mac_init(): require a nonce

aegis-aead · Dec 4, 2024 · 7801a03 · 7801a03
1 parent 479326a
commit 7801a03
Show file tree

Hide file tree

Showing 14 changed files with 40 additions and 47 deletions.
diff --git a/src/aegis128l/aegis128l.c b/src/aegis128l/aegis128l.c
@@ -175,10 +175,8 @@ aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, con
 }
 
 void
-aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k)
+aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    const uint8_t npub[aegis128l_NPUBBYTES] = { 0 };
-
     memset(st_, 0, sizeof *st_);
     implementation->state_init(st_, NULL, 0, npub, k);
 }

diff --git a/src/aegis128x2/aegis128x2.c b/src/aegis128x2/aegis128x2.c
@@ -176,11 +176,8 @@ aegis128x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, co
 }
 
 void
-aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k)
+aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    const uint8_t npub[aegis128x2_NPUBBYTES] = { 0 };
-
-    memset(st_, 0, sizeof *st_);
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 

diff --git a/src/aegis128x4/aegis128x4.c b/src/aegis128x4/aegis128x4.c
@@ -177,11 +177,8 @@ aegis128x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, co
 }
 
 void
-aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k)
+aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    const uint8_t npub[aegis128x4_NPUBBYTES] = { 0 };
-
-    memset(st_, 0, sizeof *st_);
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 

diff --git a/src/aegis256/aegis256.c b/src/aegis256/aegis256.c
@@ -175,11 +175,8 @@ aegis256_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, cons
 }
 
 void
-aegis256_mac_init(aegis256_state *st_, const uint8_t *k)
+aegis256_mac_init(aegis256_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    const uint8_t npub[aegis256_NPUBBYTES] = { 0 };
-
-    memset(st_, 0, sizeof *st_);
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 

diff --git a/src/aegis256x2/aegis256x2.c b/src/aegis256x2/aegis256x2.c
@@ -176,11 +176,8 @@ aegis256x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, co
 }
 
 void
-aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k)
+aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    const uint8_t npub[aegis256x2_NPUBBYTES] = { 0 };
-
-    memset(st_, 0, sizeof *st_);
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 

diff --git a/src/aegis256x4/aegis256x4.c b/src/aegis256x4/aegis256x4.c
@@ -177,11 +177,8 @@ aegis256x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, co
 }
 
 void
-aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k)
+aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    const uint8_t npub[aegis256x4_NPUBBYTES] = { 0 };
-
-    memset(st_, 0, sizeof *st_);
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 

diff --git a/src/include/aegis128l.h b/src/include/aegis128l.h
@@ -258,7 +258,6 @@ void aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen
  * k: key input buffer (16 bytes)
  *
  * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
  * - If the key is secret, the MAC is secure against forgery.
  * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
  *
@@ -268,7 +267,7 @@ void aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen
  * with `aegis128l_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k);
+void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.

diff --git a/src/include/aegis128x2.h b/src/include/aegis128x2.h
@@ -258,7 +258,7 @@ void aegis128x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * k: key input buffer (16 bytes)
  *
  * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
+ * - The nonce MUST NOT be reused with the same key.
  * - If the key is secret, the MAC is secure against forgery.
  * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
  *
@@ -268,7 +268,7 @@ void aegis128x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * with `aegis128x2_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k);
+void aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.

diff --git a/src/include/aegis128x4.h b/src/include/aegis128x4.h
@@ -258,7 +258,7 @@ void aegis128x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * k: key input buffer (16 bytes)
  *
  * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
+ * - The nonce MUST NOT be reused with the same key.
  * - If the key is secret, the MAC is secure against forgery.
  * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
  *
@@ -268,7 +268,7 @@ void aegis128x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * with `aegis128x4_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k);
+void aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.

diff --git a/src/include/aegis256.h b/src/include/aegis256.h
@@ -258,7 +258,6 @@ void aegis256_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen,
  * k: key input buffer (32 bytes)
  *
  * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
  * - If the key is secret, the MAC is secure against forgery.
  * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
  *
@@ -268,7 +267,7 @@ void aegis256_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen,
  * with `aegis256_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis256_mac_init(aegis256_state *st_, const uint8_t *k);
+void aegis256_mac_init(aegis256_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.

