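#include <string.h>

#include "api.h"
#include "ascon.h"
#include "loadstore.h"
#include "permutations.h"
#include "printstate.h"

/*
 * Ascon-128 AEAD decryption.
 *
 * m      out: plaintext buffer, receives clen - CRYPTO_ABYTES bytes
 * mlen   out: plaintext length; set to 0 on any failure
 * nsec   unused (no secret nonce in Ascon), accepted for API compatibility
 * c      in:  ciphertext followed by the CRYPTO_ABYTES-byte tag
 * clen   in:  total length of c, tag included
 * ad     in:  associated data (authenticated, not decrypted)
 * adlen  in:  length of ad
 * npub   in:  public nonce, 16 bytes are read
 * k      in:  key, 16 bytes are read
 *
 * Returns 0 on success, -1 if clen is shorter than the tag or the tag does not
 * verify. On tag failure the plaintext written so far is overwritten with
 * zeros before returning, so callers never observe unauthenticated plaintext.
 */
int crypto_aead_decrypt(uint8_t* m, uint64_t* mlen, uint8_t* nsec,
                        const uint8_t* c, uint64_t clen, const uint8_t* ad,
                        uint64_t adlen, const uint8_t* npub, const uint8_t* k) {
  uint64_t K0, K1, N0, N1;
  uint64_t diff;
  uint8_t* const m_start = m; /* kept so the whole output can be wiped */
  state_t s;
  (void)nsec;
  if (clen < CRYPTO_ABYTES) {
    *mlen = 0;
    return -1;
  }
  /* set plaintext size */
  *mlen = clen - CRYPTO_ABYTES;
  /* load key and nonce */
  K0 = LOAD(k, 8);
  K1 = LOAD(k + 8, 8);
  N0 = LOAD(npub, 8);
  N1 = LOAD(npub + 8, 8);
  /* initialization */
  s.x0 = ASCON_128_IV;
  s.x1 = K0;
  s.x2 = K1;
  s.x3 = N0;
  s.x4 = N1;
  P12(&s);
  s.x3 ^= K0;
  s.x4 ^= K1;
  printstate("initialization", &s);
  /* process associated data */
  if (adlen) {
    while (adlen >= ASCON_128_RATE) {
      s.x0 ^= LOAD(ad, 8);
      P6(&s);
      ad += ASCON_128_RATE;
      adlen -= ASCON_128_RATE;
    }
    /* final associated data block */
    s.x0 ^= LOAD(ad, adlen);
    s.x0 ^= PAD(adlen);
    P6(&s);
  }
  /* domain separation between associated data and ciphertext */
  s.x4 ^= 1;
  printstate("process associated data", &s);
  /* process ciphertext */
  clen -= CRYPTO_ABYTES;
  while (clen >= ASCON_128_RATE) {
    uint64_t cblock = LOAD(c, 8);
    STORE(m, s.x0 ^ cblock, 8);
    /* the ciphertext block, not the plaintext, becomes the new rate part */
    s.x0 = cblock;
    P6(&s);
    m += ASCON_128_RATE;
    c += ASCON_128_RATE;
    clen -= ASCON_128_RATE;
  }
  /* final (partial) ciphertext block */
  uint64_t clast = LOAD(c, clen);
  STORE(m, s.x0 ^ clast, clen);
  s.x0 &= ~MASK(clen);
  s.x0 |= clast;
  s.x0 ^= PAD(clen);
  c += clen;
  printstate("process ciphertext", &s);
  /* finalization */
  s.x1 ^= K0;
  s.x2 ^= K1;
  P12(&s);
  s.x3 ^= K0;
  s.x4 ^= K1;
  printstate("finalization", &s);
  /* verify tag: fold the full 128-bit difference into one bit before the
   * branch so there is no per-word early exit; C gives no constant-time
   * guarantee, so the compiler output should still be checked */
  diff = (s.x3 ^ LOAD(c, 8)) | (s.x4 ^ LOAD(c + 8, 8));
  diff = (diff | (0 - diff)) >> 63; /* 1 iff any tag bit differs */
  if (diff) {
    /* do not release unauthenticated plaintext to the caller */
    memset(m_start, 0, (size_t)*mlen);
    *mlen = 0;
    return -1;
  }
  return 0;
}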