decrypt.c 2.39 KB
Newer Older
lwc-tester committed
1
#include "api.h"
Martin Schläffer committed
2 3
#include "ascon.h"
#include "loadstore.h"
lwc-tester committed
4
#include "permutations.h"
Martin Schläffer committed
5
#include "printstate.h"
lwc-tester committed
6

Martin Schläffer committed
7 8 9 10 11 12
int crypto_aead_decrypt(uint8_t* m, uint64_t* mlen, uint8_t* nsec,
                        const uint8_t* c, uint64_t clen, const uint8_t* ad,
                        uint64_t adlen, const uint8_t* npub, const uint8_t* k) {
  uint64_t K0, K1, N0, N1;
  state_t s;
  (void)nsec;
lwc-tester committed
13 14 15 16 17 18

  if (clen < CRYPTO_ABYTES) {
    *mlen = 0;
    return -1;
  }

Martin Schläffer committed
19
  /* set plaintext size */
lwc-tester committed
20 21
  *mlen = clen - CRYPTO_ABYTES;

Martin Schläffer committed
22 23 24 25 26 27 28 29
  /* load key and nonce */
  K0 = LOAD(k, 8);
  K1 = LOAD(k + 8, 8);
  N0 = LOAD(npub, 8);
  N1 = LOAD(npub + 8, 8);

  /* initialization */
  s.x0 = ASCON_128A_IV;
lwc-tester committed
30 31 32 33 34 35 36
  s.x1 = K0;
  s.x2 = K1;
  s.x3 = N0;
  s.x4 = N1;
  P12(&s);
  s.x3 ^= K0;
  s.x4 ^= K1;
Martin Schläffer committed
37
  printstate("initialization", &s);
lwc-tester committed
38

Martin Schläffer committed
39
  /* process associated data */
lwc-tester committed
40
  if (adlen) {
Martin Schläffer committed
41 42 43
    while (adlen >= ASCON_128A_RATE) {
      s.x0 ^= LOAD(ad, 8);
      s.x1 ^= LOAD(ad + 8, 8);
lwc-tester committed
44
      P8(&s);
Martin Schläffer committed
45 46
      ad += ASCON_128A_RATE;
      adlen -= ASCON_128A_RATE;
lwc-tester committed
47
    }
Martin Schläffer committed
48
    /* final associated data block */
lwc-tester committed
49
    if (adlen >= 8) {
Martin Schläffer committed
50 51 52
      s.x0 ^= LOAD(ad, 8);
      s.x1 ^= LOAD(ad + 8, adlen - 8);
      s.x1 ^= PAD(adlen - 8);
lwc-tester committed
53
    } else {
Martin Schläffer committed
54 55
      s.x0 ^= LOAD(ad, adlen);
      s.x0 ^= PAD(adlen);
lwc-tester committed
56 57 58 59
    }
    P8(&s);
  }
  s.x4 ^= 1;
Martin Schläffer committed
60
  printstate("process associated data", &s);
lwc-tester committed
61

Martin Schläffer committed
62
  /* process ciphertext */
lwc-tester committed
63
  clen -= CRYPTO_ABYTES;
Martin Schläffer committed
64 65 66 67 68
  while (clen >= ASCON_128A_RATE) {
    uint64_t c0 = LOAD(c, 8);
    uint64_t c1 = LOAD(c + 8, 8);
    STORE(m, s.x0 ^ c0, 8);
    STORE(m + 8, s.x1 ^ c1, 8);
lwc-tester committed
69 70 71
    s.x0 = c0;
    s.x1 = c1;
    P8(&s);
Martin Schläffer committed
72 73 74
    m += ASCON_128A_RATE;
    c += ASCON_128A_RATE;
    clen -= ASCON_128A_RATE;
lwc-tester committed
75
  }
Martin Schläffer committed
76
  /* final ciphertext block */
lwc-tester committed
77
  if (clen >= 8) {
Martin Schläffer committed
78 79 80 81
    uint64_t c0 = LOAD(c, 8);
    uint64_t c1 = LOAD(c + 8, clen - 8);
    STORE(m, s.x0 ^ c0, 8);
    STORE(m + 8, s.x1 ^ c1, clen - 8);
lwc-tester committed
82
    s.x0 = c0;
Martin Schläffer committed
83
    s.x1 &= ~MASK(clen - 8);
lwc-tester committed
84
    s.x1 |= c1;
Martin Schläffer committed
85
    s.x1 ^= PAD(clen - 8);
lwc-tester committed
86
  } else {
Martin Schläffer committed
87 88 89
    uint64_t c0 = LOAD(c, clen);
    STORE(m, s.x0 ^ c0, clen);
    s.x0 &= ~MASK(clen);
lwc-tester committed
90
    s.x0 |= c0;
Martin Schläffer committed
91
    s.x0 ^= PAD(clen);
lwc-tester committed
92 93
  }
  c += clen;
Martin Schläffer committed
94
  printstate("process ciphertext", &s);
lwc-tester committed
95

Martin Schläffer committed
96
  /* finalization */
lwc-tester committed
97 98 99 100 101
  s.x2 ^= K0;
  s.x3 ^= K1;
  P12(&s);
  s.x3 ^= K0;
  s.x4 ^= K1;
Martin Schläffer committed
102
  printstate("finalization", &s);
lwc-tester committed
103

Martin Schläffer committed
104 105
  /* verify tag (should be constant time, check compiler output) */
  if ((s.x3 ^ LOAD(c, 8)) | (s.x4 ^ LOAD(c + 8, 8))) {
lwc-tester committed
106 107 108 109 110 111
    *mlen = 0;
    return -1;
  }

  return 0;
}