diff --git a/src/include/aegis256x2.h b/src/include/aegis256x2.h
@@ -258,7 +258,7 @@ void aegis256x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * k: key input buffer (32 bytes)
  *
  * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
+ * - The nonce MUST NOT be reused with the same key.
  * - If the key is secret, the MAC is secure against forgery.
  * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
  *
@@ -268,7 +268,7 @@ void aegis256x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * with `aegis256x2_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k);
+void aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.

diff --git a/src/include/aegis256x4.h b/src/include/aegis256x4.h
@@ -258,7 +258,7 @@ void aegis256x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * k: key input buffer (32 bytes)
  *
  * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
+ * - The nonce MUST NOT be reused with the same key.
  * - If the key is secret, the MAC is secure against forgery.
  * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
  *
@@ -268,7 +268,7 @@ void aegis256x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
  * with `aegis256_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k);
+void aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.

diff --git a/src/test/benchmark.zig b/src/test/benchmark.zig
@@ -202,12 +202,14 @@ fn bench_aegis128x4() !void {
 
 fn bench_aegis128l_mac() !void {
     var key: [aegis.aegis128l_KEYBYTES]u8 = undefined;
+    var nonce: [aegis.aegis128l_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
     var st0: aegis.aegis128l_state = undefined;
 
     random.bytes(&key);
+    random.bytes(&nonce);
     random.bytes(&buf);
-    aegis.aegis128l_mac_init(&st0, &key);
+    aegis.aegis128l_mac_init(&st0, &key, &nonce);
 
     var timer = try Timer.start();
     const start = timer.lap();
@@ -228,12 +230,14 @@ fn bench_aegis128l_mac() !void {
 
 fn bench_aegis128x2_mac() !void {
     var key: [aegis.aegis128x2_KEYBYTES]u8 = undefined;
+    var nonce: [aegis.aegis128x2_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
     var st0: aegis.aegis128x2_state = undefined;
 
     random.bytes(&key);
+    random.bytes(&nonce);
     random.bytes(&buf);
-    aegis.aegis128x2_mac_init(&st0, &key);
+    aegis.aegis128x2_mac_init(&st0, &key, &nonce);
 
     var timer = try Timer.start();
     const start = timer.lap();
@@ -254,12 +258,14 @@ fn bench_aegis128x2_mac() !void {
 
 fn bench_aegis128x4_mac() !void {
     var key: [aegis.aegis128x4_KEYBYTES]u8 = undefined;
+    var nonce: [aegis.aegis128x4_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
     var st0: aegis.aegis128x4_state = undefined;
 
     random.bytes(&key);
+    random.bytes(&nonce);
     random.bytes(&buf);
-    aegis.aegis128x4_mac_init(&st0, &key);
+    aegis.aegis128x4_mac_init(&st0, &key, &nonce);
 
     var timer = try Timer.start();
     const start = timer.lap();
@@ -280,12 +286,14 @@ fn bench_aegis128x4_mac() !void {
 
 fn bench_aegis256_mac() !void {
     var key: [aegis.aegis256_KEYBYTES]u8 = undefined;
+    var nonce: [aegis.aegis256_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
     var st0: aegis.aegis256_state = undefined;
 
     random.bytes(&key);
+    random.bytes(&nonce);
     random.bytes(&buf);
-    aegis.aegis256_mac_init(&st0, &key);
+    aegis.aegis256_mac_init(&st0, &key, &nonce);
 
     var timer = try Timer.start();
     const start = timer.lap();
@@ -306,12 +314,14 @@ fn bench_aegis256_mac() !void {
 
 fn bench_aegis256x2_mac() !void {
     var key: [aegis.aegis256x2_KEYBYTES]u8 = undefined;
+    var nonce: [aegis.aegis256x2_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
     var st0: aegis.aegis256x2_state = undefined;
 
     random.bytes(&key);
+    random.bytes(&nonce);
     random.bytes(&buf);
-    aegis.aegis256x2_mac_init(&st0, &key);
+    aegis.aegis256x2_mac_init(&st0, &key, &nonce);
 
     var timer = try Timer.start();
     const start = timer.lap();
@@ -332,12 +342,14 @@ fn bench_aegis256x2_mac() !void {
 
