decrypt.c

#include "api.h"
#include "ascon.h"
#include "permutations.h"
#include "printstate.h"
#include "word.h"

int crypto_aead_decrypt(uint8_t* m, uint64_t* mlen, uint8_t* nsec,
                        const uint8_t* c, uint64_t clen, const uint8_t* ad,
                        uint64_t adlen, const uint8_t* npub, const uint8_t* k) {
  uint64_t K0, K1, K2, N0, N1;
  state_t s;
  (void)nsec;

  if (clen < CRYPTO_ABYTES) {
    *mlen = 0;
    return -1;
  }

  /* set plaintext size */
  *mlen = clen - CRYPTO_ABYTES;

  /* load key and nonce */
  K0 = LOADBYTES(k + 0, 4) >> 32;
  K1 = LOADBYTES(k + 4, 8);
  K2 = LOADBYTES(k + 12, 8);
  N0 = LOADBYTES(npub, 8);
  N1 = LOADBYTES(npub + 8, 8);

  /* initialization */
  s.x0 = ASCON_80PQ_IV | K0;
  s.x1 = K1;
  s.x2 = K2;
  s.x3 = N0;
  s.x4 = N1;
  P12(&s);
  s.x2 ^= K0;
  s.x3 ^= K1;
  s.x4 ^= K2;
  printstate("initialization", &s);

  /* process associated data */
  if (adlen) {
    while (adlen >= ASCON_128_RATE) {
      s.x0 ^= LOADBYTES(ad, 8);
      P6(&s);
      ad += ASCON_128_RATE;
      adlen -= ASCON_128_RATE;
    }
    /* final associated data block */
    s.x0 ^= LOADBYTES(ad, adlen);
    s.x0 ^= PAD(adlen);
    P6(&s);
  }
  s.x4 ^= 1;
  printstate("process associated data", &s);

  /* process ciphertext */
  clen -= CRYPTO_ABYTES;
  while (clen >= ASCON_128_RATE) {
    uint64_t c0 = LOADBYTES(c, 8);
    STOREBYTES(m, s.x0 ^ c0, 8);
    s.x0 = c0;
    P6(&s);
    m += ASCON_128_RATE;
    c += ASCON_128_RATE;
    clen -= ASCON_128_RATE;
  }
  /* final ciphertext block */
  uint64_t c0 = LOADBYTES(c, clen);
  STOREBYTES(m, s.x0 ^ c0, clen);
  s.x0 = CLEARBYTES(s.x0, clen);
  s.x0 |= c0;
  s.x0 ^= PAD(clen);
  c += clen;
  printstate("process ciphertext", &s);

  /* finalization */
  s.x1 ^= K0 << 32 | K1 >> 32;
  s.x2 ^= K1 << 32 | K2 >> 32;
  s.x3 ^= K2 << 32;
  P12(&s);
  s.x3 ^= K1;
  s.x4 ^= K2;
  printstate("finalization", &s);

  /* verify tag (should be constant time, check compiler output) */
  if ((s.x3 ^ LOADBYTES(c, 8)) | (s.x4 ^ LOADBYTES(c + 8, 8))) {
    *mlen = 0;
    return -1;
  }

  return 0;
}