/* * Copyright (C) 2020 Southern Storm Software, Pty Ltd. * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the "Software"), * to deal in the Software without restriction, including without limitation * the rights to use, copy, modify, merge, publish, distribute, sublicense, * and/or sell copies of the Software, and to permit persons to whom the * Software is furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER * DEALINGS IN THE SOFTWARE. */ #ifndef LWCRYPTO_SPARKLE_H #define LWCRYPTO_SPARKLE_H #include "aead-common.h" /** * \file sparkle.h * \brief Encryption and hash algorithms based on the SPARKLE permutation. * * SPARKLE is a family of encryption and hash algorithms that are based * around the SPARKLE permutation. There are three versions of the * permutation with 256-bit, 384-bit, and 512-bit state sizes. * The algorithms in the family are: * * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. * This is the primary encryption algorithm in the family. * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. * \li Esch256 hash algorithm with a 256-bit digest output. This is the * primary hash algorithm in the family. * \li Esch384 hash algorithm with a 384-bit digest output. * * References: https://www.cryptolux.org/index.php/Sparkle */ #ifdef __cplusplus extern "C" { #endif /** * \brief Size of the key for Schwaemm256-128. */ #define SCHWAEMM_256_128_KEY_SIZE 16 /** * \brief Size of the authentication tag for Schwaemm256-128. */ #define SCHWAEMM_256_128_TAG_SIZE 16 /** * \brief Size of the nonce for Schwaemm256-128. */ #define SCHWAEMM_256_128_NONCE_SIZE 32 /** * \brief Size of the key for Schwaemm192-192. */ #define SCHWAEMM_192_192_KEY_SIZE 24 /** * \brief Size of the authentication tag for Schwaemm192-192. */ #define SCHWAEMM_192_192_TAG_SIZE 24 /** * \brief Size of the nonce for Schwaemm192-192. */ #define SCHWAEMM_192_192_NONCE_SIZE 24 /** * \brief Size of the key for Schwaemm128-128. */ #define SCHWAEMM_128_128_KEY_SIZE 16 /** * \brief Size of the authentication tag for Schwaemm128-128. */ #define SCHWAEMM_128_128_TAG_SIZE 16 /** * \brief Size of the nonce for Schwaemm128-128. */ #define SCHWAEMM_128_128_NONCE_SIZE 16 /** * \brief Size of the key for Schwaemm256-256. */ #define SCHWAEMM_256_256_KEY_SIZE 32 /** * \brief Size of the authentication tag for Schwaemm256-256. */ #define SCHWAEMM_256_256_TAG_SIZE 32 /** * \brief Size of the nonce for Schwaemm256-256. */ #define SCHWAEMM_256_256_NONCE_SIZE 32 /** * \brief Size of the hash output for Esch256. */ #define ESCH_256_HASH_SIZE 32 /** * \brief Size of the hash output for Esch384. */ #define ESCH_384_HASH_SIZE 48 /** * \brief Meta-information block for the Schwaemm256-128 cipher. */ extern aead_cipher_t const schwaemm_256_128_cipher; /** * \brief Meta-information block for the Schwaemm192-192 cipher. */ extern aead_cipher_t const schwaemm_192_192_cipher; /** * \brief Meta-information block for the Schwaemm128-128 cipher. */ extern aead_cipher_t const schwaemm_128_128_cipher; /** * \brief Meta-information block for the Schwaemm256-256 cipher. */ extern aead_cipher_t const schwaemm_256_256_cipher; /** * \brief Meta-information block for the Esch256 hash algorithm. */ extern aead_hash_algorithm_t const esch_256_hash_algorithm; /** * \brief Meta-information block for the Esch384 hash algorithm. */ extern aead_hash_algorithm_t const esch_384_hash_algorithm; /** * \brief State information for the Esch256 incremental hash mode. */ typedef union { struct { unsigned char state[48]; /**< Current hash state */ unsigned char block[16]; /**< Partial input data block */ unsigned char count; /**< Number of bytes in the current block */ } s; /**< State */ unsigned long long align; /**< For alignment of this structure */ } esch_256_hash_state_t; /** * \brief State information for the Esch384 incremental hash mode. */ typedef union { struct { unsigned char state[64]; /**< Current hash state */ unsigned char block[16]; /**< Partial input data block */ unsigned char count; /**< Number of bytes in the current block */ } s; /**< State */ unsigned long long align; /**< For alignment of this structure */ } esch_384_hash_state_t; /** * \brief Encrypts and authenticates a packet with Schwaemm256-128. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must * be 32 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * * \sa schwaemm_256_128_aead_decrypt() */ int schwaemm_256_128_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k); /** * \brief Decrypts and authenticates a packet with Schwaemm256-128. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. * \param nsec Secret nonce - not used by this algorithm. * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must * be 32 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * * \sa schwaemm_256_128_aead_encrypt() */ int schwaemm_256_128_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, const unsigned char *ad, unsigned long long adlen, const unsigned char *npub, const unsigned char *k); /** * \brief Encrypts and authenticates a packet with Schwaemm192-192. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes * the ciphertext and the 24 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must * be 24 bytes in length. * \param k Points to the 24 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * * \sa schwaemm_192_192_aead_decrypt() */ int schwaemm_192_192_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k); /** * \brief Decrypts and authenticates a packet with Schwaemm192-192. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. * \param nsec Secret nonce - not used by this algorithm. * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the * ciphertext and the 24 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must * be 24 bytes in length. * \param k Points to the 24 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * * \sa schwaemm_192_192_aead_encrypt() */ int schwaemm_192_192_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, const unsigned char *ad, unsigned long long adlen, const unsigned char *npub, const unsigned char *k); /** * \brief Encrypts and authenticates a packet with Schwaemm128-128. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * * \sa schwaemm_128_128_aead_decrypt() */ int schwaemm_128_128_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k); /** * \brief Decrypts and authenticates a packet with Schwaemm128-128. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. * \param nsec Secret nonce - not used by this algorithm. * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * * \sa schwaemm_128_128_aead_encrypt() */ int schwaemm_128_128_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, const unsigned char *ad, unsigned long long adlen, const unsigned char *npub, const unsigned char *k); /** * \brief Encrypts and authenticates a packet with Schwaemm256-256. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * * \sa schwaemm_256_256_aead_decrypt() */ int schwaemm_256_256_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k); /** * \brief Decrypts and authenticates a packet with Schwaemm256-256. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. * \param nsec Secret nonce - not used by this algorithm. * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * * \sa schwaemm_256_256_aead_encrypt() */ int schwaemm_256_256_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, const unsigned char *ad, unsigned long long adlen, const unsigned char *npub, const unsigned char *k); /** * \brief Hashes a block of input data with Esch256 to generate a hash value. * * \param out Buffer to receive the hash output which must be at least * ESCH_256_HASH_SIZE bytes in length. * \param in Points to the input data to be hashed. * \param inlen Length of the input data in bytes. * * \return Returns zero on success or -1 if there was an error in the * parameters. */ int esch_256_hash (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** * \brief Initializes the state for an Esch256 hashing operation. * * \param state Hash state to be initialized. * * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() */ void esch_256_hash_init(esch_256_hash_state_t *state); /** * \brief Updates an Esch256 state with more input data. * * \param state Hash state to be updated. * \param in Points to the input data to be incorporated into the state. * \param inlen Length of the input data to be incorporated into the state. * * \sa esch_256_hash_init(), esch_256_hash_finalize() */ void esch_256_hash_update (esch_256_hash_state_t *state, const unsigned char *in, unsigned long long inlen); /** * \brief Returns the final hash value from an Esch256 hashing operation. * * \param state Hash state to be finalized. * \param out Points to the output buffer to receive the 32-byte hash value. * * \sa esch_256_hash_init(), esch_256_hash_update() */ void esch_256_hash_finalize (esch_256_hash_state_t *state, unsigned char *out); /** * \brief Hashes a block of input data with Esch384 to generate a hash value. * * \param out Buffer to receive the hash output which must be at least * ESCH_384_HASH_SIZE bytes in length. * \param in Points to the input data to be hashed. * \param inlen Length of the input data in bytes. * * \return Returns zero on success or -1 if there was an error in the * parameters. */ int esch_384_hash (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** * \brief Initializes the state for an Esch384 hashing operation. * * \param state Hash state to be initialized. * * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() */ void esch_384_hash_init(esch_384_hash_state_t *state); /** * \brief Updates an Esch384 state with more input data. * * \param state Hash state to be updated. * \param in Points to the input data to be incorporated into the state. * \param inlen Length of the input data to be incorporated into the state. * * \sa esch_384_hash_init(), esch_384_hash_finalize() */ void esch_384_hash_update (esch_384_hash_state_t *state, const unsigned char *in, unsigned long long inlen); /** * \brief Returns the final hash value from an Esch384 hashing operation. * * \param state Hash state to be finalized. * \param out Points to the output buffer to receive the 48-byte hash value. * * \sa esch_384_hash_init(), esch_384_hash_update() */ void esch_384_hash_finalize (esch_384_hash_state_t *state, unsigned char *out); #ifdef __cplusplus } #endif #endif