 fn bench_aegis256x4_mac() !void {
     var key: [aegis.aegis256x4_KEYBYTES]u8 = undefined;
+    var nonce: [aegis.aegis256x2_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
     var st0: aegis.aegis256x4_state = undefined;
 
     random.bytes(&key);
+    random.bytes(&nonce);
     random.bytes(&buf);
-    aegis.aegis256x4_mac_init(&st0, &key);
+    aegis.aegis256x4_mac_init(&st0, &key, &nonce);
 
     var timer = try Timer.start();
     const start = timer.lap();

diff --git a/src/test/main.zig b/src/test/main.zig
@@ -627,10 +627,11 @@ test "aegis128l - Random stream" {
 
 test "aegis128l - MAC" {
     const key = [16]u8{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
+    const nonce = [_]u8{0} ** 16;
     const msg = [_]u8{ 1, 2, 3 } ** 100;
     const msg2 = [_]u8{ 4, 5, 6, 7, 8 } ** 100 ++ [_]u8{0};
     var st0: aegis.aegis128l_state = undefined;
-    aegis.aegis128l_mac_init(&st0, &key);
+    aegis.aegis128l_mac_init(&st0, &key, &nonce);
 
     var st: aegis.aegis128l_state = undefined;
     aegis.aegis128l_mac_state_clone(&st, &st0);
@@ -657,7 +658,6 @@ test "aegis128l - MAC" {
     ret = aegis.aegis128l_mac_verify(&st, &mac, mac.len);
     try testing.expectEqual(ret, 0);
 
-    const nonce = [_]u8{0} ** 16;
     var mac2: [mac.len]u8 = undefined;
     ret = aegis.aegis128l_encrypt_detached(&mac2, &mac2, mac2.len, "", 0, &msg3, msg3.len, &nonce, &key);
     try testing.expectEqual(ret, 0);
@@ -666,10 +666,11 @@ test "aegis128l - MAC" {
 
 test "aegis128x2 - MAC" {
     const key = [16]u8{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
+    const nonce = [_]u8{0} ** 16;
     const msg = [_]u8{ 1, 2, 3 } ** 100;
     const msg2 = [_]u8{ 4, 5, 6, 7, 8 } ** 100 ++ [_]u8{0};
     var st0: aegis.aegis128x2_state = undefined;
-    aegis.aegis128x2_mac_init(&st0, &key);
+    aegis.aegis128x2_mac_init(&st0, &key, &nonce);
 
     var st: aegis.aegis128x2_state = undefined;
     aegis.aegis128x2_mac_state_clone(&st, &st0);
@@ -696,7 +697,6 @@ test "aegis128x2 - MAC" {
     ret = aegis.aegis128x2_mac_verify(&st, &mac, mac.len);
     try testing.expectEqual(ret, 0);
 
-    const nonce = [_]u8{0} ** 16;
     var mac2: [mac.len]u8 = undefined;
     ret = aegis.aegis128x2_encrypt_detached(&mac2, &mac2, mac2.len, "", 0, &msg3, msg3.len, &nonce, &key);
     try testing.expectEqual(ret, 0);
@@ -705,10 +705,11 @@ test "aegis128x2 - MAC" {
 
 test "aegis128x4 - MAC" {
     const key = [16]u8{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
+    const nonce = [_]u8{0} ** 16;
     const msg = [_]u8{ 1, 2, 3 } ** 100 ++ [_]u8{0};
     const msg2 = [_]u8{ 4, 5, 6, 7, 8 } ** 100;
     var st0: aegis.aegis128x4_state = undefined;
-    aegis.aegis128x4_mac_init(&st0, &key);
+    aegis.aegis128x4_mac_init(&st0, &key, &nonce);
 
     var st: aegis.aegis128x4_state = undefined;
     aegis.aegis128x4_mac_state_clone(&st, &st0);
@@ -735,7 +736,6 @@ test "aegis128x4 - MAC" {
     ret = aegis.aegis128x4_mac_verify(&st, &mac, mac.len);
     try testing.expectEqual(ret, 0);
 
-    const nonce = [_]u8{0} ** 16;
     var mac2: [mac.len]u8 = undefined;
     ret = aegis.aegis128x4_encrypt_detached(&mac2, &mac2, mac2.len, "", 0, &msg3, msg3.len, &nonce, &key);
     try testing.expectEqual(ret, 0);