#include "api.h"
#include "ascon.h"
#include "permutations.h"
#include "printstate.h"

#include <string.h>

/*
 * Shared encrypt/decrypt core (defined elsewhere in the project).
 * Runs the Ascon permutation over ad and in, writing tlen bytes to out
 * and leaving the final state in *s so the caller can derive the tag;
 * mode selects encryption or decryption (e.g. ASCON_DECRYPT).
 */
void ascon_core(state_t* s,
                uint8_t* out,
                const uint8_t* in,
                uint64_t tlen,
                const uint8_t* ad,
                uint64_t adlen,
                const uint8_t* npub,
                const uint8_t* k,
                uint8_t mode);

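/**
 * Decrypt and verify an Ascon AEAD ciphertext.
 *
 * c holds the ciphertext followed by the authentication tag; the tag is
 * taken as the last CRYPTO_ABYTES bytes (the verification below reads two
 * 8-byte words at c + *mlen, so this assumes CRYPTO_ABYTES == 16 — confirm
 * against api.h).
 *
 * @param m     output buffer, receives clen - CRYPTO_ABYTES plaintext bytes
 * @param mlen  receives the plaintext length; set to 0 on any failure
 * @param nsec  unused (no secret nonce in this API)
 * @param c     ciphertext || tag
 * @param clen  length of c in bytes, including the tag
 * @param ad    associated data passed to ascon_core
 * @param adlen length of ad in bytes
 * @param npub  nonce passed to ascon_core
 * @param k     key passed to ascon_core
 * @return 0 on success; -1 if clen is shorter than the tag or the tag does
 *         not verify. On -1 the plaintext bytes written to m are zeroed, so
 *         unauthenticated plaintext is never handed back to the caller.
 */
int crypto_aead_decrypt(uint8_t* m, uint64_t* mlen, uint8_t* nsec,
                        const uint8_t* c, uint64_t clen, const uint8_t* ad,
                        uint64_t adlen, const uint8_t* npub, const uint8_t* k) {
  (void)nsec;
  /* input too short to even contain the tag */
  if (clen < CRYPTO_ABYTES) {
    *mlen = 0;
    return -1;
  }
  /* set plaintext size */
  *mlen = clen - CRYPTO_ABYTES;
  /* ascon decryption: the (not yet authenticated) plaintext lands in m */
  state_t s;
  ascon_core(&s, m, c, *mlen, ad, adlen, npub, k, ASCON_DECRYPT);
  /* verify tag (should be constant time, check compiler output) */
  s.x3 = XOR(s.x3, LOADBYTES(c + *mlen, 8));
  s.x4 = XOR(s.x4, LOADBYTES(c + *mlen + 8, 8));
  if (NOTZERO(s.x3, s.x4)) {
    /* tag mismatch: m already holds decrypted-but-unverified data, so
       clear it before reporting failure (m is caller-visible, so this
       store cannot be elided as dead) */
    memset(m, 0, (size_t)*mlen);
    *mlen = 0;
    return -1;
  }
  return 0;
}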