vector.aad, 42 | }; 43 | 44 | let cipher = <$aead>::new(&key); 45 | let plaintext = cipher.decrypt(&nonce, payload).unwrap(); 46 | 47 | assert_eq!(vector.plaintext, plaintext.as_slice()); 48 | } 49 | } 50 | 51 | #[test] 52 | fn decrypt_modified() { 53 | let vector = &$vectors[1]; 54 | let key = Array(*vector.key); 55 | let nonce = Array(*vector.nonce); 56 | 57 | let mut ciphertext = Vec::from(vector.ciphertext); 58 | 59 | // Tweak the first byte 60 | ciphertext[0] ^= 0xaa; 61 | 62 | let payload = Payload { 63 | msg: &ciphertext, 64 | aad: vector.aad, 65 | }; 66 | 67 | let cipher = <$aead>::new(&key); 68 | assert!(cipher.decrypt(&nonce, payload).is_err()); 69 | 70 | // TODO(tarcieri): test ciphertext is unmodified in in-place API 71 | } 72 | }; 73 | } 74 | -------------------------------------------------------------------------------- /aes-gcm-siv/tests/ctr_wrap.rs: -------------------------------------------------------------------------------- 1 | //! Counter Wrap Tests 2 | //! 3 | //! The tests use `Aes256GcmSiv` and are crafted to test correct wrapping of 4 | //! the block counter. 
5 | 6 | #![cfg(all(feature = "aes", feature = "alloc"))] 7 | 8 | #[macro_use] 9 | mod common; 10 | 11 | use self::common::TestVector; 12 | use aes_gcm_siv::Aes256GcmSiv; 13 | use aes_gcm_siv::aead::{Aead, KeyInit, Payload, array::Array}; 14 | 15 | /// Test vectors from RFC8452 Appendix C.3. Counter Wrap Tests 16 | /// 17 | const TEST_VECTORS: &[TestVector<[u8; 32]>] = &[ 18 | TestVector { 19 | key: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 20 | nonce: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 21 | aad: b"", 22 | plaintext: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\xb9\x23\xdc\x79\x3e\xe6\x49\x7c\x76\xdc\xc0\x3a\x98\xe1\x08", 23 | ciphertext: b"\xf3\xf8\x0f\x2c\xf0\xcb\x2d\xd9\xc5\x98\x4f\xcd\xa9\x08\x45\x6c\xc5\x37\x70\x3b\x5b\xa7\x03\x24\xa6\x79\x3a\x7b\xf2\x18\xd3\xea\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 24 | }, 25 | TestVector { 26 | key: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 27 | nonce: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 28 | aad: b"", 29 | plaintext: b"\xeb\x36\x40\x27\x7c\x7f\xfd\x13\x03\xc7\xa5\x42\xd0\x2d\x3e\x4c\x00\x00\x00\x00\x00\x00\x00\x00", 30 | ciphertext: b"\x18\xce\x4f\x0b\x8c\xb4\xd0\xca\xc6\x5f\xea\x8f\x79\x25\x7b\x20\x88\x8e\x53\xe7\x22\x99\xe5\x6d\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 31 | }, 32 | ]; 33 | 34 | tests!(Aes256GcmSiv, TEST_VECTORS); 35 | -------------------------------------------------------------------------------- /aes-gcm-siv/tests/data/wycheproof-128.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/aes-gcm-siv/tests/data/wycheproof-128.blb 
-------------------------------------------------------------------------------- /aes-gcm-siv/tests/data/wycheproof-256.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/aes-gcm-siv/tests/data/wycheproof-256.blb -------------------------------------------------------------------------------- /aes-gcm/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "aes-gcm" 3 | version = "0.11.0-rc.0" 4 | description = """ 5 | Pure Rust implementation of the AES-GCM (Galois/Counter Mode) 6 | Authenticated Encryption with Associated Data (AEAD) Cipher 7 | with optional architecture-specific hardware acceleration 8 | """ 9 | authors = ["RustCrypto Developers"] 10 | edition = "2024" 11 | license = "Apache-2.0 OR MIT" 12 | readme = "README.md" 13 | documentation = "https://docs.rs/aes-gcm" 14 | repository = "https://github.com/RustCrypto/AEADs" 15 | keywords = ["aead", "aes", "encryption", "gcm", "ghash"] 16 | categories = ["cryptography", "no-std"] 17 | rust-version = "1.85" 18 | 19 | [dependencies] 20 | aead = { version = "0.6.0-rc.1", default-features = false } 21 | aes = { version = "0.9.0-rc.0", optional = true } 22 | cipher = "0.5.0-rc.0" 23 | ctr = "0.10.0-rc.0" 24 | ghash = { version = "0.6.0-rc.1", default-features = false } 25 | subtle = { version = "2", default-features = false } 26 | zeroize = { version = "1", optional = true, default-features = false } 27 | 28 | [dev-dependencies] 29 | aead = { version = "0.6.0-rc.1", features = ["alloc", "dev"], default-features = false } 30 | hex-literal = "1" 31 | 32 | [features] 33 | default = ["aes", "alloc", "os_rng"] 34 | alloc = ["aead/alloc"] 35 | arrayvec = ["aead/arrayvec"] 36 | bytes = ["aead/bytes"] 37 | os_rng = ["aead/os_rng", "rand_core"] 38 | heapless = ["aead/heapless"] 39 | rand_core = ["aead/rand_core"] 40 | 41 | 
[package.metadata.docs.rs] 42 | all-features = true 43 | rustdoc-args = ["--cfg", "docsrs"] 44 | -------------------------------------------------------------------------------- /aes-gcm/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 
26 | -------------------------------------------------------------------------------- /aes-gcm/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: AES-GCM 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the AES-GCM 11 | [Authenticated Encryption with Associated Data (AEAD)][1] cipher. 12 | 13 | [Documentation][docs-link] 14 | 15 | ## Security Notes 16 | 17 | This crate has received one [security audit by NCC Group][2], with no significant 18 | findings. We would like to thank [MobileCoin][3] for funding the audit. 19 | 20 | All implementations contained in the crate are designed to execute in constant 21 | time, either by relying on hardware intrinsics (i.e. AES-NI and CLMUL on 22 | x86/x86_64), or using a portable implementation which is only constant time 23 | on processors which implement constant-time multiplication. 24 | 25 | It is not suitable for use on processors with a variable-time multiplication 26 | operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as 27 | certain 32-bit PowerPC CPUs and some non-ARM microcontrollers). 28 | 29 | ## License 30 | 31 | Licensed under either of: 32 | 33 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 34 | * [MIT license](http://opensource.org/licenses/MIT) 35 | 36 | at your option. 37 | 38 | ### Contribution 39 | 40 | Unless you explicitly state otherwise, any contribution intentionally submitted 41 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 42 | dual licensed as above, without any additional terms or conditions. 
43 | 44 | [//]: # (badges) 45 | 46 | [crate-image]: https://img.shields.io/crates/v/aes-gcm 47 | [crate-link]: https://crates.io/crates/aes-gcm 48 | [docs-image]: https://docs.rs/aes-gcm/badge.svg 49 | [docs-link]: https://docs.rs/aes-gcm/ 50 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 51 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 52 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 53 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 54 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/aes-gcm/badge.svg?branch=master&event=push 55 | [build-link]: https://github.com/RustCrypto/AEADs/actions 56 | 57 | [//]: # (general links) 58 | 59 | [1]: https://en.wikipedia.org/wiki/Authenticated_encryption 60 | [2]: https://web.archive.org/web/20240108154854/https://research.nccgroup.com/wp-content/uploads/2020/02/NCC_Group_MobileCoin_RustCrypto_AESGCM_ChaCha20Poly1305_Implementation_Review_2020-02-12_v1.0.pdf 61 | [3]: https://www.mobilecoin.com/ 62 | -------------------------------------------------------------------------------- /aes-gcm/tests/common/mod.rs: -------------------------------------------------------------------------------- 1 | //! Common functionality shared by tests 2 | 3 | /// Test vectors 4 | #[derive(Debug)] 5 | pub struct TestVector { 6 | pub key: &'static K, 7 | pub nonce: &'static N, 8 | pub aad: &'static [u8], 9 | pub plaintext: &'static [u8], 10 | pub ciphertext: &'static [u8], 11 | pub tag: &'static [u8; 16], 12 | } 13 | 14 | #[macro_export] 15 | macro_rules! 
tests { 16 | ($aead:ty, $vectors:expr) => { 17 | #[test] 18 | fn encrypt() { 19 | for vector in $vectors { 20 | let key = Array(*vector.key); 21 | let nonce = Array(*vector.nonce); 22 | let payload = Payload { 23 | msg: vector.plaintext, 24 | aad: vector.aad, 25 | }; 26 | 27 | let cipher = <$aead>::new(&key); 28 | let ciphertext = cipher.encrypt(&nonce, payload).unwrap(); 29 | let (ct, tag) = ciphertext.split_at(ciphertext.len() - 16); 30 | assert_eq!( 31 | vector.ciphertext, ct, 32 | "ciphertext mismatch (expected != actual)" 33 | ); 34 | assert_eq!(vector.tag, tag, "tag mismatch (expected != actual)"); 35 | } 36 | } 37 | 38 | #[test] 39 | fn decrypt() { 40 | for vector in $vectors { 41 | let key = Array(*vector.key); 42 | let nonce = Array(*vector.nonce); 43 | let mut ciphertext = Vec::from(vector.ciphertext); 44 | ciphertext.extend_from_slice(vector.tag); 45 | 46 | let payload = Payload { 47 | msg: &ciphertext, 48 | aad: vector.aad, 49 | }; 50 | 51 | let cipher = <$aead>::new(&key); 52 | let plaintext = cipher.decrypt(&nonce, payload).unwrap(); 53 | 54 | assert_eq!(vector.plaintext, plaintext.as_slice(), "plaintext mismatch"); 55 | } 56 | } 57 | 58 | #[test] 59 | fn decrypt_modified() { 60 | let vector = &$vectors[0]; 61 | let key = Array(*vector.key); 62 | let nonce = Array(*vector.nonce); 63 | 64 | let mut ciphertext = Vec::from(vector.ciphertext); 65 | ciphertext.extend_from_slice(vector.tag); 66 | 67 | // Tweak the first byte 68 | ciphertext[0] ^= 0xaa; 69 | 70 | let payload = Payload { 71 | msg: &ciphertext, 72 | aad: vector.aad, 73 | }; 74 | 75 | let cipher = <$aead>::new(&key); 76 | assert!(cipher.decrypt(&nonce, payload).is_err()); 77 | } 78 | 79 | #[test] 80 | fn decrypt_in_place_detached_modified() { 81 | let vector = &$vectors.iter().last().unwrap(); 82 | let key = Array(*vector.key); 83 | let nonce = Array(*vector.nonce); 84 | 85 | let mut buffer = Vec::from(vector.ciphertext); 86 | assert!(!buffer.is_empty()); 87 | 88 | // Tweak the first byte 89 | 
let mut tag = Array(*vector.tag); 90 | tag[0] ^= 0xaa; 91 | 92 | let cipher = <$aead>::new(&key); 93 | assert!( 94 | cipher 95 | .decrypt_inout_detached(&nonce, &[], buffer.as_mut_slice().into(), &tag) 96 | .is_err() 97 | ); 98 | 99 | assert_eq!(vector.ciphertext, buffer); 100 | } 101 | }; 102 | } 103 | -------------------------------------------------------------------------------- /aes-gcm/tests/data/wycheproof-128.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/aes-gcm/tests/data/wycheproof-128.blb -------------------------------------------------------------------------------- /aes-gcm/tests/data/wycheproof-256.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/aes-gcm/tests/data/wycheproof-256.blb -------------------------------------------------------------------------------- /aes-gcm/tests/other_ivlen.rs: -------------------------------------------------------------------------------- 1 | //! Tests for AES-GCM when used with non-96-bit nonces. 2 | //! 3 | //! Vectors taken from NIST CAVS vectors' `gcmEncryptExtIV128.rsp` file: 4 | //! 
5 | 6 | #![cfg(all(feature = "aes", feature = "alloc"))] 7 | 8 | use aead::{ 9 | Aead, KeyInit, 10 | array::{Array, typenum}, 11 | }; 12 | use aes::Aes128; 13 | use aes_gcm::AesGcm; 14 | use hex_literal::hex; 15 | 16 | /// Based on the following `gcmEncryptExtIV128.rsp` test vector: 17 | /// 18 | /// [Keylen = 128] 19 | /// [IVlen = 8] 20 | /// [PTlen = 128] 21 | /// [AADlen = 0] 22 | /// [Taglen = 128] 23 | /// 24 | /// Count = 0 25 | mod ivlen8 { 26 | use super::*; 27 | 28 | type Aes128GcmWith8BitNonce = AesGcm; 29 | 30 | #[test] 31 | fn encrypt() { 32 | let key = hex!("15b2d414826453f9e1c7dd0b69d8d1eb"); 33 | let nonce = hex!("b6"); 34 | let plaintext = hex!("8cfa255530c6fbc19d51bd4aeb39c91b"); 35 | 36 | let ciphertext = Aes128GcmWith8BitNonce::new(&key.into()) 37 | .encrypt(&Array(nonce), &plaintext[..]) 38 | .unwrap(); 39 | 40 | let (ct, tag) = ciphertext.split_at(ciphertext.len() - 16); 41 | assert_eq!(hex!("4822cb98bd5f5d921ee19285c9032375"), ct); 42 | assert_eq!(hex!("8a40670ebac98cf4e9cc1bf8f803167d"), tag); 43 | } 44 | } 45 | 46 | /// Based on the following `gcmEncryptExtIV128.rsp` test vector: 47 | /// 48 | /// [Keylen = 128] 49 | /// [IVlen = 1024] 50 | /// [PTlen = 128] 51 | /// [AADlen = 0] 52 | /// [Taglen = 128] 53 | /// 54 | /// Count = 0 55 | mod ivlen1024 { 56 | use super::*; 57 | 58 | type Aes128GcmWith1024BitNonce = AesGcm; 59 | 60 | #[test] 61 | fn encrypt() { 62 | let key = hex!("71eebc49c8fb773b2224eaff3ad68714"); 63 | let nonce = hex!( 64 | "07e961e67784011f72faafd95b0eb64089c8de15ad685ec57e63d56e679d3e20 65 | 2b18b75fcbbec3185ffc41653bc2ac4ae6ae8be8c85636f353a9d19a86100d0b 66 | d035cc6bdefcab4318ac7b1a08b819427ad8f6abc782466c6ebd4d6a0dd76e78 67 | 389b0a2a66506bb85f038ffc1da220c24f3817c7b2d02c5e8fc5e7e3be5074bc" 68 | ); 69 | let plaintext = hex!("705da82292143d2c949dc4ba014f6396"); 70 | 71 | let ciphertext = Aes128GcmWith1024BitNonce::new(&key.into()) 72 | .encrypt(&Array(nonce), &plaintext[..]) 73 | .unwrap(); 74 | 75 | let (ct, tag) = 
ciphertext.split_at(ciphertext.len() - 16); 76 | assert_eq!(hex!("032363cf0828a03553478bec0f51f372"), ct); 77 | assert_eq!(hex!("c681b2c568feaa21900bc44b86aeb946"), tag); 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /aes-siv/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## 0.8.0 (UNRELEASED) 8 | ### Added 9 | - `arrayvec` support ([#503]) 10 | 11 | ### Changed 12 | - Bump `aead` from `0.5` to `0.6` ([#583]) 13 | - Bump `aes` from `0.8` to `0.9` ([#583]) 14 | - Bump `cipher` from `0.4` to `0.5` ([#583]) 15 | - Bump `ctr` from `0.9` to `0.10` ([#583]) 16 | - Bump `dbl` from `0.3` to `0.4` ([#583]) 17 | - Bump `digest` from `0.10` to `0.11` ([#583]) 18 | - Bump `pmac` from `0.7` to `0.8` ([#583]) 19 | - Edition changed to 2024 and MSRV bumped to 1.85 ([#662]) 20 | - Relax MSRV policy and allow MSRV bumps in patch releases 21 | - `getrandom` feature renamed as `os_rng` ([#662]) 22 | 23 | ## Removed 24 | - `std` and `stream` features ([#662]) 25 | 26 | [#503]: https://github.com/RustCrypto/AEADs/pull/503 27 | [#583]: https://github.com/RustCrypto/AEADs/pull/583 28 | [#662]: https://github.com/RustCrypto/AEADs/pull/662 29 | 30 | ## 0.7.0 (2022-07-30) 31 | ### Added 32 | - `getrandom` feature ([#446]) 33 | 34 | ### Changed 35 | - Relax `zeroize` requirement to `^1` ([#360], [#401]) 36 | - Bump `aes` crate to v0.8 ([#431]) 37 | - Rust 2021 edition upgrade; MSRV 1.56+ ([#435]) 38 | - Bump `aead` crate dependency to v0.5 ([#444]) 39 | 40 | [#360]: https://github.com/RustCrypto/AEADs/pull/360 41 | [#401]: https://github.com/RustCrypto/AEADs/pull/401 42 | [#431]: 
https://github.com/RustCrypto/AEADs/pull/431 43 | [#435]: https://github.com/RustCrypto/AEADs/pull/435 44 | [#444]: https://github.com/RustCrypto/AEADs/pull/444 45 | [#446]: https://github.com/RustCrypto/AEADs/pull/446 46 | 47 | ## 0.6.2 (2021-07-20) 48 | ### Changed 49 | - Pin `zeroize` dependency to v1.3 ([#349]) 50 | 51 | [#349]: https://github.com/RustCrypto/AEADs/pull/349 52 | 53 | ## 0.6.1 (2021-06-26) 54 | ### Fixed 55 | - `pmac` crate feature ([#321]) 56 | 57 | [#321]: https://github.com/RustCrypto/AEADs/pull/321 58 | 59 | ## 0.6.0 (2021-04-29) 60 | ### Added 61 | - AES-SIV-CMAC Wycheproof test vectors ([#276]) 62 | 63 | ### Changed 64 | - Bump `aead` crate dependency to v0.4 ([#270]) 65 | - Bump `aes` and `ctr` crate dependencies to v0.7 ([#283]) 66 | - Bump `cmac` and `pmac` deps to v0.6 releases ([#285]) 67 | 68 | [#270]: https://github.com/RustCrypto/AEADs/pull/270 69 | [#276]: https://github.com/RustCrypto/AEADs/pull/276 70 | [#283]: https://github.com/RustCrypto/AEADs/pull/283 71 | [#285]: https://github.com/RustCrypto/AEADs/pull/285 72 | 73 | ## 0.5.0 (2020-10-16) 74 | ### Changed 75 | - Replace `block-cipher`/`stream-cipher` with `cipher` crate ([#229]) 76 | - Bump `aes` dependency to v0.6 ([#229]) 77 | 78 | [#229]: https://github.com/RustCrypto/AEADs/pull/229 79 | 80 | ## 0.4.0 (2020-09-17) 81 | ### Added 82 | - Optional `std` feature; disabled by default ([#217]) 83 | 84 | ### Changed 85 | - Upgrade `aes` to v0.5; `block-cipher` to v0.8 ([#209]) 86 | 87 | [#217]: https://github.com/RustCrypto/AEADs/pull/217 88 | [#209]: https://github.com/RustCrypto/AEADs/pull/209 89 | 90 | ## 0.3.0 (2019-06-06) 91 | ### Changed 92 | - Bump `aead` crate dependency to v0.3.0; MSRV 1.41+ ([#143]) 93 | - Use `copy_within` ([#57]) 94 | 95 | [#143]: https://github.com/RustCrypto/AEADs/pull/143 96 | [#57]: https://github.com/RustCrypto/AEADs/pull/57 97 | 98 | ## 0.2.0 (2019-11-26) 99 | ### Added 100 | - `heapless` feature ([#51]) 101 | 102 | ### Changed 103 | - Switch 
from `AeadMut` to `Aead` ([#47]) 104 | - Make `Siv::new` type-safe via `typenum` arithmetic ([#45]) 105 | - Upgrade `aead` crate to v0.2; `alloc` now optional ([#44]) 106 | 107 | [#51]: https://github.com/RustCrypto/AEADs/pull/51 108 | [#47]: https://github.com/RustCrypto/AEADs/pull/47 109 | [#45]: https://github.com/RustCrypto/AEADs/pull/45 110 | [#44]: https://github.com/RustCrypto/AEADs/pull/44 111 | 112 | ## 0.1.2 (2019-11-14) 113 | ### Changed 114 | - Upgrade to `zeroize` 1.0 ([#36]) 115 | 116 | [#36]: https://github.com/RustCrypto/AEADs/pull/36 117 | 118 | ## 0.1.1 (2019-10-06) 119 | 120 | - Initial release 121 | -------------------------------------------------------------------------------- /aes-siv/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "aes-siv" 3 | version = "0.8.0-rc.0" 4 | description = """ 5 | Pure Rust implementation of the AES-SIV Misuse-Resistant Authenticated 6 | Encryption Cipher (RFC 5297) with optional architecture-specific 7 | hardware acceleration 8 | """ 9 | authors = ["RustCrypto Developers"] 10 | edition = "2024" 11 | license = "Apache-2.0 OR MIT" 12 | readme = "README.md" 13 | documentation = "https://docs.rs/aes-siv" 14 | repository = "https://github.com/RustCrypto/AEADs" 15 | keywords = ["aead", "aes", "encryption", "siv"] 16 | categories = ["cryptography", "no-std"] 17 | rust-version = "1.85" 18 | 19 | [dependencies] 20 | aead = "0.6.0-rc.1" 21 | aes = "0.9.0-rc.0" 22 | cipher = "0.5.0-rc.0" 23 | cmac = "0.8.0-rc.0" 24 | ctr = "0.10.0-rc.0" 25 | dbl = "0.4.0-rc.1" 26 | digest = { version = "0.11.0-rc.0", features = ["mac"] } 27 | zeroize = { version = "1", optional = true, default-features = false } 28 | 29 | # optional dependencies 30 | pmac = { version = "0.8.0-rc.0", optional = true } 31 | 32 | [dev-dependencies] 33 | aead = { version = "0.6.0-rc.1", features = ["alloc", "dev"], default-features = false } 34 | blobby = "0.4.0-pre.0" 35 | hex-literal = "1" 
36 | 37 | [features] 38 | default = ["alloc", "os_rng"] 39 | alloc = ["aead/alloc"] 40 | arrayvec = ["aead/arrayvec"] 41 | bytes = ["aead/bytes"] 42 | os_rng = ["aead/os_rng", "rand_core"] 43 | heapless = ["aead/heapless"] 44 | rand_core = ["aead/rand_core"] 45 | 46 | [package.metadata.docs.rs] 47 | all-features = true 48 | rustdoc-args = ["--cfg", "docsrs"] 49 | -------------------------------------------------------------------------------- /aes-siv/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 
26 | -------------------------------------------------------------------------------- /aes-siv/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: AES-SIV (Misuse-Resistant Authenticated Encryption Cipher) 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | [AES-SIV][1] ([RFC 5297][2]) is an [Authenticated Encryption with Associated Data (AEAD)][3] 11 | cipher which also provides [nonce reuse misuse resistance][4]. 12 | 13 | [Documentation][docs-link] 14 | 15 | ## Security Warning 16 | 17 | No security audits of this crate have ever been performed, and it has not been 18 | thoroughly assessed to ensure its operation is constant-time on common CPU 19 | architectures. 20 | 21 | USE AT YOUR OWN RISK! 22 | 23 | ## License 24 | 25 | Licensed under either of: 26 | 27 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 28 | * [MIT license](http://opensource.org/licenses/MIT) 29 | 30 | at your option. 31 | 32 | ### Contribution 33 | 34 | Unless you explicitly state otherwise, any contribution intentionally submitted 35 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 36 | dual licensed as above, without any additional terms or conditions. 
37 | 38 | [//]: # (badges) 39 | 40 | [crate-image]: https://img.shields.io/crates/v/aes-siv 41 | [crate-link]: https://crates.io/crates/aes-siv 42 | [docs-image]: https://docs.rs/aes-siv/badge.svg 43 | [docs-link]: https://docs.rs/aes-siv/ 44 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 45 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 46 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 47 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 48 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/aes-siv/badge.svg?branch=master&event=push 49 | [build-link]: https://github.com/RustCrypto/AEADs/actions 50 | 51 | [//]: # (general links) 52 | 53 | [1]: https://github.com/miscreant/meta/wiki/AES-SIV 54 | [2]: https://tools.ietf.org/html/rfc5297 55 | [3]: https://en.wikipedia.org/wiki/Authenticated_encryption 56 | [4]: https://github.com/miscreant/meta/wiki/Nonce-Reuse-Misuse-Resistance 57 | [5]: https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html 58 | [6]: https://codahale.com/towards-a-safer-footgun/ 59 | -------------------------------------------------------------------------------- /aes-siv/tests/data/wycheproof-256.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/aes-siv/tests/data/wycheproof-256.blb -------------------------------------------------------------------------------- /aes-siv/tests/data/wycheproof-512.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/aes-siv/tests/data/wycheproof-512.blb -------------------------------------------------------------------------------- /ascon-aead128/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # 
Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## 0.5.0 (UNRELEASED) 8 | ### Changed 9 | - Bump `aead` from `0.5` to `0.6` ([#583]) 10 | - Edition changed to 2024 and MSRV bumped to 1.85 ([#662]) 11 | - Relax MSRV policy and allow MSRV bumps in patch releases 12 | - `getrandom` feature renamed as `os_rng` ([#662]) 13 | - Update for compliance with NIST [draft] 14 | - Rename `Ascon128` to `AsconAead128` 15 | 16 | ### Removed 17 | - `std` and `stream` features ([#662]) 18 | - `Ascon80pq` and `Ascon128a` 19 | 20 | [#583]: https://github.com/RustCrypto/AEADs/pull/583 21 | [#662]: https://github.com/RustCrypto/AEADs/pull/662 22 | [draft]: https://doi.org/10.6028/NIST.SP.800-232.ipd 23 | 24 | ## 0.4.3 (2025-03-03) 25 | ### Fixed 26 | - Zeroize buffer during decryption on failed tag check ([#659]) 27 | 28 | [#659]: https://github.com/RustCrypto/AEADs/pull/659 29 | 30 | ## 0.4.2 (2023-03-21) 31 | ### Changed 32 | - Drop MSRV back to 1.56 and keep it in sync with `ascon` ([#514]) 33 | - Relicense as Apache-2.0 or MIT ([#514]) 34 | 35 | [#514]: https://github.com/RustCrypto/AEADs/pull/514 36 | 37 | ## 0.4.1 (2023-03-17) 38 | 39 | * Replace `ascon-core` with `ascon`. 40 | * Bump MSRV to 1.60. 41 | 42 | ## 0.4 (2022-08-01) 43 | 44 | * Port to aead 0.5. 
45 | 46 | ## 0.3 (2022-06-03) 47 | 48 | * Remove implementation of the Ascon permutation 49 | * Add dependency on `ascon-core` 50 | * Remove parameters from the public interface 51 | 52 | ## 0.2 (2022-05-28) 53 | 54 | * Implement support for Ascon-80pq 55 | * Change interface to closer resemble `aead` 56 | * `Key`, `Tag` and `Nonce` are now re-exported from `aead` 57 | * Reduce the number of re-exports 58 | * Bump `zeroize` dependency to 1.5 59 | 60 | ## 0.1.4 (2022-03-14) 61 | 62 | * Bump edition to 2021 and MSRV to 1.56 63 | * Remove dependency on `cipher` 64 | 65 | ## 0.1.3 (2021-10-22) 66 | 67 | * Declare MSRV as 1.51 68 | * Avoid `>=` dependencies 69 | 70 | ## 0.1.2 (2021-10-19) 71 | 72 | * Bump `aead` dependency to 0.4 73 | * Bump `cipher` dependency to 0.3 74 | 75 | ## 0.1.1 (2021-10-19) 76 | 77 | * Add benchmarks 78 | * Minor code improvements 79 | 80 | ## 0.1 (2021-04-28) 81 | 82 | * Initial release 83 | -------------------------------------------------------------------------------- /ascon-aead128/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ascon-aead128" 3 | version = "0.1.0-pre" 4 | description = "Implementation of the Ascon-AEAD128 authenticated encryption scheme" 5 | authors = ["RustCrypto Developers"] 6 | edition = "2024" 7 | license = "Apache-2.0 OR MIT" 8 | readme = "README.md" 9 | repository = "https://github.com/RustCrypto/AEADs" 10 | keywords = ["AEAD", "ascon", "encryption"] 11 | categories = ["cryptography", "no-std"] 12 | rust-version = "1.85" 13 | 14 | [dependencies] 15 | aead = { version = "0.6.0-rc.1", default-features = false } 16 | subtle = { version = "2", default-features = false } 17 | zeroize = { version = "1.6", optional = true, default-features = false, features = ["derive"] } 18 | ascon = "0.4" 19 | 20 | [dev-dependencies] 21 | aead = { version = "0.6.0-rc.1", features = ["dev"] } 22 | 23 | [features] 24 | default = ["alloc", "os_rng"] 25 | alloc = 
["aead/alloc"] 26 | arrayvec = ["aead/arrayvec"] 27 | bytes = ["aead/bytes"] 28 | os_rng = ["aead/os_rng", "rand_core"] 29 | heapless = ["aead/heapless"] 30 | rand_core = ["aead/rand_core"] 31 | zeroize = ["dep:zeroize", "ascon/zeroize"] 32 | 33 | [package.metadata.docs.rs] 34 | all-features = true 35 | rustdoc-args = ["--cfg", "docsrs"] 36 | -------------------------------------------------------------------------------- /ascon-aead128/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2021-2023 Sebastian Ramacher 2 | Copyright (c) 2023 The RustCrypto Project Developers 3 | 4 | Permission is hereby granted, free of charge, to any 5 | person obtaining a copy of this software and associated 6 | documentation files (the "Software"), to deal in the 7 | Software without restriction, including without 8 | limitation the rights to use, copy, modify, merge, 9 | publish, distribute, sublicense, and/or sell copies of 10 | the Software, and to permit persons to whom the Software 11 | is furnished to do so, subject to the following 12 | conditions: 13 | 14 | The above copyright notice and this permission notice 15 | shall be included in all copies or substantial portions 16 | of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 19 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 20 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 21 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 22 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 23 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 24 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 25 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 26 | DEALINGS IN THE SOFTWARE. 
27 | -------------------------------------------------------------------------------- /ascon-aead128/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: Ascon 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the lightweight 11 | [Authenticated Encryption with Associated Data (AEAD)][1] algorithm 12 | [Ascon-AEAD128][2]. 13 | 14 | ## Security Notes 15 | 16 | No security audits of this crate have ever been performed. 17 | 18 | USE AT YOUR OWN RISK! 19 | 20 | ## License 21 | 22 | Licensed under either of: 23 | 24 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 25 | * [MIT license](http://opensource.org/licenses/MIT) 26 | 27 | at your option. 28 | 29 | ### Contribution 30 | 31 | Unless you explicitly state otherwise, any contribution intentionally submitted 32 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 33 | dual licensed as above, without any additional terms or conditions. 
34 | 35 | [//]: # (badges) 36 | 37 | [crate-image]: https://img.shields.io/crates/v/ascon-aead128 38 | [crate-link]: https://crates.io/crates/ascon-aead128 39 | [docs-image]: https://docs.rs/ascon-aead128/badge.svg 40 | [docs-link]: https://docs.rs/ascon-aead128 41 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 42 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 43 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 44 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 45 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/ascon-aead128/badge.svg?branch=master&event=push 46 | [build-link]: https://github.com/RustCrypto/AEADs/actions 47 | 48 | [//]: # (general links) 49 | 50 | [1]: https://en.wikipedia.org/wiki/Authenticated_encryption 51 | [2]: https://doi.org/10.6028/NIST.SP.800-232.ipd 52 | -------------------------------------------------------------------------------- /ascon-aead128/tests/data/reference_kats.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ascon-aead128/tests/data/reference_kats.blb -------------------------------------------------------------------------------- /ascon-aead128/tests/reference_kats.rs: -------------------------------------------------------------------------------- 1 | #![cfg(feature = "alloc")] // TODO: remove after migration to the new `aead` crate 2 | use ascon_aead128::{ 3 | AsconAead128, 4 | aead::{Aead, KeyInit, Nonce, Payload, dev::blobby}, 5 | }; 6 | 7 | fn run_pass_test( 8 | cipher: &C, 9 | nonce: &Nonce, 10 | aad: &[u8], 11 | pt: &[u8], 12 | ct: &[u8], 13 | ) -> Result<(), &'static str> { 14 | let res = cipher 15 | .encrypt(nonce, Payload { aad, msg: pt }) 16 | .map_err(|_| "encryption failure")?; 17 | if res != ct { 18 | return Err("encrypted data is different from target ciphertext"); 19 
| } 20 | 21 | let res = cipher 22 | .decrypt(nonce, Payload { aad, msg: ct }) 23 | .map_err(|_| "decryption failure")?; 24 | if res != pt { 25 | return Err("decrypted data is different from target plaintext"); 26 | } 27 | 28 | Ok(()) 29 | } 30 | 31 | #[macro_export] 32 | macro_rules! new_pass_test { 33 | ($name:ident, $test_name:expr, $cipher:ty $(,)?) => { 34 | #[test] 35 | fn $name() { 36 | use blobby::Blob5Iterator; 37 | use $crate::KeyInit; 38 | 39 | let data = include_bytes!(concat!("data/", $test_name, ".blb")); 40 | for (i, row) in Blob5Iterator::new(data).unwrap().enumerate() { 41 | let [key, nonce, aad, pt, ct] = row.unwrap(); 42 | let key = key.try_into().expect("wrong key size"); 43 | let nonce = nonce.try_into().expect("wrong nonce size"); 44 | let cipher = <$cipher as KeyInit>::new(key); 45 | let res = run_pass_test(&cipher, nonce, aad, pt, ct); 46 | if let Err(reason) = res { 47 | panic!( 48 | "\n\ 49 | Failed (pass) test #{i}\n\ 50 | reason:\t{reason:?}\n\ 51 | key:\t{key:?}\n\ 52 | nonce:\t{nonce:?}\n\ 53 | aad:\t{aad:?}\n\ 54 | plaintext:\t{pt:?}\n\ 55 | ciphertext:\t{ct:?}\n" 56 | ); 57 | } 58 | } 59 | } 60 | }; 61 | } 62 | 63 | // Test vectors are taken from the reference Ascon implementation: 64 | // https://github.com/ascon/ascon-c/blob/fdfca408/crypto_aead/asconaead128/LWC_AEAD_KAT_128_128.txt 65 | new_pass_test!(ascon_aead_reference_kats, "reference_kats", AsconAead128); 66 | -------------------------------------------------------------------------------- /belt-dwp/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
6 | 7 | ## 0.1.0 (UNRELEASED) 8 | - Initial release 9 | -------------------------------------------------------------------------------- /belt-dwp/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "belt-dwp" 3 | version = "0.1.0-pre" 4 | description = "Pure Rust implementation of the Belt-DWP authenticated encryption algorithm (STB 34.101.31-2020)" 5 | edition = "2024" 6 | license = "Apache-2.0 OR MIT" 7 | readme = "README.md" 8 | documentation = "https://docs.rs/belt-dwp" 9 | repository = "https://github.com/RustCrypto/AEADs/tree/master/belt-dwp" 10 | keywords = ["aead", "belt-dwp"] 11 | categories = ["cryptography", "no-std"] 12 | rust-version = "1.85" 13 | 14 | [dependencies] 15 | aead = { version = "0.6.0-rc.1", default-features = false } 16 | zeroize = { version = "1.7", default-features = false, optional = true } 17 | universal-hash = { version = "0.6.0-rc.1" } 18 | opaque-debug = { version = "0.3" } 19 | subtle = { version = "2", default-features = false } 20 | 21 | belt-block = { version = "0.2.0-rc.0" } 22 | belt-ctr = { version = "0.2.0-rc.0" } 23 | 24 | [dev-dependencies] 25 | hex-literal = "1" 26 | 27 | [features] 28 | default = ["alloc", "os_rng"] 29 | alloc = ["aead/alloc"] 30 | arrayvec = ["aead/arrayvec"] 31 | bytes = ["aead/bytes"] 32 | os_rng = ["aead/os_rng", "rand_core"] 33 | heapless = ["aead/heapless"] 34 | rand_core = ["aead/rand_core"] 35 | reduced-round = [] 36 | zeroize = ["dep:zeroize", "belt-ctr/zeroize"] 37 | 38 | [package.metadata.docs.rs] 39 | all-features = true 40 | -------------------------------------------------------------------------------- /belt-dwp/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2025 The RustCrypto Project Developers 2 | Copyright (c) 2025 Alexandr Kitaev 3 | 4 | Permission is hereby granted, free of charge, to any 5 | person obtaining a copy of this software and associated 6 | 
documentation files (the "Software"), to deal in the 7 | Software without restriction, including without 8 | limitation the rights to use, copy, modify, merge, 9 | publish, distribute, sublicense, and/or sell copies of 10 | the Software, and to permit persons to whom the Software 11 | is furnished to do so, subject to the following 12 | conditions: 13 | 14 | The above copyright notice and this permission notice 15 | shall be included in all copies or substantial portions 16 | of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 19 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 20 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 21 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 22 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 23 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 24 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 25 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 26 | DEALINGS IN THE SOFTWARE. 27 | -------------------------------------------------------------------------------- /belt-dwp/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: BeltDwp 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the `belt-dwp` [AEAD] algorithm 11 | specified in the republic of Belarus standard [STB 34.101.31-2020]. 12 | 13 | ## Security Notes 14 | 15 | No security audits of this crate have ever been performed, and it has not been thoroughly assessed to ensure its operation is constant-time on common CPU architectures. 16 | 17 | USE AT YOUR OWN RISK! 
18 | 19 | ## License 20 | 21 | Licensed under either of: 22 | 23 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 24 | * [MIT license](http://opensource.org/licenses/MIT) 25 | 26 | at your option. 27 | 28 | ### Contribution 29 | 30 | Unless you explicitly state otherwise, any contribution intentionally submitted 31 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 32 | dual licensed as above, without any additional terms or conditions. 33 | 34 | [//]: # (badges) 35 | 36 | [crate-image]: https://buildstats.info/crate/belt-dwp 37 | [crate-link]: https://crates.io/crates/belt-dwp 38 | [docs-image]: https://docs.rs/belt-dwp/badge.svg 39 | [docs-link]: https://docs.rs/belt-dwp/ 40 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 41 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 42 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 43 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 44 | [downloads-image]: https://img.shields.io/crates/d/chacha20poly1305.svg 45 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/belt-dwp/badge.svg?branch=master&event=push 46 | [build-link]: https://github.com/RustCrypto/AEADs/actions 47 | 48 | [//]: # (general links) 49 | 50 | [STB 34.101.31-2020]: https://apmi.bsu.by/assets/files/std/belt-spec372.pdf 51 | [AEAD]: https://en.wikipedia.org/wiki/Authenticated_encryption 52 | -------------------------------------------------------------------------------- /belt-dwp/src/gf.rs: -------------------------------------------------------------------------------- 1 | use aead::array::{Array, ArraySize}; 2 | 3 | mod utils; 4 | 5 | pub(crate) mod gf128_soft64; 6 | 7 | pub trait GfElement { 8 | type N: ArraySize; 9 | 10 | fn new() -> Self; 11 | fn into_bytes(self) -> Array; 12 | fn mul_sum(&mut self, a: &Array, b: &Array); 13 | } 14 | 15 | /// Tests from Appendix A, table 18 of [STB 
34.101.31-2020](https://apmi.bsu.by/assets/files/std/belt-spec372.pdf)
#[test]
fn test_a18() {
    use crate::gf::gf128_soft64::Element;
    use aead::consts::U16;
    use hex_literal::hex;

    type Block = Array;

    // (u, v, w) triples from the spec table: w is the expected product u * v.
    let test_vectors = [
        (
            hex!("34904055 11BE3297 1343724C 5AB793E9"),
            hex!("22481783 8761A9D6 E3EC9689 110FB0F3"),
            hex!("0001D107 FC67DE40 04DC2C80 3DFD95C3"),
        ),
        (
            hex!("703FCCF0 95EE8DF1 C1ABF8EE 8DF1C1AB"),
            hex!("2055704E 2EDB48FE 87E74075 A5E77EB1"),
            hex!("4A5C9593 8B3FE8F6 74D59BC1 EB356079"),
        ),
    ];
    for (u, v, w) in test_vectors {
        let a = Block::try_from(&u[..]).unwrap();
        let b = Block::try_from(&v[..]).unwrap();
        let c = Block::try_from(&w[..]).unwrap();

        // `mul_sum` XORs `a * b` into the element; starting from zero the
        // result is exactly the product, so it must serialize to `w`.
        let mut elem = Element::new();
        elem.mul_sum(&a, &b);

        assert_eq!(c, elem.into_bytes());
    }
}
-------------------------------------------------------------------------------- /belt-dwp/src/gf/gf128_soft64.rs: --------------------------------------------------------------------------------
use aead::{array::Array, consts::U16};
use core::ops::{Add, Mul};

use super::{GfElement, utils::bmul64};

/// Portable (64-bit limb, no intrinsics) element of the GF(2^128) used by
/// the belt-dwp GHASH.
///
/// `.0` is the high 64 bits and `.1` the low 64 bits: `From<u128>` below
/// splits `x` as `(x >> 64, x as u64)`.
#[derive(Copy, Clone, Debug, Default, Eq, PartialEq)]
pub struct Element(u64, u64);

// NOTE(review): the generic arguments of this alias appear to have been
// stripped from this rendering; from the `U16` import it is presumably a
// 16-byte `Array<u8, U16>`.
type Block = Array;

impl GfElement for Element {
    type N = U16;

    /// The zero element.
    #[inline(always)]
    fn new() -> Self {
        Self(0, 0)
    }

    /// Serializes as 16 little-endian bytes: the low limb (`.1`) fills
    /// bytes 0..8 and the high limb (`.0`) fills bytes 8..16.
    /// Inverse of `from_block`.
    #[inline(always)]
    fn into_bytes(self) -> Block {
        let mut block = Block::default();
        block[8..].copy_from_slice(&self.0.to_le_bytes());
        block[..8].copy_from_slice(&self.1.to_le_bytes());
        block
    }

    /// Computes `self ^= a * b` in GF(2^128).
    ///
    /// Both blocks are decoded with `from_block`, multiplied as 128-bit
    /// polynomials over GF(2) with one level of Karatsuba (three `bmul64`
    /// calls instead of four), and the 256-bit product is reduced modulo
    /// f(w) = w^128 + w^7 + w^2 + w + 1 before being XORed into `self`.
    #[allow(clippy::many_single_char_names)]
    fn mul_sum(&mut self, a: &Block, b: &Block) {
        let [a1, a0] = from_block(a);
        let [b1, b0] = from_block(b);

        // Karatsuba operands for the middle term: (a1 ^ a0) * (b1 ^ b0).
        let a2 = a1 ^ a0;
        let b2 = b1 ^ b0;

        // Multiply using Karatsuba multiplication
        let c = bmul64(a1, b1); // high * high
        let d = bmul64(a0, b0); // low * low
        let e = bmul64(a2, b2); // (a1 ^ a0) * (b1 ^ b0)
        // Cross term a1*b0 ^ a0*b1, recovered by cancelling c and d out of e.
        let t = c ^ d ^ e;
        // The 256-bit product c*w^128 ^ t*w^64 ^ d as four 64-bit limbs,
        // v0 least significant, v3 most significant.
        let v0 = d as u64;
        let v1 = ((d >> 64) ^ t) as u64;
        let v2 = (c ^ (t >> 64)) as u64;
        let v3 = (c >> 64) as u64;

        // reduce over polynomial f(w) = w^128 + w^7 + w^2 + w + 1
        // Two-step fold: the top limb v3 is first folded into v2 (giving d),
        // then both v3 and d are folded into the low 128 bits.
        let d = v2 ^ (v3 >> 63) ^ (v3 >> 62) ^ (v3 >> 57);
        self.1 ^= v0 ^ d ^ (d << 1) ^ (d << 2) ^ (d << 7);
        self.0 ^= v1 ^ v3 ^ (v3 << 1) ^ (v3 << 2) ^ (v3 << 7) ^ (d >> 63) ^ (d >> 62) ^ (d >> 57);
    }
}

impl From for Element {
    /// Splits a `u128` into `(high, low)` limbs.
    fn from(x: u128) -> Self {
        Self((x >> 64) as u64, x as u64)
    }
}

impl From for Element {
    /// Decodes a 16-byte little-endian block; see `from_block`.
    fn from(block: Block) -> Self {
        let [a, b] = from_block(&block);
        Self(a, b)
    }
}

impl From for Block {
    /// Same as `Element::into_bytes`.
    fn from(element: Element) -> Self {
        element.into_bytes()
    }
}

impl From<&Block> for Element {
    /// Borrowing variant of the `Block` conversion above.
    fn from(block: &Block) -> Self {
        let [a, b] = from_block(block);
        Self(a, b)
    }
}

/// Decodes a 16-byte block into `[high, low]` limbs: bytes 8..16 become the
/// high limb and bytes 0..8 the low limb, each read little-endian.
/// Inverse of `Element::into_bytes`.
#[inline(always)]
fn from_block(block: &Block) -> [u64; 2] {
    let (a, b) = block.split_at(8);
    [
        u64::from_le_bytes(b.try_into().unwrap()),
        u64::from_le_bytes(a.try_into().unwrap()),
    ]
}

/// Addition in GF(2^128) is limb-wise XOR.
impl Add for Element {
    type Output = Self;

    fn add(self, rhs: Self) -> Self {
        Self(self.0 ^ rhs.0, self.1 ^ rhs.1)
    }
}

/// Multiplication routes through `mul_sum` on a fresh zero element, so the
/// result is exactly `self * rhs`; both operands round-trip through bytes.
impl Mul for Element {
    type Output = Self;

    fn mul(self, rhs: Self) -> Self {
        let mut res = Self::new();
        res.mul_sum(&self.into_bytes(), &rhs.into_bytes());
        res
    }
}
-------------------------------------------------------------------------------- /belt-dwp/src/gf/utils.rs: --------------------------------------------------------------------------------
#![allow(unused)]
use core::num::Wrapping;

/// Carry-less multiplication of two 64-bit polynomials over GF(2), returning
/// the full 128-bit product. (An earlier wording described the result as
/// "truncated to the low 64-bits"; that does not match this implementation —
/// the masks below are 128 bits wide and nothing is discarded.)
///
/// Each operand is split into four interleaved combs (every fourth bit) with
/// "holes" (sequences of zeroes) between the set bits. Ordinary integer
/// multiplication of two combs can then carry only into a hole, and those
/// carries are masked out of the result afterwards. `z_k` collects exactly the
/// products `x_i * y_j` with `i + j ≡ k (mod 4)`, so each partial result lands
/// in its own comb before being OR-ed together.
///
/// NOTE(review): this technique assumes the target's `u128` multiplication
/// takes time independent of the operand values. That holds on common 64-bit
/// CPUs but is not guaranteed by the language or every target — confirm on
/// any platform where a constant-time GHASH is required.
pub(super) fn bmul64(x: u64, y: u64) -> u128 {
    let x0 = Wrapping((x & 0x1111_1111_1111_1111) as u128);
    let x1 = Wrapping((x & 0x2222_2222_2222_2222) as u128);
    let x2 = Wrapping((x & 0x4444_4444_4444_4444) as u128);
    let x3 = Wrapping((x & 0x8888_8888_8888_8888) as u128);
    let y0 = Wrapping((y & 0x1111_1111_1111_1111) as u128);
    let y1 = Wrapping((y & 0x2222_2222_2222_2222) as u128);
    let y2 = Wrapping((y & 0x4444_4444_4444_4444) as u128);
    let y3 = Wrapping((y & 0x8888_8888_8888_8888) as u128);

    // Wrapping: any overflow of the integer multiply is deliberate and is
    // removed by the masks below.
    let mut z0 = ((x0 * y0) ^ (x1 * y3) ^ (x2 * y2) ^ (x3 * y1)).0;
    let mut z1 = ((x0 * y1) ^ (x1 * y0) ^ (x2 * y3) ^ (x3 * y2)).0;
    let mut z2 = ((x0 * y2) ^ (x1 * y1) ^ (x2 * y0) ^ (x3 * y3)).0;
    let mut z3 = ((x0 * y3) ^ (x1 * y2) ^ (x2 * y1) ^ (x3 * y0)).0;

    // Keep only the comb each partial product belongs to; the carries that
    // spilled into the holes are dropped here.
    z0 &= 0x1111_1111_1111_1111_1111_1111_1111_1111;
    z1 &= 0x2222_2222_2222_2222_2222_2222_2222_2222;
    z2 &= 0x4444_4444_4444_4444_4444_4444_4444_4444;
    z3 &= 0x8888_8888_8888_8888_8888_8888_8888_8888;

    z0 | z1 | z2 | z3
}
-------------------------------------------------------------------------------- /belt-dwp/src/ghash.rs: --------------------------------------------------------------------------------
use aead::array::Array;
use aead::consts::{U1, U16};
use aead::{KeyInit, KeySizeUser};
use belt_block::cipher::{BlockSizeUser, ParBlocksSizeUser};
use universal_hash::{Reset, UhfBackend, UhfClosure, UniversalHash};

use crate::gf::gf128_soft64::Element;

/// GHASH keys (16-bytes)
pub type Key = Array;

/// GHASH blocks (16-bytes)
pub type Block = Array;

/// GHASH tags (16-bytes)
pub type Tag = Array;

/// GHASH-style universal hash over the belt-dwp GF(2^128), backed by the
/// software `Element` above.
#[derive(Clone)]
pub struct GHash {
    /// Running state: the polynomial evaluation accumulated so far.
    s: Element,
    /// Hash key `H`; the state is multiplied by it once per processed block.
    h: Element,
}

| 24 | impl KeySizeUser for GHash { 25 | type KeySize = U16; 26 | } 27 | 28 | impl BlockSizeUser for GHash { 29 | type BlockSize = U16; 30 | } 31 | 32 | impl KeyInit for GHash { 33 | fn new(h: &Key) -> Self { 34 | Self::new_with_init_block(h, 0) 35 | } 36 | } 37 | 38 | impl GHash { 39 | pub(crate) fn new_with_init_block(h: &Key, s: u128) -> Self { 40 | Self { 41 | s: Element::from(s), 42 | h: Element::from(h), 43 | } 44 | } 45 | 46 | pub(crate) fn xor_s(&mut self, x: &Block) { 47 | self.s = self.s + Element::from(x); 48 | } 49 | } 50 | 51 | impl ParBlocksSizeUser for GHash { 52 | type ParBlocksSize = U1; 53 | } 54 | 55 | impl UhfBackend for GHash { 56 | fn proc_block(&mut self, x: &Block) { 57 | self.s = (self.s + Element::from(x)) * self.h; 58 | } 59 | } 60 | 61 | impl UniversalHash for GHash { 62 | fn update_with_backend(&mut self, f: impl UhfClosure) { 63 | f.call(self) 64 | } 65 | 66 | /// Get GHASH output 67 | #[inline] 68 | fn finalize(self) -> Tag { 69 | (self.s * self.h).into() 70 | } 71 | } 72 | 73 | impl Reset for GHash { 74 | fn reset(&mut self) { 75 | self.s = Element::default(); 76 | } 77 | } 78 | 79 | opaque_debug::implement!(GHash); 80 | -------------------------------------------------------------------------------- /belt-dwp/tests/belt.rs: -------------------------------------------------------------------------------- 1 | use aead::AeadInOut; 2 | use belt_dwp::{BeltDwp, KeyInit}; 3 | use hex_literal::hex; 4 | 5 | /// Test from Appendix A, tables 19-20 of STB 34.101.31-2020: 6 | /// https://apmi.bsu.by/assets/files/std/belt-spec372.pdf 7 | #[test] 8 | fn test_belt_dwp() { 9 | struct TestVector { 10 | i: [u8; 32], 11 | k: [u8; 32], 12 | s: [u8; 16], 13 | x: [u8; 16], 14 | y: [u8; 16], 15 | t: [u8; 8], 16 | } 17 | 18 | let test_vectors = [ 19 | TestVector { 20 | i: hex!("8504FA9D 1BB6C7AC 252E72C2 02FDCE0D 5BE3D612 17B96181 FE6786AD 716B890B"), 21 | k: hex!("E9DEE72C 8F0C0FA6 2DDB49F4 6F739647 06075316 ED247A37 39CBA383 03A98BF6"), 22 | s: 
hex!("BE329713 43FC9A48 A02A885F 194B09A1"),
                x: hex!("B194BAC8 0A08F53B 366D008E 584A5DE4"),
                y: hex!("52C9AF96 FF50F644 35FC43DE F56BD797"),
                t: hex!("3B2E0AEB 2B91854B"),
            },
            TestVector {
                i: hex!("C1AB7638 9FE678CA F7C6F860 D5BB9C4F F33C657B 637C306A DD4EA779 9EB23D31"),
                k: hex!("92BD9B1C E5D14101 5445FBC9 5E4D0EF2 682080AA 227D642F 2687F934 90405511"),
                s: hex!("7ECDA4D0 1544AF8C A58450BF 66D2E88A"),
                x: hex!("DF181ED0 08A20F43 DCBBB936 50DAD34B"),
                y: hex!("E12BDC1A E28257EC 703FCCF0 95EE8DF1"),
                t: hex!("6A2C2C94 C4150DC0"),
            },
        ];

        for vec in test_vectors {
            // `x` is transformed in place, so `vec.x` stays as the plaintext reference.
            let mut x = vec.x;
            let belt_dwp = BeltDwp::new_from_slice(&vec.k).unwrap();
            // Encrypt with nonce `s` and associated data `i`: the buffer must
            // become `y` and the detached 8-byte tag must equal `t`.
            let tag = belt_dwp.encrypt_inout_detached(&vec.s.into(), &vec.i, (&mut x[..]).into());
            assert_eq!(vec.t, *tag.unwrap());
            assert_eq!(vec.y, x);
            // Decrypt in place with the same nonce/AAD/tag and check the round trip.
            belt_dwp
                .decrypt_inout_detached(&vec.s.into(), &vec.i, (&mut x[..]).into(), &tag.unwrap())
                .unwrap();
            assert_eq!(x, vec.x);
        }
    }
-------------------------------------------------------------------------------- /benches/Cargo.toml: --------------------------------------------------------------------------------
[package]
name = "benches"
version = "0.0.0"
authors = ["RustCrypto Developers"]
license = "Apache-2.0 OR MIT"
description = "Criterion benchmarks of the AEAD crates"
edition = "2021"
publish = false
rust-version = "1.56"

# An empty `[workspace]` table makes this package its own workspace root, so
# it resolves dependencies independently of any parent workspace.
[workspace]

[dependencies]
criterion = "0.4.0"
rand = "0.9.0"
aes = "=0.9.0-pre.3"
aes-gcm = { path = "../aes-gcm/" }
aes-gcm-siv = { path = "../aes-gcm-siv/" }
ascon-aead = { path = "../ascon-aead/" }
chacha20poly1305 = { path = "../chacha20poly1305/" }
deoxys = { path = "../deoxys/" }
eax = { path = "../eax/" }

# Cycle-accurate measurement is only available on x86/x86_64; other targets
# fall back to wall-clock Criterion (see the `cfg` blocks in src/*.rs).
[target.'cfg(any(target_arch = "x86_64", target_arch = "x86"))'.dependencies]
criterion-cycles-per-byte = "0.4.0"

[[bench]]
name = "aes-gcm"
path = "src/aes-gcm.rs"
harness = false

[[bench]]
name = "aes-gcm-siv"
path = "src/aes-gcm-siv.rs"
harness = false

[[bench]]
name = "ascon-aead"
path = "src/ascon-aead.rs"
harness = false

[[bench]]
name = "chacha20poly1305"
path = "src/chacha20poly1305.rs"
harness = false

[[bench]]
name = "deoxys"
path = "src/deoxys.rs"
harness = false

[[bench]]
name = "eax"
path = "src/eax.rs"
harness = false

# NOTE(review): the git patches below carry no `rev`/`tag`, so each build
# resolves whatever the upstream branch head is at that moment. That makes the
# benchmark build non-reproducible and means any change to (or compromise of)
# those branches is picked up silently. Pin each entry with
# `rev = "<commit-sha>"` (placeholder) or drop the patch once a crates.io
# release of the dependency exists.
[patch.crates-io]
aead-stream = { path = "../aead-stream" }

crypto-common = { git = "https://github.com/RustCrypto/traits.git" }
aead = { git = "https://github.com/RustCrypto/traits.git" }

chacha20 = { git = "https://github.com/RustCrypto/stream-ciphers.git" }

ctr = { git = "https://github.com/baloo/block-modes.git", branch = "baloo/edition-2024" }

ghash = { git = "https://github.com/RustCrypto/universal-hashes.git" }
polyval = { git = "https://github.com/RustCrypto/universal-hashes.git" }
-------------------------------------------------------------------------------- /benches/src/aes-gcm-siv.rs: --------------------------------------------------------------------------------
use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput};

use aes_gcm_siv::aead::{Aead, KeyInit};
use aes_gcm_siv::{Aes128GcmSiv, Aes256GcmSiv};

const KB: usize = 1024;

// On x86/x86_64 the benchmark measures cycles per byte (see the second
// `criterion_group!` further down); elsewhere it uses plain wall-clock Criterion.
// NOTE(review): the generic argument of the x86 alias appears stripped in this
// rendering; presumably `Criterion<criterion_cycles_per_byte::CyclesPerByte>`.
#[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))]
type Benchmarker = Criterion;
#[cfg(any(target_arch = "x86_64", target_arch = "x86"))]
type Benchmarker = Criterion;

/// Encrypt/decrypt throughput for AES-128-GCM-SIV and AES-256-GCM-SIV over
/// zero-filled buffers of 1–16 KiB, with an all-zero key and nonce.
///
/// The decrypt cases feed the same zero buffer, which carries no valid tag,
/// so they appear to time the verify-and-reject path; the returned `Result`
/// is discarded by `iter`.
fn bench(c: &mut Benchmarker) {
    let mut group = c.benchmark_group("aes-gcm-siv");

    for size in &[KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] {
        let buf = vec![0u8; *size];

        group.throughput(Throughput::Bytes(*size as
u64)); 20 | 21 | group.bench_function(BenchmarkId::new("encrypt-128", size), |b| { 22 | let cipher = Aes128GcmSiv::new(&Default::default()); 23 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 24 | }); 25 | group.bench_function(BenchmarkId::new("decrypt-128", size), |b| { 26 | let cipher = Aes128GcmSiv::new(&Default::default()); 27 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 28 | }); 29 | 30 | group.bench_function(BenchmarkId::new("encrypt-256", size), |b| { 31 | let cipher = Aes256GcmSiv::new(&Default::default()); 32 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 33 | }); 34 | group.bench_function(BenchmarkId::new("decrypt-256", size), |b| { 35 | let cipher = Aes256GcmSiv::new(&Default::default()); 36 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 37 | }); 38 | } 39 | 40 | group.finish(); 41 | } 42 | 43 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 44 | criterion_group!( 45 | name = benches; 46 | config = Criterion::default(); 47 | targets = bench 48 | ); 49 | 50 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 51 | criterion_group!( 52 | name = benches; 53 | config = Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte); 54 | targets = bench 55 | ); 56 | 57 | criterion_main!(benches); 58 | -------------------------------------------------------------------------------- /benches/src/aes-gcm.rs: -------------------------------------------------------------------------------- 1 | use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; 2 | 3 | use aes_gcm::aead::{Aead, KeyInit}; 4 | use aes_gcm::{Aes128Gcm, Aes256Gcm}; 5 | 6 | const KB: usize = 1024; 7 | 8 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 9 | type Benchmarker = Criterion; 10 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 11 | type Benchmarker = Criterion; 12 | 13 | fn bench(c: &mut Benchmarker) { 14 | let mut group = c.benchmark_group("aes-gcm"); 15 | 16 | 
for size in &[KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] { 17 | let buf = vec![0u8; *size]; 18 | 19 | group.throughput(Throughput::Bytes(*size as u64)); 20 | 21 | group.bench_function(BenchmarkId::new("encrypt-128", size), |b| { 22 | let cipher = Aes128Gcm::new(&Default::default()); 23 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 24 | }); 25 | group.bench_function(BenchmarkId::new("decrypt-128", size), |b| { 26 | let cipher = Aes128Gcm::new(&Default::default()); 27 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 28 | }); 29 | 30 | group.bench_function(BenchmarkId::new("encrypt-256", size), |b| { 31 | let cipher = Aes256Gcm::new(&Default::default()); 32 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 33 | }); 34 | group.bench_function(BenchmarkId::new("decrypt-256", size), |b| { 35 | let cipher = Aes256Gcm::new(&Default::default()); 36 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 37 | }); 38 | } 39 | 40 | group.finish(); 41 | } 42 | 43 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 44 | criterion_group!( 45 | name = benches; 46 | config = Criterion::default(); 47 | targets = bench 48 | ); 49 | 50 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 51 | criterion_group!( 52 | name = benches; 53 | config = Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte); 54 | targets = bench 55 | ); 56 | 57 | criterion_main!(benches); 58 | -------------------------------------------------------------------------------- /benches/src/ascon-aead.rs: -------------------------------------------------------------------------------- 1 | use criterion::{black_box, criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; 2 | 3 | use ascon_aead::aead::{AeadInPlaceDetached, KeyInit}; 4 | use ascon_aead::AsconAead128; 5 | 6 | const KB: usize = 1024; 7 | 8 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 9 | type Benchmarker = Criterion; 10 | #[cfg(any(target_arch = "x86_64", 
target_arch = "x86"))] 11 | type Benchmarker = Criterion; 12 | 13 | fn bench(name: &str, c: &mut Benchmarker) { 14 | let mut group = c.benchmark_group(name); 15 | let nonce = black_box(Default::default()); 16 | let cipher = black_box(A::new(&Default::default())); 17 | 18 | let mut buf = vec![0u8; 16 * KB]; 19 | for size in [KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] { 20 | let buf = &mut buf[..size]; 21 | let tag = cipher.encrypt_in_place_detached(&nonce, b"", buf).unwrap(); 22 | 23 | group.throughput(Throughput::Bytes(size as u64)); 24 | 25 | group.bench_function(BenchmarkId::new("encrypt-128", size), |b| { 26 | b.iter(|| cipher.encrypt_in_place_detached(&nonce, b"", buf)) 27 | }); 28 | group.bench_function(BenchmarkId::new("decrypt-128", size), |b| { 29 | b.iter(|| cipher.decrypt_in_place_detached(&nonce, b"", buf, &tag)) 30 | }); 31 | } 32 | 33 | group.finish(); 34 | } 35 | 36 | fn bench_ascon128(c: &mut Benchmarker) { 37 | bench::("Ascon-AEAD128", c); 38 | } 39 | 40 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 41 | criterion_group!( 42 | name = benches; 43 | config = Criterion::default(); 44 | targets = bench_ascon128, 45 | ); 46 | 47 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 48 | criterion_group!( 49 | name = benches; 50 | config = Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte); 51 | targets = bench_ascon128, 52 | ); 53 | 54 | criterion_main!(benches); 55 | -------------------------------------------------------------------------------- /benches/src/belt-dwp.rs: -------------------------------------------------------------------------------- 1 | use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; 2 | 3 | use belt_dwp::aead::{Aead, KeyInit}; 4 | use belt_dwp::BeltDwp; 5 | 6 | const KB: usize = 1024; 7 | 8 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 9 | type Benchmarker = Criterion; 10 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 11 
| type Benchmarker = Criterion; 12 | 13 | fn bench(c: &mut Benchmarker) { 14 | let mut group = c.benchmark_group("beltdwp"); 15 | 16 | for size in &[KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] { 17 | let buf = vec![0u8; *size]; 18 | 19 | group.throughput(Throughput::Bytes(*size as u64)); 20 | 21 | group.bench_function(BenchmarkId::new("encrypt", size), |b| { 22 | let cipher = BeltDwp::new(&Default::default()); 23 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 24 | }); 25 | group.bench_function(BenchmarkId::new("decrypt", size), |b| { 26 | let cipher = BeltDwp::new(&Default::default()); 27 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 28 | }); 29 | } 30 | 31 | group.finish(); 32 | } 33 | 34 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 35 | criterion_group!( 36 | name = benches; 37 | config = Criterion::default(); 38 | targets = bench 39 | ); 40 | 41 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 42 | criterion_group!( 43 | name = benches; 44 | config = Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte); 45 | targets = bench 46 | ); 47 | 48 | criterion_main!(benches); 49 | -------------------------------------------------------------------------------- /benches/src/chacha20poly1305.rs: -------------------------------------------------------------------------------- 1 | use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; 2 | 3 | use chacha20poly1305::aead::{Aead, KeyInit}; 4 | use chacha20poly1305::ChaCha20Poly1305; 5 | 6 | const KB: usize = 1024; 7 | 8 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 9 | type Benchmarker = Criterion; 10 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 11 | type Benchmarker = Criterion; 12 | 13 | fn bench(c: &mut Benchmarker) { 14 | let mut group = c.benchmark_group("chacha20poly1305"); 15 | 16 | for size in &[KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] { 17 | let buf = vec![0u8; *size]; 18 | 19 | 
group.throughput(Throughput::Bytes(*size as u64)); 20 | 21 | group.bench_function(BenchmarkId::new("encrypt", size), |b| { 22 | let cipher = ChaCha20Poly1305::new(&Default::default()); 23 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 24 | }); 25 | group.bench_function(BenchmarkId::new("decrypt", size), |b| { 26 | let cipher = ChaCha20Poly1305::new(&Default::default()); 27 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 28 | }); 29 | } 30 | 31 | group.finish(); 32 | } 33 | 34 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 35 | criterion_group!( 36 | name = benches; 37 | config = Criterion::default(); 38 | targets = bench 39 | ); 40 | 41 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 42 | criterion_group!( 43 | name = benches; 44 | config = Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte); 45 | targets = bench 46 | ); 47 | 48 | criterion_main!(benches); 49 | -------------------------------------------------------------------------------- /benches/src/deoxys.rs: -------------------------------------------------------------------------------- 1 | use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; 2 | 3 | use deoxys::aead::{Aead, KeyInit}; 4 | use deoxys::{DeoxysI128, DeoxysI256, DeoxysII128, DeoxysII256}; 5 | 6 | const KB: usize = 1024; 7 | 8 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 9 | type Benchmarker = Criterion; 10 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 11 | type Benchmarker = Criterion; 12 | 13 | fn bench(c: &mut Benchmarker) { 14 | let mut group = c.benchmark_group("deoxys"); 15 | 16 | for size in &[KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] { 17 | let buf = vec![0u8; *size]; 18 | 19 | group.throughput(Throughput::Bytes(*size as u64)); 20 | 21 | group.bench_function(BenchmarkId::new("encrypt-I-128", size), |b| { 22 | let cipher = DeoxysI128::new(&Default::default()); 23 | b.iter(|| 
cipher.encrypt(&Default::default(), &*buf)) 24 | }); 25 | group.bench_function(BenchmarkId::new("decrypt-I-128", size), |b| { 26 | let cipher = DeoxysI128::new(&Default::default()); 27 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 28 | }); 29 | 30 | group.bench_function(BenchmarkId::new("encrypt-I-256", size), |b| { 31 | let cipher = DeoxysI256::new(&Default::default()); 32 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 33 | }); 34 | group.bench_function(BenchmarkId::new("decrypt-I-256", size), |b| { 35 | let cipher = DeoxysI256::new(&Default::default()); 36 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 37 | }); 38 | 39 | group.bench_function(BenchmarkId::new("encrypt-II-128", size), |b| { 40 | let cipher = DeoxysII128::new(&Default::default()); 41 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 42 | }); 43 | group.bench_function(BenchmarkId::new("decrypt-II-128", size), |b| { 44 | let cipher = DeoxysII128::new(&Default::default()); 45 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 46 | }); 47 | 48 | group.bench_function(BenchmarkId::new("encrypt-II-256", size), |b| { 49 | let cipher = DeoxysII256::new(&Default::default()); 50 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 51 | }); 52 | group.bench_function(BenchmarkId::new("decrypt-II-256", size), |b| { 53 | let cipher = DeoxysII256::new(&Default::default()); 54 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 55 | }); 56 | } 57 | 58 | group.finish(); 59 | } 60 | 61 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 62 | criterion_group!( 63 | name = benches; 64 | config = Criterion::default(); 65 | targets = bench 66 | ); 67 | 68 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 69 | criterion_group!( 70 | name = benches; 71 | config = Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte); 72 | targets = bench 73 | ); 74 | 75 | criterion_main!(benches); 76 | 
-------------------------------------------------------------------------------- /benches/src/eax.rs: -------------------------------------------------------------------------------- 1 | use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; 2 | 3 | use eax::aead::{Aead, KeyInit}; 4 | 5 | type EaxAes128 = eax::Eax; 6 | type EaxAes256 = eax::Eax; 7 | 8 | const KB: usize = 1024; 9 | 10 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 11 | type Benchmarker = Criterion; 12 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 13 | type Benchmarker = Criterion; 14 | 15 | fn bench(c: &mut Benchmarker) { 16 | let mut group = c.benchmark_group("eax"); 17 | 18 | for size in &[KB, 2 * KB, 4 * KB, 8 * KB, 16 * KB] { 19 | let buf = vec![0u8; *size]; 20 | 21 | group.throughput(Throughput::Bytes(*size as u64)); 22 | 23 | group.bench_function(BenchmarkId::new("encrypt-128", size), |b| { 24 | let cipher = EaxAes128::new(&Default::default()); 25 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 26 | }); 27 | group.bench_function(BenchmarkId::new("decrypt-128", size), |b| { 28 | let cipher = EaxAes128::new(&Default::default()); 29 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 30 | }); 31 | 32 | group.bench_function(BenchmarkId::new("encrypt-256", size), |b| { 33 | let cipher = EaxAes256::new(&Default::default()); 34 | b.iter(|| cipher.encrypt(&Default::default(), &*buf)) 35 | }); 36 | group.bench_function(BenchmarkId::new("decrypt-256", size), |b| { 37 | let cipher = EaxAes256::new(&Default::default()); 38 | b.iter(|| cipher.decrypt(&Default::default(), &*buf)) 39 | }); 40 | } 41 | 42 | group.finish(); 43 | } 44 | 45 | #[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] 46 | criterion_group!( 47 | name = benches; 48 | config = Criterion::default(); 49 | targets = bench 50 | ); 51 | 52 | #[cfg(any(target_arch = "x86_64", target_arch = "x86"))] 53 | criterion_group!( 54 | name = benches; 55 | config = 
Criterion::default().with_measurement(criterion_cycles_per_byte::CyclesPerByte);
    targets = bench
);

criterion_main!(benches);
-------------------------------------------------------------------------------- /ccm/CHANGELOG.md: --------------------------------------------------------------------------------
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## 0.6.0 (UNRELEASED)
### Added
- `rand_core` feature ([#467])
- `arrayvec` support ([#503])

### Changed
- Bump `aead` from `0.5` to `0.6` ([#583])
- Bump `cipher` from `0.4` to `0.5` ([#583])
- Bump `ctr` from `0.9` to `0.10` ([#583])
- Edition changed to 2024 and MSRV bumped to 1.85 ([#662])
- Relax MSRV policy and allow MSRV bumps in patch releases
- `getrandom` feature renamed to `os_rng` ([#662])

### Removed
- `std` and `stream` features ([#662])

[#467]: https://github.com/RustCrypto/AEADs/pull/467
[#503]: https://github.com/RustCrypto/AEADs/pull/503
[#583]: https://github.com/RustCrypto/AEADs/pull/583
[#662]: https://github.com/RustCrypto/AEADs/pull/662

## 0.5.0 (2022-07-30)
### Added
- `getrandom` feature ([#446])

### Changed
- Relax `zeroize` requirement to `^1` ([#360])
- Bump `ctr`, `cipher`, and `hex-literal` dependencies ([#432])
- Rust 2021 edition upgrade; MSRV 1.56+ ([#435])
- Bump `aead` crate dependency to v0.5 ([#444])

### Removed
- `subtle` pinning ([#408])

[#360]: https://github.com/RustCrypto/AEADs/pull/360
[#408]: https://github.com/RustCrypto/AEADs/pull/408
[#432]: https://github.com/RustCrypto/AEADs/pull/432
[#435]: https://github.com/RustCrypto/AEADs/pull/435
| [#444]: https://github.com/RustCrypto/AEADs/pull/444 46 | [#446]: https://github.com/RustCrypto/AEADs/pull/446 47 | 48 | ## 0.4.4 (2021-07-20) 49 | ### Changed 50 | - Pin `subtle` dependency to v2.4 ([#349]) 51 | 52 | [#349]: https://github.com/RustCrypto/AEADs/pull/349 53 | 54 | ## 0.4.3 (2021-07-09) 55 | ### Fixed 56 | - Doc links to `typenum` constants. ([#333]) 57 | 58 | [#333]: https://github.com/RustCrypto/AEADs/pull/333 59 | 60 | ## 0.4.2 (2021-07-09) 61 | ### Added 62 | - `From` and `Clone` impls. ([#332]) 63 | 64 | ### Changed 65 | - Use the `ctr` crate for encryption and decryption. ([#332]) 66 | 67 | [#332]: https://github.com/RustCrypto/AEADs/pull/332 68 | 69 | ## 0.4.1 (2021-07-09) 70 | ### Added 71 | - Make `NonceSize` and `TagSize` traits publicly visible. ([#331]) 72 | 73 | [#331]: https://github.com/RustCrypto/AEADs/pull/331 74 | 75 | ## 0.4.0 (2021-04-29) 76 | ### Changed 77 | - Bump `aead` dependency to v0.4 ([#270]) 78 | - Bump `cipher` dependency to v0.3 ([#283]) 79 | 80 | ### Fixed 81 | - Panic on 32-bit targets ([#263]) 82 | 83 | [#263]: https://github.com/RustCrypto/AEADs/pull/263 84 | [#270]: https://github.com/RustCrypto/AEADs/pull/270 85 | [#283]: https://github.com/RustCrypto/AEADs/pull/283 86 | 87 | ## 0.3.0 (2020-10-16) 88 | ### Changed 89 | - Replace `block-cipher`/`stream-cipher` with `cipher` crate ([#229]) 90 | 91 | [#229]: https://github.com/RustCrypto/AEADs/pull/229 92 | 93 | ## 0.2.0 (2020-09-17) 94 | ### Added 95 | - Optional `std` feature; disabled by default ([#217]) 96 | 97 | ### Changed 98 | - Upgrade `aes` to v0.5; `block-cipher` to v0.8 ([#209]) 99 | 100 | [#217]: https://github.com/RustCrypto/AEADs/pull/217 101 | [#209]: https://github.com/RustCrypto/AEADs/pull/209 102 | 103 | ## 0.1.0 (2020-07-01) 104 | - Initial release ([#174]) 105 | 106 | [#174]: https://github.com/RustCrypto/AEADs/pull/174 107 | -------------------------------------------------------------------------------- /ccm/Cargo.toml: 
-------------------------------------------------------------------------------- 1 | [package] 2 | name = "ccm" 3 | version = "0.6.0-pre" 4 | description = "Generic implementation of the Counter with CBC-MAC (CCM) mode" 5 | authors = ["RustCrypto Developers"] 6 | edition = "2024" 7 | license = "Apache-2.0 OR MIT" 8 | readme = "README.md" 9 | documentation = "https://docs.rs/ccm" 10 | homepage = "https://github.com/RustCrypto/AEADs/tree/master/ccm" 11 | repository = "https://github.com/RustCrypto/AEADs" 12 | categories = ["cryptography", "no-std"] 13 | keywords = ["encryption", "aead"] 14 | rust-version = "1.85" 15 | 16 | [dependencies] 17 | aead = { version = "0.6.0-rc.1", default-features = false } 18 | cipher = { version = "0.5.0-rc.0", default-features = false } 19 | ctr = { version = "0.10.0-rc.0", default-features = false } 20 | subtle = { version = "2", default-features = false } 21 | 22 | [dev-dependencies] 23 | aead = { version = "0.6.0-rc.1", features = ["dev"], default-features = false } 24 | aes = { version = "0.9.0-rc.0" } 25 | hex-literal = "1" 26 | 27 | [features] 28 | default = ["alloc", "os_rng"] 29 | alloc = ["aead/alloc"] 30 | arrayvec = ["aead/arrayvec"] 31 | bytes = ["aead/bytes"] 32 | os_rng = ["aead/os_rng", "rand_core"] 33 | heapless = ["aead/heapless"] 34 | rand_core = ["aead/rand_core"] 35 | -------------------------------------------------------------------------------- /ccm/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2020 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished 
to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /ccm/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: CCM 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the Counter with CBC-MAC ([CCM]) mode ([RFC 3610]): an 11 | Authenticated Encryption with Associated Data ([AEAD]) algorithm generic over 12 | block ciphers with block size equal to 128 bits. 13 | 14 | For example, it can be combined with AES into the various parametrizations of 15 | AES-CCM. 16 | 17 | [Documentation][docs-link] 18 | 19 | ## Security Notes 20 | 21 | No security audits of this crate have ever been performed, and it has not been 22 | thoroughly assessed to ensure its operation is constant-time on common CPU 23 | architectures. 24 | 25 | USE AT YOUR OWN RISK! 
26 | 27 | ## License 28 | 29 | Licensed under either of: 30 | 31 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 32 | * [MIT license](http://opensource.org/licenses/MIT) 33 | 34 | at your option. 35 | 36 | ### Contribution 37 | 38 | Unless you explicitly state otherwise, any contribution intentionally submitted 39 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 40 | dual licensed as above, without any additional terms or conditions. 41 | 42 | [//]: # (badges) 43 | 44 | [crate-image]: https://img.shields.io/crates/v/ccm 45 | [crate-link]: https://crates.io/crates/ccm 46 | [docs-image]: https://docs.rs/ccm/badge.svg 47 | [docs-link]: https://docs.rs/ccm 48 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 49 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 50 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 51 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 52 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/ccm/badge.svg?branch=master&event=push 53 | [build-link]: https://github.com/RustCrypto/AEADs/actions 54 | 55 | [//]: # (general links) 56 | 57 | [RFC 3610]: https://tools.ietf.org/html/rfc3610 58 | [CCM]: https://en.wikipedia.org/wiki/CCM_mode 59 | [AEAD]: https://en.wikipedia.org/wiki/Authenticated_encryption 60 | -------------------------------------------------------------------------------- /ccm/src/private.rs: -------------------------------------------------------------------------------- 1 | use aead::{array::typenum::Unsigned, consts}; 2 | 3 | // Sealed traits stop other crates from implementing any traits that use it. 
/// Tag sizes accepted by this crate's CCM instantiations (sealed).
///
/// Only the type-level constants implemented below satisfy this trait, so
/// downstream crates cannot introduce unsupported tag lengths.
pub trait SealedTag: Unsigned {
    /// Encoded tag-length field `M' = (M - 2) / 2`, where `M` is the tag size
    /// in bytes; this is the value packed into the CCM flags byte
    /// (RFC 3610, section 2.2).
    fn get_m_tick() -> u8 {
        let tag_bytes = Self::to_u8();
        (tag_bytes - 2) / 2
    }
}

/// Nonce sizes accepted by this crate's CCM instantiations (sealed).
///
/// Only the type-level constants implemented below satisfy this trait.
pub trait SealedNonce: Unsigned {
    /// Width in bytes of the message-length field, `L = 15 - N`, where `N` is
    /// the nonce size (RFC 3610, section 2.2): the nonce and the length field
    /// together fill the 15 bytes of a counter block that are not the flags
    /// byte, so a longer nonce means a shorter length field.
    fn get_l() -> u8 {
        15u8 - Self::to_u8()
    }

    /// Largest message length representable in an `L`-byte field,
    /// `2^(8L) - 1`, clamped to `usize::MAX` on targets where it would not fit.
    ///
    /// The shift is done in `u128` so that `L = 8` (a 7-byte nonce) does not
    /// overflow; the compiler is expected to fold all of this to a constant.
    fn get_max_len() -> usize {
        let width_bits = 8 * u32::from(Self::get_l());
        let max_len: u128 = (1u128 << width_bits) - 1;
        usize::try_from(max_len).unwrap_or(usize::MAX)
    }
}

impl SealedTag for consts::U4 {}
impl SealedTag for consts::U6 {}
impl SealedTag for consts::U8 {}
impl SealedTag for consts::U10 {}
impl SealedTag for consts::U12 {}
impl SealedTag for consts::U14 {}
impl SealedTag for consts::U16 {}

impl SealedNonce for consts::U7 {}
impl SealedNonce for consts::U8 {}
impl SealedNonce for consts::U9 {}
impl SealedNonce for consts::U10 {}
impl SealedNonce for consts::U11 {}
impl SealedNonce for consts::U12 {}
impl SealedNonce for consts::U13 {}
-------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_10_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_10_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_12_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_12_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_14_13.blb: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_14_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_10.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_10.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_11.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_11.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_12.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_12.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_7.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_7.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_8.blb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_8.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_16_9.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_16_9.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_4_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_4_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_4_7.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_4_7.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_6_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_6_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes128_8_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes128_8_13.blb -------------------------------------------------------------------------------- 
/ccm/tests/data/cavp_ccm_aes192_10_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_10_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_12_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_12_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_14_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_14_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_10.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_10.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_11.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_11.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_12.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_12.blb 
-------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_7.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_7.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_8.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_8.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_16_9.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_16_9.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_4_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_4_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_4_7.blb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_4_7.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_6_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_6_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes192_8_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes192_8_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_10_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_10_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_12_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_12_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_14_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_14_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_16_10.blb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_10.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_16_11.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_11.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_16_12.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_12.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_16_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_16_7.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_7.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_16_8.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_8.blb -------------------------------------------------------------------------------- 
/ccm/tests/data/cavp_ccm_aes256_16_9.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_16_9.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_4_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_4_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_4_7.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_4_7.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_6_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_6_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/cavp_ccm_aes256_8_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/cavp_ccm_aes256_8_13.blb -------------------------------------------------------------------------------- /ccm/tests/data/rfc3610_ccm_aes128_10_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/rfc3610_ccm_aes128_10_13.blb 
-------------------------------------------------------------------------------- /ccm/tests/data/rfc3610_ccm_aes128_8_13.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ccm/tests/data/rfc3610_ccm_aes128_8_13.blb -------------------------------------------------------------------------------- /chacha20poly1305/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "chacha20poly1305" 3 | version = "0.11.0-rc.0" 4 | description = """ 5 | Pure Rust implementation of the ChaCha20Poly1305 Authenticated Encryption 6 | with Additional Data Cipher (RFC 8439) with optional architecture-specific 7 | hardware acceleration. Also contains implementations of the XChaCha20Poly1305 8 | extended nonce variant of ChaCha20Poly1305, and the reduced-round 9 | ChaCha8Poly1305 and ChaCha12Poly1305 lightweight variants. 10 | """ 11 | authors = ["RustCrypto Developers"] 12 | edition = "2024" 13 | license = "Apache-2.0 OR MIT" 14 | readme = "README.md" 15 | documentation = "https://docs.rs/chacha20poly1305" 16 | homepage = "https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305" 17 | repository = "https://github.com/RustCrypto/AEADs" 18 | keywords = ["aead", "chacha20", "poly1305", "xchacha20", "xchacha20poly1305"] 19 | categories = ["cryptography", "no-std"] 20 | rust-version = "1.85" 21 | 22 | [dependencies] 23 | aead = { version = "0.6.0-rc.1", default-features = false } 24 | chacha20 = { version = "0.10.0-rc.0", default-features = false, features = ["xchacha"] } 25 | cipher = "0.5.0-rc.0" 26 | poly1305 = "0.9.0-rc.1" 27 | zeroize = { version = "1.8", optional = true, default-features = false } 28 | 29 | [dev-dependencies] 30 | aead = { version = "0.6.0-rc.1", features = ["dev"], default-features = false } 31 | 32 | [features] 33 | default = ["alloc", "os_rng"] 34 | alloc = ["aead/alloc"] 
35 | arrayvec = ["aead/arrayvec"] 36 | bytes = ["aead/bytes"] 37 | os_rng = ["aead/os_rng", "rand_core"] 38 | heapless = ["aead/heapless"] 39 | rand_core = ["aead/rand_core"] 40 | reduced-round = [] 41 | zeroize = ["dep:zeroize", "chacha20/zeroize"] 42 | 43 | [package.metadata.docs.rs] 44 | all-features = true 45 | rustdoc-args = ["--cfg", "docsrs"] 46 | -------------------------------------------------------------------------------- /chacha20poly1305/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 
26 | -------------------------------------------------------------------------------- /chacha20poly1305/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: ChaCha20Poly1305 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of **ChaCha20Poly1305** ([RFC 8439][1]): an 11 | [Authenticated Encryption with Associated Data (AEAD)][2] cipher amenable to 12 | fast, constant-time implementations in software, based on the [ChaCha20][3] 13 | stream cipher and [Poly1305][4] universal hash function. 14 | 15 | This crate also contains an implementation of **XChaCha20Poly1305**: a variant 16 | of ChaCha20Poly1305 with an extended 192-bit (24-byte) nonce. 17 | 18 | [Documentation][docs-link] 19 | 20 | ## About 21 | 22 | ChaCha20Poly1305 is notable for being simple and fast when implemented in pure 23 | software. The underlying ChaCha20 stream cipher uses a simple combination of 24 | add, rotate, and XOR instructions (a.k.a. "ARX"), and the Poly1305 hash 25 | function is likewise extremely simple. 26 | 27 | While it has not been approved by certain standards bodies (e.g. NIST), 28 | the algorithm is widely used and deployed. Notably it is one of the cipher suites 29 | that Transport Layer Security (TLS) 1.3 implementations are recommended to support. The underlying ChaCha20 cipher 30 | is also widely used as a cryptographically secure random number generator, 31 | including internal use by the Rust standard library. 32 | 33 | ## Security Notes 34 | 35 | This crate has received one [security audit by NCC Group][5], with no significant 36 | findings. We would like to thank [MobileCoin][6] for funding the audit. Note that the audit covered the crate as it stood in early 2020; changes made since then have not been independently reviewed. 
37 | 38 | All implementations contained in the crate are designed to execute in constant 39 | time, either by relying on hardware intrinsics (e.g. AVX2 on x86/x86_64), or 40 | using a portable implementation which is only constant time on processors which 41 | implement constant-time multiplication. 42 | 43 | It is not suitable for use on processors with a variable-time multiplication 44 | operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as 45 | certain 32-bit PowerPC CPUs and some non-ARM microcontrollers). 46 | Nonces must never repeat under the same key: a repeated (key, nonce) pair reuses both the keystream and the one-time Poly1305 key derived from it, which breaks both confidentiality and authenticity. If nonces are generated at random rather than from a counter, prefer XChaCha20Poly1305, whose 192-bit nonce makes accidental collisions negligible. 47 | ## License 48 | 49 | Licensed under either of: 50 | 51 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 52 | * [MIT license](http://opensource.org/licenses/MIT) 53 | 54 | at your option. 55 | 56 | ### Contribution 57 | 58 | Unless you explicitly state otherwise, any contribution intentionally submitted 59 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 60 | dual licensed as above, without any additional terms or conditions. 
61 | 62 | [//]: # (badges) 63 | 64 | [crate-image]: https://img.shields.io/crates/v/chacha20poly1305 65 | [crate-link]: https://crates.io/crates/chacha20poly1305 66 | [docs-image]: https://docs.rs/chacha20poly1305/badge.svg 67 | [docs-link]: https://docs.rs/chacha20poly1305/ 68 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 69 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 70 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 71 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 72 | [downloads-image]: https://img.shields.io/crates/d/chacha20poly1305.svg 73 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/chacha20poly1305/badge.svg?branch=master&event=push 74 | [build-link]: https://github.com/RustCrypto/AEADs/actions 75 | 76 | [//]: # (general links) 77 | 78 | [1]: https://tools.ietf.org/html/rfc8439 79 | [2]: https://en.wikipedia.org/wiki/Authenticated_encryption 80 | [3]: https://github.com/RustCrypto/stream-ciphers/tree/master/chacha20 81 | [4]: https://github.com/RustCrypto/universal-hashes/tree/master/poly1305 82 | [5]: https://web.archive.org/web/20200606025324/https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/ 83 | [6]: https://www.mobilecoin.com/ 84 | -------------------------------------------------------------------------------- /chacha20poly1305/src/cipher.rs: -------------------------------------------------------------------------------- 1 | //! Core AEAD cipher implementation for (X)ChaCha20Poly1305. 
use ::cipher::{StreamCipher, StreamCipherSeek};
use aead::Error;
use aead::{array::Array, inout::InOutBuf};
use poly1305::{
    Poly1305,
    universal_hash::{KeyInit, UniversalHash},
};

use super::Tag;

/// Size of a ChaCha20 block in bytes.
const BLOCK_SIZE: usize = 64;

/// Maximum number of blocks that can be encrypted with ChaCha20 before the
/// 32-bit block counter overflows.
const MAX_BLOCKS: usize = u32::MAX as usize;

/// ChaCha20Poly1305 state bound to a single (key, nonce) pair.
///
/// `cipher` is the keystream generator, already keyed and nonced by the
/// caller; `mac` is the Poly1305 instance keyed from that keystream's first
/// block. Both are consumed by one `encrypt_*`/`decrypt_*` call, so a given
/// instance can only ever process one message.
pub(crate) struct Cipher<C>
where
    C: StreamCipher + StreamCipherSeek,
{
    cipher: C,
    mac: Poly1305,
}

impl<C> Cipher<C>
where
    C: StreamCipher + StreamCipherSeek,
{
    /// Build the AEAD state from a keystream generator positioned at block 0.
    ///
    /// The one-time Poly1305 key is the first 32 bytes of keystream block 0;
    /// the remainder of that block is discarded and the counter is advanced
    /// to block 1, where the message keystream begins (RFC 8439, section 2.8).
    pub(crate) fn new(mut cipher: C) -> Self {
        let mut otk = poly1305::Key::default();
        cipher.apply_keystream(&mut otk);
        let mac = Poly1305::new(&otk);

        // Don't leave the one-time MAC key behind on the stack.
        #[cfg(feature = "zeroize")]
        {
            use zeroize::Zeroize;
            otk.zeroize();
        }

        // Skip the rest of block 0: message encryption starts at counter 1.
        cipher.seek(BLOCK_SIZE as u64);

        Self { cipher, mac }
    }

    /// Encrypt `buffer` in place and return the Poly1305 tag computed over
    /// `associated_data || ciphertext` (each zero-padded to 16 bytes) followed
    /// by their lengths.
    ///
    /// Fails if the message would exhaust the 32-bit block counter or if a
    /// length does not fit in a `u64`.
    pub(crate) fn encrypt_inout_detached(
        mut self,
        associated_data: &[u8],
        mut buffer: InOutBuf<'_, '_, u8>,
    ) -> Result<Tag, Error> {
        Self::check_len(buffer.len())?;

        // MAC input order is fixed by RFC 8439: AAD, then ciphertext, then lengths.
        self.mac.update_padded(associated_data);

        // TODO(tarcieri): interleave encryption with Poly1305
        self.cipher.apply_keystream_inout(buffer.reborrow());
        self.mac.update_padded(buffer.get_out());

        self.authenticate_lengths(associated_data, buffer.get_out())?;
        Ok(self.mac.finalize())
    }

    /// Verify `tag` over `associated_data || ciphertext` and, only on success,
    /// decrypt `buffer` in place.
    ///
    /// The tag is checked before any keystream is applied, so a forged or
    /// modified ciphertext never yields plaintext. The comparison is constant
    /// time (`Poly1305::verify`, built on the `subtle` crate).
    pub(crate) fn decrypt_inout_detached(
        mut self,
        associated_data: &[u8],
        buffer: InOutBuf<'_, '_, u8>,
        tag: &Tag,
    ) -> Result<(), Error> {
        Self::check_len(buffer.len())?;

        self.mac.update_padded(associated_data);
        self.mac.update_padded(buffer.get_in());
        self.authenticate_lengths(associated_data, buffer.get_in())?;

        // Constant-time tag comparison; bail out before touching the buffer.
        self.mac.verify(tag).map_err(|_| Error)?;

        // TODO(tarcieri): interleave decryption with Poly1305
        self.cipher.apply_keystream_inout(buffer);
        Ok(())
    }

    /// Absorb the final Poly1305 block: the AAD length and the ciphertext
    /// length, each as a little-endian `u64`.
    ///
    /// Errors only if a length does not fit in 64 bits.
    fn authenticate_lengths(&mut self, associated_data: &[u8], buffer: &[u8]) -> Result<(), Error> {
        let aad_len = u64::try_from(associated_data.len()).map_err(|_| Error)?;
        let msg_len = u64::try_from(buffer.len()).map_err(|_| Error)?;

        let mut len_block = Array::default();
        len_block[..8].copy_from_slice(&aad_len.to_le_bytes());
        len_block[8..].copy_from_slice(&msg_len.to_le_bytes());
        self.mac.update(&[len_block]);

        Ok(())
    }

    /// Reject messages that would wrap ChaCha20's 32-bit block counter.
    ///
    /// Counter values 1..=u32::MAX are available for the message (block 0 is
    /// spent on the Poly1305 key). Anything accepted here needs at most
    /// `MAX_BLOCKS` blocks; a message of exactly `MAX_BLOCKS` full blocks is
    /// also refused, so the bound errs on the safe side.
    fn check_len(len: usize) -> Result<(), Error> {
        if len / BLOCK_SIZE >= MAX_BLOCKS {
            Err(Error)
        } else {
            Ok(())
        }
    }
}
-------------------------------------------------------------------------------- /chacha20poly1305/tests/data/wycheproof_chacha20poly1305.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/chacha20poly1305/tests/data/wycheproof_chacha20poly1305.blb -------------------------------------------------------------------------------- /chacha20poly1305/tests/data/wycheproof_xchacha20poly1305.blb:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/chacha20poly1305/tests/data/wycheproof_xchacha20poly1305.blb -------------------------------------------------------------------------------- /deoxys/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## 0.2.0 (UNRELEASED) 8 | ### Added 9 | - `rand_core` feature ([#467]) 10 | - `arrayvec` support ([#503]) 11 | 12 | ### Changed 13 | - Zeroize is now optional ([#644]) 14 | - Bump `aead` from `0.5` to `0.6` ([#583]) 15 | - Bump `aes` from `0.8` to `0.9` ([#583]) 16 | - Edition changed to 2024 and MSRV bumped to 1.85 ([#662]) 17 | - Relax MSRV policy and allow MSRV bumps in patch releases 18 | - `getrandom` feature renamed as `os_rng` ([#662]) 19 | 20 | ## Removed 21 | - `std` and `stream` features ([#662]) 22 | 23 | [#467]: https://github.com/RustCrypto/AEADs/pull/467 24 | [#503]: https://github.com/RustCrypto/AEADs/pull/503 25 | [#583]: https://github.com/RustCrypto/AEADs/pull/583 26 | [#644]: https://github.com/RustCrypto/AEADs/pull/644 27 | [#662]: https://github.com/RustCrypto/AEADs/pull/662 28 | 29 | ## 0.1.0 (2022-07-30) 30 | ### Added 31 | - `getrandom` feature ([#446]) 32 | 33 | ### Changed 34 | - Relax `subtle` and `zeroize` requirements ([#360]) 35 | - Rust 2021 edition upgrade; MSRV 1.56+ ([#435]) 36 | - Bump `aead` crate dependency to v0.5 ([#444]) 37 | - Bump `aes` dependency to v0.8 ([#450]) 38 | 39 | [#360]: https://github.com/RustCrypto/AEADs/pull/360 40 | [#435]: https://github.com/RustCrypto/AEADs/pull/435 41 | [#444]: https://github.com/RustCrypto/AEADs/pull/444 
42 | [#446]: https://github.com/RustCrypto/AEADs/pull/446 43 | [#450]: https://github.com/RustCrypto/AEADs/pull/450 44 | 45 | ## 0.0.2 (2021-07-20) 46 | ### Changed 47 | - Pin `zeroize` dependency to v1.3 and `subtle` to v2.4 ([#349]) 48 | 49 | [#349]: https://github.com/RustCrypto/AEADs/pull/349 50 | 51 | ## 0.0.1 (2021-06-26) 52 | - Initial release 53 | -------------------------------------------------------------------------------- /deoxys/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "deoxys" 3 | version = "0.2.0-pre" 4 | description = """ 5 | Pure Rust implementation of the Deoxys Authenticated Encryption with Associated 6 | Data (AEAD) cipher, including the Deoxys-II variant which was selected by the 7 | CAESAR competition as the first choice for in-depth security 8 | """ 9 | authors = ["RustCrypto Developers, zer0x64"] 10 | license = "Apache-2.0 OR MIT" 11 | documentation = "https://docs.rs/deoxys" 12 | homepage = "https://github.com/RustCrypto/AEADs/tree/master/deoxys" 13 | repository = "https://github.com/RustCrypto/AEADs" 14 | keywords = ["aead", "deoxys", "deoxys-i", "deoxys-ii"] 15 | categories = ["cryptography", "no-std"] 16 | readme = "README.md" 17 | edition = "2024" 18 | rust-version = "1.85" 19 | 20 | [dependencies] 21 | aead = { version = "0.6.0-rc.1", default-features = false } 22 | aes = { version = "0.9.0-rc.0", features = ["hazmat"], default-features = false } 23 | subtle = { version = "2", default-features = false } 24 | zeroize = { version = "1", optional = true, default-features = false } 25 | 26 | [dev-dependencies] 27 | aead = { version = "0.6.0-rc.1", features = ["dev"], default-features = false } 28 | hex-literal = "1" 29 | 30 | [features] 31 | default = ["alloc", "os_rng"] 32 | alloc = ["aead/alloc"] 33 | arrayvec = ["aead/arrayvec"] 34 | bytes = ["aead/bytes"] 35 | os_rng = ["aead/os_rng", "rand_core"] 36 | heapless = ["aead/heapless"] 37 | rand_core = 
["aead/rand_core"] 38 | 39 | [package.metadata.docs.rs] 40 | all-features = true 41 | rustdoc-args = ["--cfg", "docsrs"] 42 | -------------------------------------------------------------------------------- /deoxys/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2021 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 
26 | -------------------------------------------------------------------------------- /deoxys/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: Deoxys Cipher 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the [Deoxys][1] 11 | [Authenticated Encryption with Associated Data (AEAD)][2] cipher, 12 | including the [Deoxys-II][3] variant which was selected by the 13 | [CAESAR competition][4] as the best choice for in-depth security. 14 | 15 | [Documentation][docs-link] 16 | 17 | ## Security Notes 18 | 19 | This crate has *NOT* received any security audit. 20 | 21 | Although encryption and decryption passes the test vector, there is no guarantee 22 | of constant-time operation. 23 | 24 | **USE AT YOUR OWN RISK.** 25 | 26 | ## License 27 | 28 | Licensed under either of: 29 | 30 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 31 | * [MIT license](http://opensource.org/licenses/MIT) 32 | 33 | at your option. 34 | 35 | ### Contribution 36 | 37 | Unless you explicitly state otherwise, any contribution intentionally submitted 38 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 39 | dual licensed as above, without any additional terms or conditions. 
40 | 41 | [//]: # (badges) 42 | 43 | [crate-image]: https://img.shields.io/crates/v/deoxys 44 | [crate-link]: https://crates.io/crates/deoxys 45 | [docs-image]: https://docs.rs/deoxys/badge.svg 46 | [docs-link]: https://docs.rs/deoxys/ 47 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 48 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 49 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 50 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 51 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/deoxys/badge.svg?branch=master&event=push 52 | [build-link]: https://github.com/RustCrypto/AEADs/actions 53 | 54 | [//]: # (general links) 55 | 56 | [1]: https://sites.google.com/view/deoxyscipher 57 | [2]: https://en.wikipedia.org/wiki/Authenticated_encryption 58 | [3]: https://competitions.cr.yp.to/round3/deoxysv141.pdf 59 | [4]: https://competitions.cr.yp.to/index.html 60 | -------------------------------------------------------------------------------- /deoxys/src/deoxys_bc.rs: -------------------------------------------------------------------------------- 1 | use aead::{ 2 | array::{Array, ArraySize}, 3 | consts::{U15, U16, U17, U32, U48}, 4 | }; 5 | 6 | use crate::{DeoxysBcType, DeoxysKey, Tweak}; 7 | 8 | const H_PERM: [u8; 16] = [1, 6, 11, 12, 5, 10, 15, 0, 9, 14, 3, 4, 13, 2, 7, 8]; 9 | 10 | macro_rules! 
gen_rcon { 11 | ($value:expr) => { 12 | [ 13 | 1, 2, 4, 8, $value, $value, $value, $value, 0, 0, 0, 0, 0, 0, 0, 0, 14 | ] 15 | }; 16 | } 17 | 18 | const RCON: [[u8; 16]; 17] = [ 19 | gen_rcon!(0x2f), 20 | gen_rcon!(0x5e), 21 | gen_rcon!(0xbc), 22 | gen_rcon!(0x63), 23 | gen_rcon!(0xc6), 24 | gen_rcon!(0x97), 25 | gen_rcon!(0x35), 26 | gen_rcon!(0x6a), 27 | gen_rcon!(0xd4), 28 | gen_rcon!(0xb3), 29 | gen_rcon!(0x7d), 30 | gen_rcon!(0xfa), 31 | gen_rcon!(0xef), 32 | gen_rcon!(0xc5), 33 | gen_rcon!(0x91), 34 | gen_rcon!(0x39), 35 | gen_rcon!(0x72), 36 | ]; 37 | 38 | /// Implementation of the Deoxys-BC256 block cipher 39 | pub struct DeoxysBc256; 40 | 41 | /// Implementation of the Deoxys-BC384 block cipher 42 | pub struct DeoxysBc384; 43 | 44 | pub trait DeoxysBcInternal { 45 | type SubkeysSize: ArraySize; 46 | type TweakKeySize: ArraySize; 47 | 48 | fn key_schedule( 49 | tweak: &Tweak, 50 | subkeys: &Array, 51 | ) -> Array { 52 | let mut subtweakeys: Array = Default::default(); 53 | let mut tweak = *tweak; 54 | 55 | // First key 56 | for (i, (s, t)) in tweak.iter().zip(subkeys[0].iter()).enumerate() { 57 | subtweakeys[0][i] = s ^ t 58 | } 59 | 60 | // Other keys 61 | for (stk, sk) in subtweakeys[1..].iter_mut().zip(subkeys[1..].iter()) { 62 | h_substitution((&mut tweak).into()); 63 | 64 | for i in 0..16 { 65 | stk[i] = sk[i] ^ tweak[i]; 66 | } 67 | } 68 | 69 | subtweakeys 70 | } 71 | } 72 | 73 | impl DeoxysBcInternal for DeoxysBc256 { 74 | type SubkeysSize = U15; 75 | type TweakKeySize = U32; 76 | } 77 | 78 | impl DeoxysBcType for DeoxysBc256 { 79 | type KeySize = U16; 80 | 81 | fn precompute_subkeys(key: &Array) -> Array { 82 | let mut subkeys: Array = Default::default(); 83 | 84 | let mut tk2 = [0u8; 16]; 85 | 86 | tk2.copy_from_slice(key); 87 | 88 | // First key 89 | let rcon = RCON[0]; 90 | 91 | for i in 0..16 { 92 | subkeys[0][i] = tk2[i] ^ rcon[i]; 93 | } 94 | 95 | // Other keys 96 | for (index, subkey) in subkeys[1..].iter_mut().enumerate() { 97 | 
h_substitution(&mut tk2); 98 | lfsr2(&mut tk2); 99 | 100 | let rcon = RCON[index + 1]; 101 | 102 | for i in 0..16 { 103 | subkey[i] = tk2[i] ^ rcon[i]; 104 | } 105 | } 106 | 107 | subkeys 108 | } 109 | } 110 | 111 | impl DeoxysBcInternal for DeoxysBc384 { 112 | type SubkeysSize = U17; 113 | type TweakKeySize = U48; 114 | } 115 | 116 | impl DeoxysBcType for DeoxysBc384 { 117 | type KeySize = U32; 118 | 119 | fn precompute_subkeys(key: &Array) -> Array { 120 | let mut subkeys: Array = Default::default(); 121 | 122 | let mut tk3 = [0u8; 16]; 123 | let mut tk2 = [0u8; 16]; 124 | 125 | tk3.copy_from_slice(&key[..16]); 126 | tk2.copy_from_slice(&key[16..]); 127 | 128 | // First key 129 | let rcon = RCON[0]; 130 | 131 | for i in 0..16 { 132 | subkeys[0][i] = tk3[i] ^ tk2[i] ^ rcon[i]; 133 | } 134 | 135 | // Other keys 136 | for (index, subkey) in subkeys[1..].iter_mut().enumerate() { 137 | h_substitution(&mut tk2); 138 | lfsr2(&mut tk2); 139 | h_substitution(&mut tk3); 140 | lfsr3(&mut tk3); 141 | 142 | let rcon = RCON[index + 1]; 143 | 144 | for i in 0..16 { 145 | subkey[i] = tk3[i] ^ tk2[i] ^ rcon[i]; 146 | } 147 | } 148 | 149 | subkeys 150 | } 151 | } 152 | 153 | fn h_substitution(tk: &mut [u8; 16]) { 154 | let mut result = [0u8; 16]; 155 | 156 | for i in 0..16 { 157 | result[i] = tk[H_PERM[i] as usize]; 158 | } 159 | 160 | tk.copy_from_slice(&result); 161 | } 162 | 163 | fn lfsr2(tk: &mut [u8; 16]) { 164 | let mut data = u128::from_ne_bytes(*tk); 165 | data = ((data << 1) & 0xFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFE) 166 | | (((data >> 7) ^ (data >> 5)) & 0x01010101010101010101010101010101); 167 | 168 | tk.copy_from_slice(&data.to_ne_bytes()) 169 | } 170 | 171 | fn lfsr3(tk: &mut [u8; 16]) { 172 | let mut data = u128::from_ne_bytes(*tk); 173 | data = ((data >> 1) & 0x7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F) 174 | | (((data << 7) ^ (data << 1)) & 0x80808080808080808080808080808080); 175 | 176 | tk.copy_from_slice(&data.to_ne_bytes()) 177 | } 178 | 
-------------------------------------------------------------------------------- /eax/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## 0.6.0 (UNRELEASED) 8 | ### Added 9 | - `rand_core` feature ([#467]) 10 | - `arrayvec` support ([#503]) 11 | 12 | ### Changed 13 | - Bump `aead` from `0.5` to `0.6` ([#583]) 14 | - Bump `cipher` from `0.4` to `0.5` ([#583]) 15 | - Bump `cmac` from `0.8` to `0.9` ([#583]) 16 | - Bump `ctr` from `0.9` to `0.10` ([#583]) 17 | - Edition changed to 2024 and MSRV bumped to 1.85 ([#662]) 18 | - Relax MSRV policy and allow MSRV bumps in patch releases 19 | - `getrandom` feature renamed as `os_rng` ([#662]) 20 | 21 | ## Removed 22 | - `std` and `stream` features ([#662]) 23 | 24 | [#467]: https://github.com/RustCrypto/AEADs/pull/467 25 | [#503]: https://github.com/RustCrypto/AEADs/pull/503 26 | [#583]: https://github.com/RustCrypto/AEADs/pull/583 27 | [#662]: https://github.com/RustCrypto/AEADs/pull/662 28 | 29 | ## 0.5.0 (2022-07-30) 30 | ### Added 31 | - `getrandom` feature ([#446]) 32 | 33 | ### Changed 34 | - Relax `subtle` and `zeroize` requirements ([#360]) 35 | - Rust 2021 edition upgrade; MSRV 1.56+ ([#435]) 36 | - Bump `aead` crate dependency to v0.5 ([#444]) 37 | - Bump `cipher` to v0.4 ([#451]) 38 | 39 | [#360]: https://github.com/RustCrypto/AEADs/pull/360 40 | [#435]: https://github.com/RustCrypto/AEADs/pull/435 41 | [#444]: https://github.com/RustCrypto/AEADs/pull/444 42 | [#446]: https://github.com/RustCrypto/AEADs/pull/446 43 | [#451]: https://github.com/RustCrypto/AEADs/pull/451 44 | 45 | ## 0.4.1 (2021-07-20) 46 | ### Changed 47 | - Pin `subtle` dependency to v2.4 ([#349]) 48 | 49 | [#349]: 
https://github.com/RustCrypto/AEADs/pull/349 50 | 51 | ## 0.4.0 (2021-04-29) 52 | ### Added 53 | - Allow variable tag length ([#231]) 54 | 55 | ### Changed 56 | - Bump `aead` crate dependency to v0.4 ([#270]) 57 | - Bump `aes` and `ctr` crate dependencies to v0.7 ([#283]) 58 | - Bump `cmac` and `pmac` deps to v0.6 releases ([#285]) 59 | 60 | [#231]: https://github.com/RustCrypto/AEADs/pull/231 61 | [#270]: https://github.com/RustCrypto/AEADs/pull/270 62 | [#283]: https://github.com/RustCrypto/AEADs/pull/283 63 | [#285]: https://github.com/RustCrypto/AEADs/pull/285 64 | 65 | ## 0.3.0 (2020-10-16) 66 | ### Changed 67 | - Replace `block-cipher`/`stream-cipher` with `cipher` crate ([#229]) 68 | 69 | [#229]: https://github.com/RustCrypto/AEADs/pull/229 70 | 71 | ## 0.2.0 (2020-09-30 72 | ### Added 73 | - API for online encryption/decryption ([#214]) 74 | - Optional `std` feature; disabled by default ([#217]) 75 | 76 | ### Changed 77 | - Use `aead` crate; MSRV 1.41+ 78 | - Upgrade `aes` to v0.5, `block-cipher` to v0.8, `cmac` to v0.4, `ctr` to v0.5 ([#209]) 79 | 80 | [#217]: https://github.com/RustCrypto/AEADs/pull/217 81 | [#214]: https://github.com/RustCrypto/AEADs/pull/214 82 | [#209]: https://github.com/RustCrypto/AEADs/pull/209 83 | 84 | ## 0.1.0 (2019-03-29) 85 | - Initial release 86 | -------------------------------------------------------------------------------- /eax/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "eax" 3 | version = "0.6.0-pre" 4 | description = """ 5 | Pure Rust implementation of the EAX 6 | Authenticated Encryption with Associated Data (AEAD) Cipher 7 | with optional architecture-specific hardware acceleration 8 | 9 | This scheme is only based on a block cipher. It uses counter mode (CTR) for 10 | encryption and CBC mode for generating a OMAC/CMAC/CBCMAC (all names for the same thing). 
11 | """ 12 | authors = ["RustCrypto Developers"] 13 | edition = "2024" 14 | license = "Apache-2.0 OR MIT" 15 | readme = "README.md" 16 | documentation = "https://docs.rs/eax" 17 | repository = "https://github.com/RustCrypto/AEADs" 18 | keywords = ["aead", "aes", "encryption"] 19 | categories = ["cryptography", "no-std"] 20 | rust-version = "1.85" 21 | 22 | [dependencies] 23 | aead = { version = "0.6.0-rc.1", default-features = false } 24 | cipher = "0.5.0-rc.0" 25 | cmac = "0.8.0-rc.0" 26 | ctr = "0.10.0-rc.0" 27 | subtle = { version = "2", default-features = false } 28 | 29 | [dev-dependencies] 30 | aead = { version = "0.6.0-rc.1", features = ["dev"], default-features = false } 31 | aes = "0.9.0-rc.0" 32 | 33 | [features] 34 | default = ["alloc", "os_rng"] 35 | alloc = ["aead/alloc"] 36 | arrayvec = ["aead/arrayvec"] 37 | bytes = ["aead/bytes"] 38 | os_rng = ["aead/os_rng", "rand_core"] 39 | heapless = ["aead/heapless"] 40 | rand_core = ["aead/rand_core"] 41 | 42 | [package.metadata.docs.rs] 43 | all-features = true 44 | rustdoc-args = ["--cfg", "docsrs"] 45 | -------------------------------------------------------------------------------- /eax/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2020 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 
16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /eax/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: EAX 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the EAX 11 | [Authenticated Encryption with Associated Data (AEAD)][1] cipher. 12 | 13 | [Documentation][docs-link] 14 | 15 | ## License 16 | 17 | Licensed under either of: 18 | 19 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 20 | * [MIT license](http://opensource.org/licenses/MIT) 21 | 22 | at your option. 23 | 24 | ### Contribution 25 | 26 | Unless you explicitly state otherwise, any contribution intentionally submitted 27 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 28 | dual licensed as above, without any additional terms or conditions. 
29 | 30 | [//]: # (badges) 31 | 32 | [crate-image]: https://img.shields.io/crates/v/eax 33 | [crate-link]: https://crates.io/crates/eax 34 | [docs-image]: https://docs.rs/eax/badge.svg 35 | [docs-link]: https://docs.rs/eax/ 36 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 37 | [rustc-image]: https://img.shields.io/badge/rustc-1.81+-blue.svg 38 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 39 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 40 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/eax/badge.svg?branch=master&event=push 41 | [build-link]: https://github.com/RustCrypto/AEADs/actions 42 | 43 | [//]: # (general links) 44 | 45 | [1]: https://en.wikipedia.org/wiki/Authenticated_encryption 46 | -------------------------------------------------------------------------------- /eax/src/traits.rs: -------------------------------------------------------------------------------- 1 | use aead::array::ArraySize; 2 | use aead::array::typenum::Unsigned; 3 | use aead::array::typenum::type_operators::{IsGreaterOrEqual, IsLessOrEqual}; 4 | use aead::consts::{U4, U16}; 5 | 6 | mod private { 7 | // Sealed traits stop other crates from implementing any traits that use it. 8 | pub trait SealedTag {} 9 | 10 | impl SealedTag for T where 11 | T: super::IsGreaterOrEqual + super::IsLessOrEqual 12 | { 13 | } 14 | } 15 | 16 | pub trait TagSize: ArraySize + Unsigned + private::SealedTag {} 17 | 18 | impl TagSize for T where T: ArraySize + IsGreaterOrEqual + IsLessOrEqual {} 19 | -------------------------------------------------------------------------------- /eax/tests/aes128eax.rs: -------------------------------------------------------------------------------- 1 | //! Test vectors from Appendix G: 2 | //! 
https://web.cs.ucdavis.edu/~rogaway/papers/eax.pdf 3 | #![cfg(feature = "alloc")] 4 | 5 | use aes::Aes128; 6 | use eax::Eax; 7 | 8 | aead::new_test!(aes128eax, "aes128eax", Eax); 9 | -------------------------------------------------------------------------------- /eax/tests/common/mod.rs: -------------------------------------------------------------------------------- 1 | //! Common functionality shared by tests 2 | 3 | /// Test vectors 4 | #[derive(Debug)] 5 | pub struct TestVector { 6 | pub key: &'static K, 7 | pub nonce: &'static [u8; 16], 8 | pub aad: &'static [u8], 9 | pub plaintext: &'static [u8], 10 | pub ciphertext: &'static [u8], 11 | } 12 | 13 | #[macro_export] 14 | macro_rules! tests { 15 | ($aead:ty, $vectors:expr) => { 16 | #[test] 17 | fn encrypt() { 18 | for vector in $vectors { 19 | let key = Array::from_slice(vector.key); 20 | let nonce = Array::from_slice(vector.nonce); 21 | let payload = Payload { 22 | msg: vector.plaintext, 23 | aad: vector.aad, 24 | }; 25 | 26 | let cipher = <$aead>::new(key); 27 | let ciphertext = cipher.encrypt(nonce, payload).unwrap(); 28 | assert_eq!(vector.ciphertext, ciphertext); 29 | } 30 | } 31 | 32 | #[test] 33 | fn decrypt() { 34 | for vector in $vectors { 35 | let key = Array::from_slice(vector.key); 36 | let nonce = Array::from_slice(vector.nonce); 37 | let ciphertext = Vec::from(vector.ciphertext); 38 | 39 | let payload = Payload { 40 | msg: &ciphertext, 41 | aad: vector.aad, 42 | }; 43 | 44 | let cipher = <$aead>::new(key); 45 | let plaintext = cipher.decrypt(nonce, payload).unwrap(); 46 | 47 | assert_eq!(vector.plaintext, plaintext.as_slice()); 48 | } 49 | } 50 | 51 | #[test] 52 | fn decrypt_modified() { 53 | let vector = &$vectors[0]; 54 | let key = Array::from_slice(vector.key); 55 | let nonce = Array::from_slice(vector.nonce); 56 | 57 | let mut ciphertext = Vec::from(vector.ciphertext); 58 | 59 | // Tweak the first byte 60 | ciphertext[0] ^= 0xaa; 61 | 62 | let payload = Payload { 63 | msg: &ciphertext, 64 | 
aad: vector.aad, 65 | }; 66 | 67 | let cipher = <$aead>::new(key); 68 | assert!(cipher.decrypt(nonce, payload).is_err()); 69 | 70 | // TODO(tarcieri): test ciphertext is unmodified in in-place API 71 | } 72 | }; 73 | } 74 | -------------------------------------------------------------------------------- /eax/tests/data/aes128eax.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/eax/tests/data/aes128eax.blb -------------------------------------------------------------------------------- /mgm/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 6 | 7 | ## 0.4.6 (2021-09-01) 8 | ### Added 9 | - Target feature autodetection on x86(-64) targets ([#371]) 10 | 11 | [#371]: https://github.com/RustCrypto/AEADs/pull/371 12 | 13 | ## 0.4.5 (2021-08-26) 14 | ### Added 15 | - Use parallel block encryption if possible ([#358]) 16 | 17 | [#358]: https://github.com/RustCrypto/AEADs/pull/358 18 | 19 | ## 0.4.4 (2021-08-24) 20 | ### Changed 21 | - Decrypt ciphertext only after tag verification ([#356]) 22 | 23 | [#356]: https://github.com/RustCrypto/AEADs/pull/356 24 | 25 | ## 0.4.3 (2021-07-20) 26 | ### Changed 27 | - Pin `subtle` dependency to v2.4 ([#349]) 28 | 29 | [#349]: https://github.com/RustCrypto/AEADs/pull/349 30 | 31 | ## 0.4.2 (2021-07-13) 32 | ### Added 33 | - Add support of 64 bit block ciphers ([#343]) 34 | 35 | [#343]: https://github.com/RustCrypto/AEADs/pull/343 36 | 37 | ## 0.4.1 (2021-05-20) 38 | ### Changed 39 | - Remove unnecessary `NewBlockCipher` bounds ([#314]) 40 | 41 | [#314]: https://github.com/RustCrypto/AEADs/pull/314 42 
| 43 | ## 0.4.0 (2021-04-29) 44 | ### Changed 45 | - Bump `aead` dependency to v0.4.0 release ([#270]) 46 | 47 | [#270]: https://github.com/RustCrypto/AEADs/pull/270 48 | 49 | ## 0.3.0 (2020-10-16) 50 | ### Changed 51 | - Replace `block-cipher`/`stream-cipher` with `cipher` crate ([#229]) 52 | 53 | [#229]: https://github.com/RustCrypto/AEADs/pull/229 54 | 55 | ## 0.2.1 (2020-08-14) 56 | ### Added 57 | - `Clone` and `fmt::Debug` trait implementations ([#192]) 58 | 59 | [192]: https://github.com/RustCrypto/AEADs/pull/192 60 | 61 | ## 0.2.0 (2020-08-12) 62 | ### Changed 63 | - Bump `block-cipher` crate dependency to v0.8 ([#191]) 64 | 65 | ### Added 66 | - `From` trait implementation ([#191]) 67 | 68 | [191]: https://github.com/RustCrypto/AEADs/pull/191 69 | 70 | ## 0.1.1 (2020-08-01) 71 | - Fix README ([#187]) 72 | 73 | [187]: https://github.com/RustCrypto/AEADs/pull/187 74 | 75 | ## 0.1.0 (2020-08-01) 76 | - Initial release 77 | -------------------------------------------------------------------------------- /mgm/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | 3 | [package] 4 | name = "mgm" 5 | version = "0.5.0-pre.1" 6 | description = "Generic implementation of the Multilinear Galois Mode (MGM) cipher" 7 | authors = ["RustCrypto Developers"] 8 | edition = "2021" 9 | license = "Apache-2.0 OR MIT" 10 | readme = "README.md" 11 | documentation = "https://docs.rs/mgm" 12 | homepage = "https://github.com/RustCrypto/AEADs/tree/master/mgm" 13 | repository = "https://github.com/RustCrypto/AEADs" 14 | categories = ["cryptography", "no-std"] 15 | keywords = ["encryption", "aead"] 16 | rust-version = "1.81" 17 | 18 | [dependencies] 19 | aead = { version = "0.5", default-features = false } 20 | cipher = "0.3" 21 | subtle = { version = "2", default-features = false } 22 | cfg-if = "1" 23 | 24 | [target.'cfg(any(target_arch = "x86_64", target_arch = "x86"))'.dependencies] 25 | cpufeatures = "0.2" 26 | 27 | 
[dev-dependencies] 28 | aead = { version = "0.5", features = ["dev"], default-features = false } 29 | kuznyechik = "0.7" 30 | magma = "0.7" 31 | hex-literal = "0.2" 32 | 33 | [features] 34 | default = ["alloc", "getrandom"] 35 | std = ["aead/std", "alloc"] 36 | alloc = ["aead/alloc"] 37 | arrayvec = ["aead/arrayvec"] 38 | bytes = ["aead/bytes"] 39 | getrandom = ["aead/getrandom", "rand_core"] 40 | heapless = ["aead/heapless"] 41 | rand_core = ["aead/rand_core"] 42 | stream = ["aead/stream"] 43 | force-soft = [] # Disable support for hardware intrinsics 44 | -------------------------------------------------------------------------------- /mgm/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2020 The RustCrypto Project Developers 2 | Copyright (c) 2020 Artyom Pavlov 3 | 4 | Permission is hereby granted, free of charge, to any 5 | person obtaining a copy of this software and associated 6 | documentation files (the "Software"), to deal in the 7 | Software without restriction, including without 8 | limitation the rights to use, copy, modify, merge, 9 | publish, distribute, sublicense, and/or sell copies of 10 | the Software, and to permit persons to whom the Software 11 | is furnished to do so, subject to the following 12 | conditions: 13 | 14 | The above copyright notice and this permission notice 15 | shall be included in all copies or substantial portions 16 | of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 19 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 20 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 21 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 22 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 23 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 24 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 25 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 26 | DEALINGS IN THE SOFTWARE. 
27 | -------------------------------------------------------------------------------- /mgm/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: Multilinear Galois Mode 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the Multilinear Galois Mode ([MGM]): an 11 | Authenticated Encryption with Associated Data ([AEAD]) algorithm generic over 12 | block ciphers with block size equal to 128 bits. 13 | 14 | ## Security Notes 15 | 16 | No security audits of this crate have ever been performed, and it has not been 17 | thoroughly assessed to ensure its operation is constant-time on common CPU 18 | architectures. 19 | 20 | USE AT YOUR OWN RISK! 21 | 22 | ## License 23 | 24 | Licensed under either of: 25 | 26 | * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) 27 | * [MIT license](http://opensource.org/licenses/MIT) 28 | 29 | at your option. 30 | 31 | ### Contribution 32 | 33 | Unless you explicitly state otherwise, any contribution intentionally submitted 34 | for inclusion in the work by you, as defined in the Apache-2.0 license, shall be 35 | dual licensed as above, without any additional terms or conditions. 
36 | 37 | [//]: # (badges) 38 | 39 | [crate-image]: https://img.shields.io/crates/v/mgm 40 | [crate-link]: https://crates.io/crates/mgm 41 | [docs-image]: https://docs.rs/mgm/badge.svg 42 | [docs-link]: https://docs.rs/mgm 43 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 44 | [rustc-image]: https://img.shields.io/badge/rustc-1.81+-blue.svg 45 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 46 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 47 | [build-image]: https://github.com/RustCrypto/AEADs/workflows/mgm/badge.svg?branch=master&event=push 48 | [build-link]: https://github.com/RustCrypto/AEADs/actions 49 | 50 | [//]: # (general links) 51 | 52 | [RFC 3610]: https://tools.ietf.org/html/rfc3610 53 | [MGM]: https://eprint.iacr.org/2019/123.pdf 54 | [AEAD]: https://en.wikipedia.org/wiki/Authenticated_encryption 55 | -------------------------------------------------------------------------------- /mgm/benches/mod.rs: -------------------------------------------------------------------------------- 1 | #![feature(test)] 2 | extern crate test; 3 | 4 | use aead::{generic_array::GenericArray, AeadInPlace, KeyInit}; 5 | use hex_literal::hex; 6 | use kuznyechik::Kuznyechik; 7 | use mgm::Mgm; 8 | use test::Bencher; 9 | 10 | #[rustfmt::skip] 11 | const KEY: [u8; 32] = hex!(" 12 | 8899AABBCCDDEEFF0011223344556677 13 | FEDCBA98765432100123456789ABCDEF 14 | "); 15 | #[rustfmt::skip] 16 | const NONCE: [u8; 16] = hex!(" 17 | 1122334455667700FFEEDDCCBBAA9988 18 | "); 19 | 20 | #[bench] 21 | fn encrypt_aad_only_16kb(b: &mut Bencher) { 22 | let c = Mgm::::new(GenericArray::from_slice(&KEY)); 23 | let nonce = GenericArray::from_slice(&NONCE); 24 | let aad = vec![0; 16 * 1024]; 25 | let mut buf = []; 26 | 27 | b.iter(|| { 28 | let (aad, buf) = test::black_box((&aad, &mut buf)); 29 | let res = c.encrypt_in_place_detached(nonce, aad, buf).unwrap(); 30 | test::black_box(res); 31 | }); 32 | 33 | b.bytes = 16 
* 1024; 34 | } 35 | 36 | #[bench] 37 | fn encrypt_msg_only_16kb(b: &mut Bencher) { 38 | let c = Mgm::::new(GenericArray::from_slice(&KEY)); 39 | let nonce = GenericArray::from_slice(&NONCE); 40 | let aad = []; 41 | let mut buf = vec![0; 16 * 1024]; 42 | 43 | b.iter(|| { 44 | let (aad, buf) = test::black_box((&aad, &mut buf)); 45 | let res = c.encrypt_in_place_detached(nonce, aad, buf).unwrap(); 46 | test::black_box(res); 47 | }); 48 | 49 | b.bytes = 16 * 1024; 50 | } 51 | 52 | #[bench] 53 | fn decrypt_aad_only_16kb(b: &mut Bencher) { 54 | let c = Mgm::::new(GenericArray::from_slice(&KEY)); 55 | let nonce = GenericArray::from_slice(&NONCE); 56 | let aad = vec![0; 16 * 1024]; 57 | let mut buf = []; 58 | let tag = c.encrypt_in_place_detached(nonce, &aad, &mut []).unwrap(); 59 | 60 | #[allow(unused_must_use)] 61 | b.iter(|| { 62 | let (aad, buf, tag) = test::black_box((&aad, &mut buf, &tag)); 63 | let res = c.decrypt_in_place_detached(nonce, aad, buf, tag); 64 | test::black_box(res); 65 | }); 66 | 67 | b.bytes = 16 * 1024; 68 | } 69 | 70 | #[bench] 71 | fn decrypt_msg_only_16kb(b: &mut Bencher) { 72 | let c = Mgm::::new(GenericArray::from_slice(&KEY)); 73 | let nonce = GenericArray::from_slice(&NONCE); 74 | let aad = []; 75 | let mut buf = vec![0u8; 16 * 1024]; 76 | let tag = c.encrypt_in_place_detached(nonce, &aad, &mut buf).unwrap(); 77 | 78 | #[allow(unused_must_use)] 79 | b.iter(|| { 80 | let mut buf_cpy = buf.clone(); 81 | let (aad, buf, tag) = test::black_box((&aad, &mut buf_cpy, &tag)); 82 | let res = c.decrypt_in_place_detached(nonce, aad, buf, tag); 83 | test::black_box(res); 84 | }); 85 | 86 | b.bytes = 16 * 1024; 87 | } 88 | -------------------------------------------------------------------------------- /mgm/src/gf.rs: -------------------------------------------------------------------------------- 1 | use aead::generic_array::{ArrayLength, GenericArray}; 2 | 3 | mod utils; 4 | 5 | #[cfg(all( 6 | any(target_arch = "x86_64", target_arch = "x86"), 7 | 
not(feature = "force-soft") 8 | ))] 9 | pub(crate) mod gf128_pclmul; 10 | 11 | pub(crate) mod gf128_soft64; 12 | 13 | #[cfg(all( 14 | any(target_arch = "x86_64", target_arch = "x86"), 15 | not(feature = "force-soft") 16 | ))] 17 | pub(crate) mod gf64_pclmul; 18 | 19 | pub(crate) mod gf64_soft64; 20 | 21 | pub trait GfElement { 22 | type N: ArrayLength; 23 | 24 | fn new() -> Self; 25 | fn into_bytes(self) -> GenericArray; 26 | fn mul_sum(&mut self, a: &GenericArray, b: &GenericArray); 27 | } 28 | -------------------------------------------------------------------------------- /mgm/src/gf/gf128_pclmul.rs: -------------------------------------------------------------------------------- 1 | //! Carryless multiplication over GF(2^128) based on the PCLMULQDQ CPU intrinsics 2 | //! on `x86` and `x86_64` target architectures. 3 | //! 4 | //! More information can be found in the Intel whitepaper: 5 | //! https://software.intel.com/sites/default/files/managed/72/cc/clmul-wp-rev-2.02-2014-04-20.pdf 6 | use super::GfElement; 7 | use aead::{consts::U16, generic_array::GenericArray}; 8 | 9 | #[cfg(target_arch = "x86")] 10 | use core::arch::x86::*; 11 | #[cfg(target_arch = "x86_64")] 12 | use core::arch::x86_64::*; 13 | 14 | type Block = GenericArray; 15 | 16 | const BS_MASK1: i64 = 0x0001_0203_0405_0607; 17 | const BS_MASK2: i64 = 0x0809_0A0B_0C0D_0E0F; 18 | 19 | macro_rules! xor { 20 | ($e1:expr, $e2:expr $(,)?) => { 21 | _mm_xor_si128($e1, $e2) 22 | }; 23 | ($head:expr, $($tail:expr),* $(,)?) 
=> { 24 | _mm_xor_si128($head, xor!($($tail ,)*)) 25 | }; 26 | } 27 | 28 | pub struct Element(__m128i); 29 | 30 | impl GfElement for Element { 31 | type N = U16; 32 | 33 | #[inline(always)] 34 | fn new() -> Self { 35 | Self(unsafe { _mm_setzero_si128() }) 36 | } 37 | 38 | #[allow(clippy::many_single_char_names)] 39 | fn mul_sum(&mut self, a: &Block, b: &Block) { 40 | unsafe { 41 | let bs_mask = _mm_set_epi64x(BS_MASK1, BS_MASK2); 42 | 43 | let a = _mm_loadu_si128(a.as_ptr() as *const _); 44 | let b = _mm_loadu_si128(b.as_ptr() as *const _); 45 | let a = _mm_shuffle_epi8(a, bs_mask); 46 | let b = _mm_shuffle_epi8(b, bs_mask); 47 | 48 | // Multiply using Karatsuba multiplication 49 | let a2 = xor!(a, _mm_shuffle_epi32(a, 0x0E)); 50 | let b2 = xor!(b, _mm_shuffle_epi32(b, 0x0E)); 51 | let c = _mm_clmulepi64_si128(a, b, 0x11); 52 | let d = _mm_clmulepi64_si128(a, b, 0x00); 53 | let e = _mm_clmulepi64_si128(a2, b2, 0x00); 54 | let t = xor!(c, d, e); 55 | let v0 = d; 56 | let v1 = xor!(_mm_shuffle_epi32(d, 0x0E), t); 57 | let v2 = xor!(c, _mm_shuffle_epi32(t, 0x0E)); 58 | let v3 = _mm_shuffle_epi32(c, 0x0E); 59 | 60 | // reduce over polynominal f(w) = w^128 + w^7 + w^2 + w + 1 61 | let d = xor!( 62 | v2, 63 | _mm_srli_epi64(v3, 63), 64 | _mm_srli_epi64(v3, 62), 65 | _mm_srli_epi64(v3, 57) 66 | ); 67 | let lo = xor!( 68 | v0, 69 | d, 70 | _mm_slli_epi64(d, 1), 71 | _mm_slli_epi64(d, 2), 72 | _mm_slli_epi64(d, 7), 73 | ); 74 | let hi = xor!( 75 | v1, 76 | v3, 77 | _mm_slli_epi64(v3, 1), 78 | _mm_slli_epi64(v3, 2), 79 | _mm_slli_epi64(v3, 7), 80 | _mm_srli_epi64(d, 63), 81 | _mm_srli_epi64(d, 62), 82 | _mm_srli_epi64(d, 57), 83 | ); 84 | let res = _mm_unpacklo_epi64(lo, hi); 85 | 86 | self.0 = xor!(self.0, res); 87 | } 88 | } 89 | 90 | #[inline(always)] 91 | fn into_bytes(self) -> Block { 92 | unsafe { 93 | let bs_mask = _mm_set_epi64x(BS_MASK1, BS_MASK2); 94 | core::mem::transmute(_mm_shuffle_epi8(self.0, bs_mask)) 95 | } 96 | } 97 | } 98 | 
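--------------------------------------------------------------------------------
/mgm/src/gf/gf128_soft64.rs:
--------------------------------------------------------------------------------
//! Portable GF(2^128) multiplication built on 64-bit integer arithmetic.
//! Used on every target without PCLMULQDQ and whenever `force-soft` is set.
use super::{utils::bmul64, GfElement};
use aead::{consts::U16, generic_array::GenericArray};

/// GF(2^128) accumulator as two 64-bit limbs: `.0` is the high half (the
/// first eight block bytes), `.1` the low half.
pub struct Element(u64, u64);

type Block = GenericArray<u8, U16>;

impl GfElement for Element {
    type N = U16;

    #[inline(always)]
    fn new() -> Self {
        Self(0, 0)
    }

    /// Accumulates `a * b` in GF(2^128), reducing modulo `w^128 + w^7 + w^2 + w + 1`.
    ///
    /// The 128x128 -> 256-bit carry-less product is assembled from three
    /// 64x64 `bmul64` calls (Karatsuba). Correctness depends on `bmul64`
    /// returning the exact 128-bit carry-less product for every operand pair;
    /// a single wrong product bit silently yields a wrong tag.
    #[allow(clippy::many_single_char_names)]
    fn mul_sum(&mut self, a: &Block, b: &Block) {
        let [a1, a0] = from_block(a);
        let [b1, b0] = from_block(b);
        let a2 = a1 ^ a0;
        let b2 = b1 ^ b0;

        // Multiply using Karatsuba multiplication
        let c = bmul64(a1, b1); // hi * hi
        let d = bmul64(a0, b0); // lo * lo
        let e = bmul64(a2, b2); // (hi ^ lo) * (hi ^ lo)
        let t = c ^ d ^ e; // middle term: a1*b0 ^ a0*b1
        // Product = c*w^128 ^ t*w^64 ^ d, split into limbs v0 (lowest) .. v3.
        let v0 = d as u64;
        let v1 = ((d >> 64) ^ t) as u64;
        let v2 = (c ^ (t >> 64)) as u64;
        let v3 = (c >> 64) as u64;

        // reduce over polynomial f(w) = w^128 + w^7 + w^2 + w + 1:
        // fold v3 into v2/v1 (`d` is the updated v2), then `d` into v1/v0.
        let d = v2 ^ (v3 >> 63) ^ (v3 >> 62) ^ (v3 >> 57);
        self.1 ^= v0 ^ d ^ (d << 1) ^ (d << 2) ^ (d << 7);
        self.0 ^= v1 ^ v3 ^ (v3 << 1) ^ (v3 << 2) ^ (v3 << 7) ^ (d >> 63) ^ (d >> 62) ^ (d >> 57);
    }

    #[inline(always)]
    fn into_bytes(self) -> Block {
        let mut block = Block::default();
        block[..8].copy_from_slice(&self.0.to_be_bytes());
        block[8..].copy_from_slice(&self.1.to_be_bytes());
        block
    }
}

/// Splits a 16-byte big-endian block into `[high, low]` 64-bit limbs.
#[inline(always)]
fn from_block(block: &Block) -> [u64; 2] {
    let (a, b) = block.split_at(8);
    [
        u64::from_be_bytes(a.try_into().unwrap()),
        u64::from_be_bytes(b.try_into().unwrap()),
    ]
}
--------------------------------------------------------------------------------
/mgm/src/gf/gf64_pclmul.rs:
--------------------------------------------------------------------------------
//!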
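//! Carryless multiplication over GF(2^64) based on the PCLMULQDQ CPU intrinsics
//! on `x86` and `x86_64` target architectures.
//!
//! NOTE(review): `_mm_clmulepi64_si128` needs the `pclmulqdq` CPU feature,
//! but this module is compiled in on `target_arch` alone (see `gf.rs`). No
//! `#[target_feature]` attribute or runtime CPUID check is visible here, so
//! whatever selects this backend must guarantee the feature before `Element`
//! is used — confirm in the caller.

use super::GfElement;
use aead::{consts::U8, generic_array::GenericArray};

#[cfg(target_arch = "x86")]
use core::arch::x86::*;
#[cfg(target_arch = "x86_64")]
use core::arch::x86_64::*;

type Block = GenericArray<u8, U8>;

/// GF(2^64) accumulator.
pub struct Element(u64);

impl GfElement for Element {
    type N = U8;

    #[inline(always)]
    fn new() -> Self {
        Self(0)
    }

    /// Accumulates `a * b` in GF(2^64), reducing modulo `w^64 + w^4 + w^3 + w + 1`.
    ///
    /// Safety: relies on the caller only using this backend on CPUs with
    /// `pclmulqdq` (see the module note).
    #[allow(clippy::many_single_char_names)]
    fn mul_sum(&mut self, a: &Block, b: &Block) {
        let a = u64::from_be_bytes(a[..].try_into().unwrap());
        let b = u64::from_be_bytes(b[..].try_into().unwrap());
        // One 64x64 carry-less multiply. The 128-bit result is read back as
        // `[low, high]`: lane 0 of an `__m128i` is the least significant
        // qword on x86.
        let [d, e]: [u64; 2] = unsafe {
            let a = _mm_set_epi64x(0, a as i64);
            let b = _mm_set_epi64x(0, b as i64);
            let c = _mm_clmulepi64_si128(a, b, 0x00);
            core::mem::transmute(c)
        };

        // reduce over polynomial f(w) = w^64 + w^4 + w^3 + w + 1:
        // `t` is the high limb plus the overflow of its own fold, so one
        // final fold of `t` into `d` suffices.
        let t = e ^ (e >> 63) ^ (e >> 61) ^ (e >> 60);
        self.0 ^= d ^ t ^ (t << 1) ^ (t << 3) ^ (t << 4);
    }

    #[inline(always)]
    fn into_bytes(self) -> Block {
        let mut block = Block::default();
        block.copy_from_slice(&self.0.to_be_bytes());
        block
    }
}
--------------------------------------------------------------------------------
/mgm/src/gf/gf64_soft64.rs:
--------------------------------------------------------------------------------
//! Portable GF(2^64) multiplication built on 64-bit integer arithmetic.
//! Used on every target without PCLMULQDQ and whenever `force-soft` is set.
use super::{utils::bmul64, GfElement};
use aead::{consts::U8, generic_array::GenericArray};

/// GF(2^64) accumulator.
pub struct Element(u64);

type Block = GenericArray<u8, U8>;

impl GfElement for Element {
    type N = U8;

    #[inline(always)]
    fn new() -> Self {
        Self(0)
    }

    /// Accumulates `a * b` in GF(2^64), reducing modulo `w^64 + w^4 + w^3 + w + 1`.
    ///
    /// Mirrors the `pclmul` backend step for step; correctness depends on
    /// `bmul64` returning the exact 128-bit carry-less product.
    #[allow(clippy::many_single_char_names)]
    fn mul_sum(&mut self, a: &Block, b: &Block) {
        let a = from_block(a);
        let b = from_block(b);
        let c = bmul64(a, b);

        let d = c as u64; // low 64 bits of the product
        let e = (c >> 64) as u64; // high 64 bits, folded down below

        // reduce over polynomial f(w) = w^64 + w^4 + w^3 + w + 1
        let t = e ^ (e >> 63) ^ (e >> 61) ^ (e >> 60);
        self.0 ^= d ^ t ^ (t << 1) ^ (t << 3) ^ (t << 4);
    }

    #[inline(always)]
    fn into_bytes(self) -> Block {
        let mut block = Block::default();
        block.copy_from_slice(&self.0.to_be_bytes());
        block
    }
}

/// Reads an 8-byte big-endian block as a `u64`.
#[inline(always)]
fn from_block(block: &Block) -> u64 {
    u64::from_be_bytes(block[..].try_into().unwrap())
}
--------------------------------------------------------------------------------
/mgm/src/gf/utils.rs:
--------------------------------------------------------------------------------
#![allow(unused)]
use core::num::Wrapping;

/// Carry-less multiplication in GF(2)[X] of two 64-bit operands, built from
/// ordinary integer multiplications on bit-sliced operands with 3-bit "holes"
/// between the useful bits: the carries of an integer product land in a hole
/// and are masked out afterwards. That only holds while no digit sum reaches
/// 16 terms within the width that is kept, which bounds how wide a product
/// may be formed this way before the carries corrupt a result bit.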
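/// Returns the full 128-bit carry-less product `x ⊗ y` in GF(2)[X].
///
/// The low 64 bits come straight from `bmul64_lo`. For the high half, note
/// that bit-reversing both 64-bit operands bit-reverses the 127-bit product,
/// so `bmul64_lo(rev(x), rev(y))` holds the product's top bits in reversed
/// order; reversing that back and shifting right by one (bit 127 of a 64x64
/// product is always zero) yields bits 64..127.
///
/// Why not form the products directly in `u128`: the "holes" technique needs
/// every digit sum to stay below 16 for bits that are kept. In a full-width
/// product, bit 60 of `x0 * y0` (and the matching positions of the other
/// three pairings) can accumulate sixteen terms when both sliced operands are
/// all-ones; the carry then lands in result bit 64 and ripples into bit 68,
/// so e.g. `bmul64(u64::MAX, u64::MAX)` would not equal `0x5555…5555`. In a
/// 64-bit truncated product that carry leaves the word instead, which is what
/// makes the two-call construction below exact for all inputs. A wrong
/// product here silently produces a wrong (non-conforming) tag.
pub(super) fn bmul64(x: u64, y: u64) -> u128 {
    let lo = bmul64_lo(x, y);
    let hi = bmul64_lo(x.reverse_bits(), y.reverse_bits()).reverse_bits() >> 1;
    ((hi as u128) << 64) | (lo as u128)
}

/// Carry-less product of `x` and `y`, truncated to its low 64 bits.
///
/// Each operand is split into four bit-sliced parts (bits ≡ 0, 1, 2, 3 mod 4)
/// and each `x_i * y_j` is a plain wrapping integer product. Within 64 bits a
/// digit sums at most 15 terms — the only 16-term digit sits at bit 60..63
/// and its carry falls out of the word — so every carry stays inside the
/// 3-bit hole that follows its result bit and is removed by the final masks.
fn bmul64_lo(x: u64, y: u64) -> u64 {
    let x0 = Wrapping(x & 0x1111_1111_1111_1111);
    let x1 = Wrapping(x & 0x2222_2222_2222_2222);
    let x2 = Wrapping(x & 0x4444_4444_4444_4444);
    let x3 = Wrapping(x & 0x8888_8888_8888_8888);
    let y0 = Wrapping(y & 0x1111_1111_1111_1111);
    let y1 = Wrapping(y & 0x2222_2222_2222_2222);
    let y2 = Wrapping(y & 0x4444_4444_4444_4444);
    let y3 = Wrapping(y & 0x8888_8888_8888_8888);

    // Each z_k collects the pairings whose product bits land at positions
    // ≡ k (mod 4); XOR is the GF(2) addition, the masks drop the holes.
    let mut z0 = ((x0 * y0) ^ (x1 * y3) ^ (x2 * y2) ^ (x3 * y1)).0;
    let mut z1 = ((x0 * y1) ^ (x1 * y0) ^ (x2 * y3) ^ (x3 * y2)).0;
    let mut z2 = ((x0 * y2) ^ (x1 * y1) ^ (x2 * y0) ^ (x3 * y3)).0;
    let mut z3 = ((x0 * y3) ^ (x1 * y2) ^ (x2 * y1) ^ (x3 * y0)).0;

    z0 &= 0x1111_1111_1111_1111;
    z1 &= 0x2222_2222_2222_2222;
    z2 &= 0x4444_4444_4444_4444;
    z3 &= 0x8888_8888_8888_8888;

    z0 | z1 | z2 | z3
}
--------------------------------------------------------------------------------
/mgm/src/sealed.rs:
--------------------------------------------------------------------------------
use aead::{
    generic_array::{
        typenum::{U16, U8},
        ArrayLength, GenericArray,
    },
    Error,
};
use cipher::BlockCipher;

/// The pair of half-block counters used with block cipher `C`.
pub type Counter<C> = [<<C as BlockCipher>::BlockSize as Sealed>::Counter; 2];

/// Block-size-specific counter arithmetic, implemented for 128-bit (`U16`)
/// and 64-bit (`U8`) blocks. A block is treated as two big-endian halves
/// `[left, right]` that are incremented independently.
pub trait Sealed: ArrayLength<u8> {
    /// Integer type of one half-block counter.
    type Counter;

    /// Splits a block into its two big-endian halves.
    fn block2ctr(block: &GenericArray<u8, Self>) -> [Self::Counter; 2];
    /// Inverse of `block2ctr`.
    fn ctr2block(ctr: &[Self::Counter; 2]) -> GenericArray<u8, Self>;
    /// Increments the left half (wrapping).
    fn incr_l(ctr: &mut [Self::Counter; 2]);
    /// Increments the right half (wrapping).
    fn incr_r(ctr: &mut [Self::Counter; 2]);
    /// Encodes the bit lengths of the associated data and the payload as one
    /// block `[adata_bits, data_bits]`, failing if either does not fit.
    fn lengths2block(adata_len: usize, data_len: usize) -> Result<GenericArray<u8, Self>, Error>;
}

impl Sealed for U16 {
    type Counter = u64;

    #[inline(always)]
    fn block2ctr(block: &GenericArray<u8, Self>) -> [Self::Counter; 2] {
        let (a, b) = block.split_at(8);
        [
            u64::from_be_bytes(a.try_into().unwrap()),
            u64::from_be_bytes(b.try_into().unwrap()),
        ]
    }

    #[inline(always)]
    fn ctr2block(ctr: &[Self::Counter; 2]) -> GenericArray<u8, Self> {
        let a = ctr[0].to_be_bytes();
        let b = ctr[1].to_be_bytes();
        let mut block = GenericArray::<u8, Self>::default();
        block[..8].copy_from_slice(&a);
        block[8..].copy_from_slice(&b);
        block
    }

    // NOTE(review): wrap-around is silent; the per-message block limit that
    // keeps a counter from repeating is not enforced here and must come from
    // the caller (not visible in this file).
    #[inline(always)]
    fn incr_l(ctr: &mut [Self::Counter; 2]) {
        ctr[0] = ctr[0].wrapping_add(1);
    }

    #[inline(always)]
    fn incr_r(ctr: &mut [Self::Counter; 2]) {
        ctr[1] = ctr[1].wrapping_add(1);
    }

    /// `checked_mul(8)` guards the byte→bit conversion; the `usize`→`u64`
    /// conversion cannot fail where `usize` is at most 64 bits wide, but is
    /// kept symmetric with the `U8` impl so both reject out-of-range lengths
    /// with `Error` rather than truncating.
    #[inline(always)]
    fn lengths2block(adata_len: usize, data_len: usize) -> Result<GenericArray<u8, Self>, Error> {
        let adata_len = adata_len
            .checked_mul(8)
            .ok_or(Error)?
            .try_into()
            .map_err(|_| Error)?;
        let data_len = data_len
            .checked_mul(8)
            .ok_or(Error)?
            .try_into()
            .map_err(|_| Error)?;
        Ok(Self::ctr2block(&[adata_len, data_len]))
    }
}

impl Sealed for U8 {
    type Counter = u32;

    #[inline(always)]
    fn block2ctr(block: &GenericArray<u8, Self>) -> [Self::Counter; 2] {
        let (a, b) = block.split_at(4);
        [
            u32::from_be_bytes(a.try_into().unwrap()),
            u32::from_be_bytes(b.try_into().unwrap()),
        ]
    }

    #[inline(always)]
    fn ctr2block(ctr: &[Self::Counter; 2]) -> GenericArray<u8, Self> {
        let a = ctr[0].to_be_bytes();
        let b = ctr[1].to_be_bytes();
        let mut block = GenericArray::<u8, Self>::default();
        block[..4].copy_from_slice(&a);
        block[4..].copy_from_slice(&b);
        block
    }

    // NOTE(review): 32-bit halves wrap after 2^32 increments; see the `U16`
    // impl — the block limit must be enforced by the caller.
    #[inline(always)]
    fn incr_l(ctr: &mut [Self::Counter; 2]) {
        ctr[0] = ctr[0].wrapping_add(1);
    }

    #[inline(always)]
    fn incr_r(ctr: &mut [Self::Counter; 2]) {
        ctr[1] = ctr[1].wrapping_add(1);
    }

    /// Bit lengths must fit in `u32`, so any input of 2^29 bytes or more is
    /// rejected with `Error` (8 * 2^29 overflows 32 bits) instead of being
    /// encoded truncated into the length block.
    #[inline(always)]
    fn lengths2block(adata_len: usize, data_len: usize) -> Result<GenericArray<u8, Self>, Error> {
        let adata_len = adata_len
            .checked_mul(8)
            .ok_or(Error)?
            .try_into()
            .map_err(|_| Error)?;
        let data_len = data_len
            .checked_mul(8)
            .ok_or(Error)?
            .try_into()
            .map_err(|_| Error)?;
        Ok(Self::ctr2block(&[adata_len, data_len]))
    }
}
--------------------------------------------------------------------------------
/mgm/tests/bad_nonce.rs:
--------------------------------------------------------------------------------
//! Tests for nonce validity checks

#![cfg(feature = "alloc")]

use aead::{generic_array::GenericArray, Aead, KeyInit};
use mgm::Mgm;

/// Empty-message round trip under an all-zero key and nonce; a corrupted
/// ciphertext (here: the tag) must fail to decrypt; and a nonce whose
/// most-significant bit is set must be rejected by both `encrypt` and
/// `decrypt` (RFC 9058 derives the two initial counters from the nonce with
/// that bit fixed to 0 and 1, so a caller-supplied 1 there is invalid).
#[test]
fn kuznyechik_bad_nonce() {
    let key = GenericArray::from_slice(&[0u8; 32]);
    let mut nonce = GenericArray::clone_from_slice(&[0u8; 16]);
    let cipher = Mgm::<kuznyechik::Kuznyechik>::new(key);
    // Empty plaintext: the ciphertext consists of the tag only.
    let mut enc_data = cipher.encrypt(&nonce, &[][..]).unwrap();
    let res = cipher.decrypt(&nonce, &enc_data[..]);
    assert!(res.is_ok());
    // Flip one tag bit: authentication must fail.
    enc_data[0] ^= 0x80;
    let res = cipher.decrypt(&nonce, &enc_data[..]);
    assert!(res.is_err());

    // Set the nonce's top bit: invalid on both sides.
    nonce[0] ^= 0x80;
    let res = cipher.encrypt(&nonce, &[][..]);
    assert!(res.is_err());
    let res = cipher.decrypt(&nonce, &enc_data[..]);
    assert!(res.is_err());
}
--------------------------------------------------------------------------------
/mgm/tests/data/kuznyechik.blb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/mgm/tests/data/kuznyechik.blb
--------------------------------------------------------------------------------
/mgm/tests/data/magma.blb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/mgm/tests/data/magma.blb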
--------------------------------------------------------------------------------
/mgm/tests/rfc9058.rs:
--------------------------------------------------------------------------------
//! Test vectors from: https://datatracker.ietf.org/doc/html/rfc9058

#![cfg(feature = "alloc")]

aead::new_test!(kuznyechik, "kuznyechik", mgm::Mgm);
aead::new_test!(magma, "magma", mgm::Mgm);
--------------------------------------------------------------------------------
/ocb3/CHANGELOG.md:
--------------------------------------------------------------------------------
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## 0.2.0 (UNRELEASED)
### Changed
- Bump `aead` from `0.5` to `0.6` ([#583])
- Bump `cipher` from `0.4` to `0.5` ([#583])
- Bump `ctr` from `0.9` to `0.10` ([#583])
- Edition changed to 2024 and MSRV bumped to 1.85 ([#662])
- Relax MSRV policy and allow MSRV bumps in patch releases
- `getrandom` feature renamed as `os_rng` ([#662])

### Removed
- `std` and `stream` features ([#662])

[#583]: https://github.com/RustCrypto/AEADs/pull/583
[#662]: https://github.com/RustCrypto/AEADs/pull/662

## 0.1.0 (2024-03-07)
- Initial release
--------------------------------------------------------------------------------
/ocb3/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "ocb3"
version = "0.2.0-pre"
description = """
Pure Rust implementation of the Offset Codebook Mode v3 (OCB3) Authenticated Encryption with
Associated Data (AEAD) Cipher as described in RFC7253
"""
authors = ["RustCrypto Developers"]
edition = "2024"
license = "Apache-2.0 OR MIT"
| readme = "README.md" 12 | documentation = "https://docs.rs/ocb3" 13 | repository = "https://github.com/RustCrypto/AEADs" 14 | keywords = ["aead", "encryption", "ocb"] 15 | categories = ["cryptography", "no-std"] 16 | rust-version = "1.85" 17 | 18 | [dependencies] 19 | aead = { version = "0.6.0-rc.1", default-features = false } 20 | cipher = "0.5.0-rc.0" 21 | ctr = "0.10.0-rc.0" 22 | dbl = "0.4.0-rc.2" 23 | subtle = { version = "2", default-features = false } 24 | aead-stream = { version = "0.6.0-rc.0", optional = true, default-features = false } 25 | zeroize = { version = "1", optional = true, default-features = false } 26 | 27 | [dev-dependencies] 28 | aead = { version = "0.6.0-rc.0", features = ["dev"], default-features = false } 29 | aes = { version = "0.9.0-rc.0", default-features = false } 30 | hex-literal = "0.4" 31 | 32 | [features] 33 | default = ["alloc", "os_rng"] 34 | alloc = ["aead/alloc", "aead-stream?/alloc"] 35 | arrayvec = ["aead/arrayvec"] 36 | bytes = ["aead/bytes"] 37 | os_rng = ["aead/os_rng", "rand_core"] 38 | heapless = ["aead/heapless"] 39 | rand_core = ["aead/rand_core"] 40 | 41 | [package.metadata.docs.rs] 42 | all-features = true 43 | rustdoc-args = ["--cfg", "docsrs"] 44 | -------------------------------------------------------------------------------- /ocb3/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2023 The RustCrypto Project Developers 2 | 3 | Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 
14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /ocb3/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: OCB3 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the Offset Codebook Mode v3 (OCB3) 11 | [Authenticated Encryption with Associated Data (AEAD)][aead] cipher as described in [RFC7253]. 
[Documentation][docs-link]

## Example

```rust
use aes::Aes128;
use ocb3::{
    aead::{Aead, AeadCore, KeyInit, array::Array, rand_core::OsRng},
    consts::U12,
    Ocb3,
};

type Aes128Ocb3 = Ocb3<Aes128, U12>;

let key = Aes128::generate_key().unwrap();
let cipher = Aes128Ocb3::new(&key);
let nonce = Aes128Ocb3::generate_nonce().unwrap();
let ciphertext = cipher.encrypt(&nonce, b"plaintext message".as_ref()).unwrap();
let plaintext = cipher.decrypt(&nonce, ciphertext.as_ref()).unwrap();

assert_eq!(&plaintext, b"plaintext message");
```

## Security Notes

No security audits of this crate have ever been performed, and it has not been thoroughly assessed to ensure its operation is constant-time on common CPU architectures.

OCB3 is a nonce-based AEAD with no misuse resistance: reusing a nonce under the same key breaks both confidentiality and authenticity. The example above draws a fresh random 96-bit nonce per message; random nonces need a per-key message limit (the customary bound for 96-bit nonces is 2^32 messages), and RFC 7253 §5 additionally recommends re-keying well before 2^48 blocks have been processed under one key.

USE AT YOUR OWN RISK!

## License

Licensed under either of:

* [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
* [MIT license](http://opensource.org/licenses/MIT)

at your option.

### Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the Apache-2.0 license, shall be
dual licensed as above, without any additional terms or conditions.
56 | 57 | [//]: # (badges) 58 | 59 | [crate-image]: https://img.shields.io/crates/v/ocb3 60 | [crate-link]: https://crates.io/crates/ocb3 61 | [docs-image]: https://docs.rs/ocb3/badge.svg 62 | [docs-link]: https://docs.rs/ocb3/ 63 | [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg 64 | [rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg 65 | [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg 66 | [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs 67 | [build-image]: https://github.com/RustCrypto/AEADs/actions/workflows/ocb3.yml/badge.svg 68 | [build-link]: https://github.com/RustCrypto/AEADs/actions/workflows/ocb3.yml 69 | 70 | [//]: # (general links) 71 | 72 | [rfc7253]: https://datatracker.ietf.org/doc/rfc7253/ 73 | [aead]: https://en.wikipedia.org/wiki/Authenticated_encryption 74 | -------------------------------------------------------------------------------- /ocb3/tests/data/rfc7253_ocb_aes.blb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RustCrypto/AEADs/543c7a0b7a14e85cd53edc9c4b6e7788eb734bcd/ocb3/tests/data/rfc7253_ocb_aes.blb -------------------------------------------------------------------------------- /ocb3/tests/kats.rs: -------------------------------------------------------------------------------- 1 | #![allow(non_snake_case)] 2 | 3 | use aead::{ 4 | AeadInOut, KeyInit, 5 | consts::{U8, U12}, 6 | }; 7 | use aes::{Aes128, Aes192, Aes256}; 8 | use hex_literal::hex; 9 | use ocb3::{Array, Ocb3}; 10 | 11 | // Test vectors from https://www.rfc-editor.org/rfc/rfc7253.html#appendix-A 12 | aead::new_test!(rfc7253_ocb_aes, "rfc7253_ocb_aes", Aes128Ocb3); 13 | 14 | fn num2str96(num: usize) -> [u8; 12] { 15 | let num: u32 = num.try_into().unwrap(); 16 | let mut out = [0u8; 12]; 17 | out[8..12].copy_from_slice(&num.to_be_bytes()); 18 | out 19 | } 20 | 21 | /// Test vectors from Page 18 of 
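/// https://www.rfc-editor.org/rfc/rfc7253.html#appendix-A
///
/// Runs the RFC's "wider variety of inputs" procedure: for `i` in 0..128 it
/// encrypts (AAD = S, P = S), (AAD = empty, P = S) and (AAD = S, P = empty)
/// with S = `i` zero bytes under nonces 3i+1, 3i+2, 3i+3, concatenates every
/// ciphertext and tag, then checks the tag of an AAD-only encryption of that
/// concatenation under nonce 385 against `$expected`. `$taglen` is in bytes;
/// the RFC keys the procedure on TAGLEN in bits, hence the `8 *` when the
/// value is written into the last key byte.
macro_rules! rfc7253_wider_variety {
    ($ocb:tt, $keylen:tt, $taglen:expr, $expected:expr) => {
        let mut key_bytes = vec![0u8; $keylen];
        key_bytes[$keylen - 1] = 8 * $taglen; // taglen in bytes

        let key = <&Array<_, _>>::try_from(key_bytes.as_slice()).unwrap();
        let ocb = $ocb::new(key);

        let mut ciphertext = Vec::new();

        for i in 0..128 {
            // S = zeros(8i)
            let S = vec![0u8; i];

            // N = num2str(3i+1,96)
            // C = C || OCB-ENCRYPT(K,N,S,S)
            let N = num2str96(3 * i + 1);
            let mut buffer = S.clone();
            let tag = ocb
                .encrypt_inout_detached(
                    N.as_slice().try_into().unwrap(),
                    &S,
                    buffer.as_mut_slice().into(),
                )
                .unwrap();
            ciphertext.append(&mut buffer);
            ciphertext.append(&mut tag.as_slice().to_vec());

            // N = num2str(3i+2,96)
            // C = C || OCB-ENCRYPT(K,N,,S)
            let N = num2str96(3 * i + 2);
            let mut buffer = S.clone();
            let tag = ocb
                .encrypt_inout_detached(
                    N.as_slice().try_into().unwrap(),
                    &[],
                    buffer.as_mut_slice().into(),
                )
                .unwrap();
            ciphertext.append(&mut buffer);
            ciphertext.append(&mut tag.as_slice().to_vec());

            // N = num2str(3i+3,96)
            // C = C || OCB-ENCRYPT(K,N,S,)
            let N = num2str96(3 * i + 3);
            let tag = ocb
                .encrypt_inout_detached(N.as_slice().try_into().unwrap(), &S, (&mut [][..]).into())
                .unwrap();
            ciphertext.append(&mut tag.as_slice().to_vec());
        }
        // Total length = sum over i of (i + taglen) + (i + taglen) + taglen,
        // i.e. 16256 + 384 * taglen bytes; a mismatch means a block above
        // produced the wrong ciphertext or tag length.
        if $taglen == 16 {
            assert_eq!(ciphertext.len(), 22_400);
        } else if $taglen == 12 {
            assert_eq!(ciphertext.len(), 20_864);
        } else if $taglen == 8 {
            assert_eq!(ciphertext.len(), 19_328);
        } else {
            unreachable!();
        }

        // N = num2str(385,96)
        // Output : OCB-ENCRYPT(K,N,C,)
        let N = num2str96(385);
        let tag = ocb
            .encrypt_inout_detached(
                N.as_slice().try_into().unwrap(),
                &ciphertext,
                (&mut [][..]).into(),
            )
            .unwrap();

        assert_eq!(tag.as_slice(), hex!($expected))
    };
}

// More types for testing: `Ocb3<Cipher, NonceSize, TagSize>`, 96-bit nonces
// throughout, with 128-, 96- and 64-bit tags.
type Aes192Ocb3 = Ocb3<Aes192, U12>;
type Aes128Ocb3Tag96 = Ocb3<Aes128, U12, U12>;
type Aes192Ocb3Tag96 = Ocb3<Aes192, U12, U12>;
type Aes256Ocb3Tag96 = Ocb3<Aes256, U12, U12>;
type Aes128Ocb3Tag64 = Ocb3<Aes128, U12, U8>;
type Aes192Ocb3Tag64 = Ocb3<Aes192, U12, U8>;
type Aes256Ocb3Tag64 = Ocb3<Aes256, U12, U8>;
type Aes128Ocb3 = Ocb3<Aes128, U12>;
type Aes256Ocb3 = Ocb3<Aes256, U12>;

/// Test vectors from Page 18 of https://www.rfc-editor.org/rfc/rfc7253.html#appendix-A
///
/// One run per (key size, tag size) combination listed in the RFC; each run
/// pins the final tag only, so a failure identifies the combination but not
/// the offending block.
#[test]
fn rfc7253_more_sample_results() {
    rfc7253_wider_variety!(Aes128Ocb3, 16, 16, "67E944D23256C5E0B6C61FA22FDF1EA2");
    rfc7253_wider_variety!(Aes192Ocb3, 24, 16, "F673F2C3E7174AAE7BAE986CA9F29E17");
    rfc7253_wider_variety!(Aes256Ocb3, 32, 16, "D90EB8E9C977C88B79DD793D7FFA161C");
    rfc7253_wider_variety!(Aes128Ocb3Tag96, 16, 12, "77A3D8E73589158D25D01209");
    rfc7253_wider_variety!(Aes192Ocb3Tag96, 24, 12, "05D56EAD2752C86BE6932C5E");
    rfc7253_wider_variety!(Aes256Ocb3Tag96, 32, 12, "5458359AC23B0CBA9E6330DD");
    rfc7253_wider_variety!(Aes128Ocb3Tag64, 16, 8, "192C9B7BD90BA06A");
    rfc7253_wider_variety!(Aes192Ocb3Tag64, 24, 8, "0066BC6E0EF34E24");
    rfc7253_wider_variety!(Aes256Ocb3Tag64, 32, 8, "7D4EA5D445501CBE");
}
--------------------------------------------------------------------------------
/xaes-256-gcm/CHANGELOG.md:
--------------------------------------------------------------------------------
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).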
6 | 7 | ## 0.1.0 (TBD) 8 | - Initial release 9 | -------------------------------------------------------------------------------- /xaes-256-gcm/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "xaes-256-gcm" 3 | version = "0.0.1-pre.0" 4 | description = """ 5 | Pure Rust implementation of the XAES-256-GCM extended-nonce Authenticated 6 | Encryption with Associated Data (AEAD). 7 | """ 8 | authors = ["RustCrypto Developers"] 9 | edition = "2024" 10 | license = "Apache-2.0 OR MIT" 11 | readme = "README.md" 12 | documentation = "https://docs.rs/xaes-256-gcm" 13 | repository = "https://github.com/RustCrypto/AEADs" 14 | keywords = ["aead", "aes", "xaes", "encryption", "extended-nonce"] 15 | categories = ["cryptography", "no-std"] 16 | rust-version = "1.85" 17 | 18 | [dependencies] 19 | aead = { version = "0.6.0-rc.1", default-features = false } 20 | aes = "0.9.0-rc.0" 21 | aes-gcm = { version = "0.11.0-rc.0", default-features = false, features = ["aes"] } 22 | cipher = "0.5.0-rc.0" 23 | aead-stream = { version = "0.6.0-rc.0", optional = true, default-features = false } 24 | 25 | [dev-dependencies] 26 | aead = { version = "0.6.0-rc.1", features = ["dev"], default-features = false } 27 | hex-literal = "1" 28 | 29 | [features] 30 | default = ["alloc", "os_rng"] 31 | alloc = ["aead/alloc", "aead-stream?/alloc", "aes-gcm/alloc"] 32 | arrayvec = ["aead/arrayvec", "aes-gcm/arrayvec"] 33 | os_rng = ["aead/os_rng", "aes-gcm/os_rng", "rand_core"] 34 | heapless = ["aead/heapless", "aes-gcm/heapless"] 35 | rand_core = ["aead/rand_core", "aes-gcm/rand_core"] 36 | 37 | [package.metadata.docs.rs] 38 | all-features = true 39 | rustdoc-args = ["--cfg", "docsrs"] 40 | -------------------------------------------------------------------------------- /xaes-256-gcm/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2024 The RustCrypto Project Developers 2 | 3 | 
Permission is hereby granted, free of charge, to any 4 | person obtaining a copy of this software and associated 5 | documentation files (the "Software"), to deal in the 6 | Software without restriction, including without 7 | limitation the rights to use, copy, modify, merge, 8 | publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software 10 | is furnished to do so, subject to the following 11 | conditions: 12 | 13 | The above copyright notice and this permission notice 14 | shall be included in all copies or substantial portions 15 | of the Software. 16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF 18 | ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED 19 | TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 20 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 21 | SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 23 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR 24 | IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 25 | DEALINGS IN THE SOFTWARE. 26 | -------------------------------------------------------------------------------- /xaes-256-gcm/README.md: -------------------------------------------------------------------------------- 1 | # RustCrypto: XAES-256-GCM 2 | 3 | [![crate][crate-image]][crate-link] 4 | [![Docs][docs-image]][docs-link] 5 | ![Apache2/MIT licensed][license-image] 6 | ![Rust Version][rustc-image] 7 | [![Project Chat][chat-image]][chat-link] 8 | [![Build Status][build-image]][build-link] 9 | 10 | Pure Rust implementation of the [XAES-256-GCM][4] extended-nonce 11 | [Authenticated Encryption with Associated Data (AEAD)][1]. 12 | 13 | [Documentation][docs-link] 14 | ## Security Notes 15 | 16 | This crate has *NOT* received any security audit. 17 | 18 | Although encryption and decryption passes the test vector, there is no guarantee 19 | of constant-time operation. 
Nonce reuse under the same key is as catastrophic here as for any AEAD. The
extended 192-bit nonce is what makes XAES-256-GCM safe to use with randomly
generated nonces (plain AES-GCM's 96-bit nonce is not, without a per-key
message limit); it does not make reusing a nonce safe.

**USE AT YOUR OWN RISK.**

## License

Licensed under either of:

* [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
* [MIT license](http://opensource.org/licenses/MIT)

at your option.

### Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the Apache-2.0 license, shall be
dual licensed as above, without any additional terms or conditions.

[//]: # (badges)

[crate-image]: https://img.shields.io/crates/v/xaes-256-gcm
[crate-link]: https://crates.io/crates/xaes-256-gcm
[docs-image]: https://docs.rs/xaes-256-gcm/badge.svg
[docs-link]: https://docs.rs/xaes-256-gcm/
[license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg
[rustc-image]: https://img.shields.io/badge/rustc-1.85+-blue.svg
[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg
[chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260038-AEADs
[build-image]: https://github.com/RustCrypto/AEADs/actions/workflows/xaes-256-gcm.yml/badge.svg
[build-link]: https://github.com/RustCrypto/AEADs/actions/workflows/xaes-256-gcm.yml

[//]: # (general links)

[1]: https://en.wikipedia.org/wiki/Authenticated_encryption
[2]: https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-xaes-256-gcm-and-chacha20poly1305-implementation-review/
[3]: https://www.mobilecoin.com/
[4]: https://github.com/C2SP/C2SP/blob/main/XAES-256-GCM.md
--------------------------------------------------------------------------------
/xaes-256-gcm/tests/xaes256gcm.rs:
--------------------------------------------------------------------------------
//!
XAES-256-GCM test vectors 2 | 3 | #[macro_use] 4 | #[path = "../../aes-gcm/tests/common/mod.rs"] 5 | mod common; 6 | 7 | use aes_gcm::aead::{Aead, AeadInOut, KeyInit, Payload, array::Array}; 8 | use common::TestVector; 9 | use hex_literal::hex; 10 | use xaes_256_gcm::Xaes256Gcm; 11 | 12 | /// C2SP XAES-256-GCM test vectors 13 | /// 14 | /// 15 | const TEST_VECTORS: &[TestVector<[u8; 32], [u8; 24]>] = &[ 16 | TestVector { 17 | key: &hex!("0101010101010101010101010101010101010101010101010101010101010101"), 18 | nonce: b"ABCDEFGHIJKLMNOPQRSTUVWX", 19 | plaintext: b"XAES-256-GCM", 20 | aad: b"", 21 | ciphertext: &hex!("ce546ef63c9cc60765923609"), 22 | tag: &hex!("b33a9a1974e96e52daf2fcf7075e2271"), 23 | }, 24 | TestVector { 25 | key: &hex!("0303030303030303030303030303030303030303030303030303030303030303"), 26 | nonce: b"ABCDEFGHIJKLMNOPQRSTUVWX", 27 | plaintext: b"XAES-256-GCM", 28 | aad: b"c2sp.org/XAES-256-GCM", 29 | ciphertext: &hex!("986ec1832593df5443a17943"), 30 | tag: &hex!("7fd083bf3fdb41abd740a21f71eb769d"), 31 | }, 32 | ]; 33 | 34 | tests!(Xaes256Gcm, TEST_VECTORS); 35 | -------------------------------------------------------------------------------- /xsalsa20poly1305/README.md: -------------------------------------------------------------------------------- 1 | ## 🚨 DEPRECATED! 🚨 2 | 3 | Please switch to the `crypto_secretbox` crate: 4 | 5 | 6 | 7 | This crate is deprecated and will not receive further updates. 8 | --------------------------------------------------------------------------------