Source of nhpoly1305.c - linux-imx - PHYTEC BitBucket (Stash)

Raw file
Source viewDiff to previous
int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst, nh_t nh_fn)
 
// SPDX-License-Identifier: GPL-2.0
/*
 * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum
 *
 * Copyright 2018 Google LLC
 */
​
/*
 * "NHPoly1305" is the main component of Adiantum hashing.
 * Specifically, it is the calculation
 *
 *  H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L)))
 *
 * from the procedure in section 6.4 of the Adiantum paper [1].  It is an
 * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over
 * Z/(2^{128}Z), where the "∆" operation is addition.  It hashes 1024-byte
 * chunks of the input with the NH hash function [2], reducing the input length
 * by 32x.  The resulting NH digests are evaluated as a polynomial in
 * GF(2^{130}-5), like in the Poly1305 MAC [3].  Note that the polynomial
 * evaluation by itself would suffice to achieve the ε-∆U property; NH is used
 * for performance since it's over twice as fast as Poly1305.
 *
 * This is *not* a cryptographic hash function; do not use it as such!
 *
 * [1] Adiantum: length-preserving encryption for entry-level processors
 *     (https://eprint.iacr.org/2018/720.pdf)
 * [2] UMAC: Fast and Secure Message Authentication
 *     (https://fastcrypto.org/umac/umac_proc.pdf)
 * [3] The Poly1305-AES message-authentication code
 *     (https://cr.yp.to/mac/poly1305-20050329.pdf)
 */
​
#include <asm/unaligned.h>
#include <crypto/algapi.h>
#include <crypto/internal/hash.h>
#include <crypto/nhpoly1305.h>
#include <linux/crypto.h>
#include <linux/kernel.h>
#include <linux/module.h>
​
static void nh_generic(const u32 *key, const u8 *message, size_t message_len,
               __le64 hash[NH_NUM_PASSES])
{
    u64 sums[4] = { 0, 0, 0, 0 };
​
    BUILD_BUG_ON(NH_PAIR_STRIDE != 2);
    BUILD_BUG_ON(NH_NUM_PASSES != 4);
​
    while (message_len) {
        u32 m0 = get_unaligned_le32(message + 0);
        u32 m1 = get_unaligned_le32(message + 4);
        u32 m2 = get_unaligned_le32(message + 8);
        u32 m3 = get_unaligned_le32(message + 12);
​
        sums[0] += (u64)(u32)(m0 + key[ 0]) * (u32)(m2 + key[ 2]);
        sums[1] += (u64)(u32)(m0 + key[ 4]) * (u32)(m2 + key[ 6]);
        sums[2] += (u64)(u32)(m0 + key[ 8]) * (u32)(m2 + key[10]);
        sums[3] += (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]);
        sums[0] += (u64)(u32)(m1 + key[ 1]) * (u32)(m3 + key[ 3]);
        sums[1] += (u64)(u32)(m1 + key[ 5]) * (u32)(m3 + key[ 7]);
        sums[2] += (u64)(u32)(m1 + key[ 9]) * (u32)(m3 + key[11]);
        sums[3] += (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]);
        key += NH_MESSAGE_UNIT / sizeof(key[0]);