comparison libtomcrypt/crypt.tex @ 1437:871b18fd7065 fuzz

merge from main (libtommath/libtomcrypt/curve25510-donna updates)
author Matt Johnston <matt@ucc.asn.au>
date Sat, 24 Jun 2017 22:51:45 +0800
parents f849a5ca2efc
children
1432:41dca1e5ea34 1437:871b18fd7065
188 The project is hereby released as public domain. 188 The project is hereby released as public domain.
189 189
190 \mysection{Patent Disclosure} 190 \mysection{Patent Disclosure}
191 191
192 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best 192 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best
193 of the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers. 193 of the author's knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers.
194 They can be removed from a build by simply commenting out the two appropriate lines in \textit{tomcrypt\_custom.h}. The rest 194 They can be removed from a build by simply commenting out the two appropriate lines in \textit{tomcrypt\_custom.h}. The rest
195 of the ciphers and hashes are patent free or under patents that have since expired. 195 of the ciphers and hashes are patent free or under patents that have since expired.
196 196
197 The RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations. This means you can use 197 The RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations. This means you can use
198 the ciphers you just can't advertise that you are doing so. 198 the ciphers you just can't advertise that you are doing so.
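Review bot: the possessive fix on line 193 ("authors" to "author's") is correct and is the only change in this hunk; while the paragraph is being touched, "patent related issues" should be hyphenated ("patent-related issues"), and the run-on on line 198 needs a break: "This means you can use the ciphers; you just can't advertise that you are doing so."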
614 \hline RC6-32/20/b & rc6\_desc & 16 & 8 $\ldots$ 128 & 20 \\ 614 \hline RC6-32/20/b & rc6\_desc & 16 & 8 $\ldots$ 128 & 20 \\
615 \hline SAFER+ & saferp\_desc &16 & 16, 24, 32 & 8, 12, 16 \\ 615 \hline SAFER+ & saferp\_desc &16 & 16, 24, 32 & 8, 12, 16 \\
616 \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\ 616 \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
617 & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\ 617 & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
618 \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\ 618 \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\
619 \hline DES & des\_desc & 8 & 7 & 16 \\ 619 \hline DES & des\_desc & 8 & 8 & 16 \\
620 \hline 3DES (EDE mode) & des3\_desc & 8 & 21 & 16 \\ 620 \hline 3DES (EDE mode) & des3\_desc & 8 & 24 & 16 \\
621 \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\ 621 \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\
622 \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\ 622 \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\
623 \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\ 623 \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\
624 \hline Anubis & anubis\_desc & 16 & 16 $\ldots$ 40 & 12 $\ldots$ 18 \\ 624 \hline Anubis & anubis\_desc & 16 & 16 $\ldots$ 40 & 12 $\ldots$ 18 \\
625 \hline Khazad & khazad\_desc & 8 & 16 & 8 \\ 625 \hline Khazad & khazad\_desc & 8 & 16 & 8 \\
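Review bot: the key-size corrections on lines 619 and 620 (DES 7 to 8, 3DES 21 to 24 octets) are right for this library's API: des\_setup() and des3\_setup() take the key with the parity bits included, so the table now lists the keylen the XXX\_setup() call accepts rather than the effective key material (56 and 168 bits). Since the old values show this column has been misread before, a table footnote saying "key sizes are in octets as passed to XXX\_setup(), parity bits included" would stop it being "corrected" back.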
877 length as the block size\footnote{In other words the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.} 877 length as the block size\footnote{In other words the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.}
878 of the cipher you choose. It is important that the IV be random for each unique message you want to encrypt. The 878 of the cipher you choose. It is important that the IV be random for each unique message you want to encrypt. The
879 parameters \textit{key}, \textit{keylen} and \textit{num\_rounds} are the same as in the XXX\_setup() function call. The final parameter 879 parameters \textit{key}, \textit{keylen} and \textit{num\_rounds} are the same as in the XXX\_setup() function call. The final parameter
880 is a pointer to the structure you want to hold the information for the mode of operation. 880 is a pointer to the structure you want to hold the information for the mode of operation.
881 881
882 882 The routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise, they return an error code.
883
884 \subsubsection{CTR Mode}
883 In the case of CTR mode there is an additional parameter \textit{ctr\_mode} which specifies the mode that the counter is to be used in. 885 In the case of CTR mode there is an additional parameter \textit{ctr\_mode} which specifies the mode that the counter is to be used in.
884 If \textbf{CTR\_COUNTER\_ LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value. Otherwise, if 886 If \textbf{CTR\_COUNTER\_ LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value. Otherwise, if
885 \textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value. As of v1.15 the RFC 3686 style of 887 \textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value. As of v1.15 the RFC 3686 style of
886 increment then encrypt is also supported. By OR'ing \textbf{LTC\_CTR\_RFC3686} with the CTR \textit{mode} value, ctr\_start() will increment 888 increment then encrypt is also supported. By OR'ing \textbf{LTC\_CTR\_RFC3686} with the CTR \textit{mode} value, ctr\_start() will increment
887 the counter before encrypting it for the first time. 889 the counter before encrypting it for the first time.
888 890
889 The routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise, they return an error code. 891 As of V1.17, the library supports variable length counters for CTR mode. The (optional) counter length is specified by OR'ing the octet
892 length of the counter against the \textit{ctr\_mode} parameter. The default, zero, indicates that a full block length counter will be used. This also
893 ensures backwards compatibility with software that uses older versions of the library.
894
895 \begin{small}
896 \begin{verbatim}
897 symmetric_CTR ctr;
898 int err;
899 unsigned char IV[16], key[16];
900
901 /* use a 32-bit little endian counter */
902 if ((err = ctr_start(find_cipher("aes"),
903 IV, key, 16, 0,
904 CTR_COUNTER_LITTLE_ENDIAN | 4,
905 &ctr)) != CRYPT_OK) {
906 handle_error(err);
907 }
908 \end{verbatim}
909 \end{small}
910
911 Changing the counter size has little (really no) effect on the performance of the CTR chaining mode. It is provided for compatibility
912 with other software (and hardware) which have smaller fixed sized counters.
890 913
891 \subsection{Encryption and Decryption} 914 \subsection{Encryption and Decryption}
892 To actually encrypt or decrypt the following routines are provided: 915 To actually encrypt or decrypt the following routines are provided:
893 \index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()} 916 \index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()}
894 \index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()} 917 \index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()}
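Review bot: the new variable-length counter text on lines 891-893 does not state the valid range for the OR'd octet length or what ctr\_start() returns when the length exceeds the cipher's block size; add a sentence such as "The counter length must be between 1 and the block length of the cipher, otherwise ctr\_start() returns an error." The example on lines 897-907 also declares IV[16] and key[16] without initializing them, while the paragraph above requires a random IV per message; a comment like "/* IV must be filled with fresh random bytes before this call */" keeps the sample from being copied verbatim with a zero IV. Two smaller points: lines 888 and 892 refer to the same argument as "the CTR \textit{mode} value" and "the \textit{ctr\_mode} parameter", so pick one name, and "little (really no) effect" on line 911 reads as chatty for a reference manual ("no measurable effect" says the same).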
1090 1113
1091 \index{lrw\_done()} 1114 \index{lrw\_done()}
1092 \begin{verbatim} 1115 \begin{verbatim}
1093 int lrw_done(symmetric_LRW *lrw); 1116 int lrw_done(symmetric_LRW *lrw);
1094 \end{verbatim} 1117 \end{verbatim}
1118
1119 \subsection{XTS Mode}
1120 As of v1.17, LibTomCrypt supports XTS mode with code donated by Elliptic Semiconductor Inc.\footnote{www.ellipticsemi.com}.
1121 XTS is a chaining mode for 128--bit block ciphers, recommended by IEEE (P1619)
1122 for disk encryption. It is meant to be an encryption mode with random access to the message data without compromising privacy. It requires two private keys (of equal
1123 length) to perform the encryption process. Each encryption invocation includes a sector number or unique identifier specified as a 128--bit string.
1124
1125 To initialize XTS mode use the following function call:
1126
1127 \index{xts\_start()}
1128 \begin{verbatim}
1129 int xts_start( int cipher,
1130 const unsigned char *key1,
1131 const unsigned char *key2,
1132 unsigned long keylen,
1133 int num_rounds,
1134 symmetric_xts *xts)
1135 \end{verbatim}
1136 This will start the XTS mode with the two keys pointed to by \textit{key1} and \textit{key2} of length \textit{keylen} octets each.
1137
1138 To encrypt or decrypt a sector use the following calls:
1139
1140 \index{xts\_encrypt()} \index{xts\_decrypt()}
1141 \begin{verbatim}
1142 int xts_encrypt(
1143 const unsigned char *pt, unsigned long ptlen,
1144 unsigned char *ct,
1145 const unsigned char *tweak,
1146 symmetric_xts *xts);
1147
1148 int xts_decrypt(
1149 const unsigned char *ct, unsigned long ptlen,
1150 unsigned char *pt,
1151 const unsigned char *tweak,
1152 symmetric_xts *xts);
1153 \end{verbatim}
1154 The first will encrypt the plaintext pointed to by \textit{pt} of length \textit{ptlen} octets, and store the ciphertext in the array pointed to by
1155 \textit{ct}. It uses the 128--bit tweak pointed to by \textit{tweak} to encrypt the block. The decrypt function performs the opposite operation. Both
1156 functions support ciphertext stealing (blocks that are not multiples of 16 bytes).
1157
1158 The P1619 specification states the tweak for sector number shall be represented as a 128--bit little endian string.
1159
1160 To terminate the XTS state call the following function:
1161
1162 \index{xts\_done()}
1163 \begin{verbatim}
1164 void xts_done(symmetric_xts *xts);
1165 \end{verbatim}
1166
1095 1167
1096 \subsection{F8 Mode} 1168 \subsection{F8 Mode}
1097 \index{F8 Mode} 1169 \index{F8 Mode}
1098 The F8 Chaining mode (see RFC 3711 for instance) is yet another chaining mode for block ciphers. It behaves much like CTR mode in that it XORs a keystream 1170 The F8 Chaining mode (see RFC 3711 for instance) is yet another chaining mode for block ciphers. It behaves much like CTR mode in that it XORs a keystream
1099 against the plaintext to encrypt. F8 mode comes with the additional twist that the counter value is secret, encrypted by a \textit{salt key}. We 1171 against the plaintext to encrypt. F8 mode comes with the additional twist that the counter value is secret, encrypted by a \textit{salt key}. We
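Review bot: xts\_decrypt() on line 1149 names its length parameter ptlen although it receives the ciphertext length; rename it ctlen, or state in the text that plaintext and ciphertext lengths are always equal in XTS (they are, even with ciphertext stealing), so the prototype does not read as a copy-paste slip from xts\_encrypt(). The ciphertext-stealing sentence on line 1156 should also give the minimum input: stealing needs at least one full 16-byte block, so the text should say that ptlen below 16 is rejected and which error is returned. Lastly, line 1155 says the tweak is used "to encrypt the block" when the call processes a whole sector of blocks, and the "without compromising privacy" claim on line 1122 would be clearer with the caveat that XTS provides confidentiality only and no integrity, which readers of a disk-encryption section tend to assume.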
2096 \begin{verbatim} 2168 \begin{verbatim}
2097 int hmac_process( hmac_state *hmac, 2169 int hmac_process( hmac_state *hmac,
2098 const unsigned char *in, 2170 const unsigned char *in,
2099 unsigned long inlen); 2171 unsigned long inlen);
2100 \end{verbatim} 2172 \end{verbatim}
2101 \textit{hmac} is the HMAC state you are working with. \textit{buf} is the array of octets to send into the HMAC process. \textit{len} is the 2173 \textit{hmac} is the HMAC state you are working with. \textit{in} is the array of octets to send into the HMAC process. \textit{inlen} is the
2102 number of octets to process. Like the hash process routines you can send the data in arbitrarily sized chunks. When you 2174 number of octets to process. Like the hash process routines, you can send the data in arbitrarily sized chunks. When you
2103 are finished with the HMAC process you must call the following function to get the HMAC code: 2175 are finished with the HMAC process you must call the following function to get the HMAC code:
2104 \index{hmac\_done()} 2176 \index{hmac\_done()}
2105 \begin{verbatim} 2177 \begin{verbatim}
2106 int hmac_done( hmac_state *hmac, 2178 int hmac_done( hmac_state *hmac,
2107 unsigned char *out, 2179 unsigned char *out,
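Review bot: the rename of buf/len to in/inlen on line 2173 brings the prose in line with the hmac\_process() prototype directly above it, and the added comma after "Like the hash process routines" on line 2174 is correct; nothing further needed in this hunk, though the same prose-versus-prototype mismatch is worth checking in the other MAC sections of this file.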
2508 unsigned long keylen); 2580 unsigned long keylen);
2509 \end{verbatim} 2581 \end{verbatim}
2510 2582
2511 This will initialize the XCBC--MAC state \textit{xcbc}, with the key specified in \textit{key} of length \textit{keylen} octets. The cipher indicated 2583 This will initialize the XCBC--MAC state \textit{xcbc}, with the key specified in \textit{key} of length \textit{keylen} octets. The cipher indicated
2512 by the \textit{cipher} index can be either a 64 or 128--bit block cipher. This will return \textbf{CRYPT\_OK} on success. 2584 by the \textit{cipher} index can be either a 64 or 128--bit block cipher. This will return \textbf{CRYPT\_OK} on success.
2585
2586 \index{LTC\_XCBC\_PURE}
2587 It is possible to use XCBC in a three key mode by OR'ing the value \textbf{LTC\_XCBC\_PURE} against the \textit{keylen} parameter. In this mode, the key is
2588 interpretted as three keys. If the cipher has a block size of $n$ octets, the first key is then $keylen - 2n$ octets and is the encryption key. The next
2589 $2n$ octets are the $K_1$ and $K_2$ padding keys (used on the last block). For example, to use AES--192 \textit{keylen} should be $24 + 2 \cdot 16 = 56$ octets.
2590 The three keys are interpretted as if they were concatenated in the \textit{key} buffer.
2591
2513 2592
2514 To process data through XCBC--MAC use the following function: 2593 To process data through XCBC--MAC use the following function:
2515 2594
2516 \index{xcbc\_process()} 2595 \index{xcbc\_process()}
2517 \begin{verbatim} 2596 \begin{verbatim}
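Review bot: "interpretted" on lines 2588 and 2590 should be "interpreted". The worked example on line 2589 gives keylen as 56 for AES-192 but leaves out the flag the paragraph is about; writing it as "keylen should be $56$ OR'd with \textbf{LTC\_XCBC\_PURE}" shows the actual argument. It would also help to say what the init call returns when $keylen - 2n$ is not a valid key size for the chosen cipher, since that is the failure a caller who miscounts the padding keys will hit.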
6483 \input{crypt.ind} 6562 \input{crypt.ind}
6484 6563
6485 \end{document} 6564 \end{document}
6486 6565
6487 % $Source: /cvs/libtom/libtomcrypt/crypt.tex,v $ 6566 % $Source: /cvs/libtom/libtomcrypt/crypt.tex,v $
6488 % $Revision: 1.123 $ 6567 % $Revision: 1.128 $
6489 % $Date: 2006/12/16 19:08:17 $ 6568 % $Date: 2007/03/10 23:59:54 $