1 // GoGOST -- Pure Go GOST cryptographic functions library
2 // Copyright (C) 2015-2020 Sergey Matveev <stargrave@stargrave.org>
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, version 3 of the License.
8 // This program is distributed in the hope that it will be useful,
9 // but WITHOUT ANY WARRANTY; without even the implied warranty of
10 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 // GNU General Public License for more details.
13 // You should have received a copy of the GNU General Public License
14 // along with this program. If not, see <http://www.gnu.org/licenses/>.
16 // Multilinear Galois Mode (MGM) block cipher mode.
28 R64 *big.Int = big.NewInt(0)
29 R128 *big.Int = big.NewInt(0)
34 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1b,
37 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
38 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87,
61 func NewMGM(cipher cipher.Block, tagSize int) (cipher.AEAD, error) {
62 blockSize := cipher.BlockSize()
63 if !(blockSize == 8 || blockSize == 16) {
64 return nil, errors.New("gogost/mgm: only 64/128 blocksizes allowed")
66 if tagSize < 4 || tagSize > blockSize {
67 return nil, errors.New("gogost/mgm: invalid tag size")
70 maxSize: uint64(1<<uint(blockSize*8/2) - 1),
74 icn: make([]byte, blockSize),
75 bufP: make([]byte, blockSize),
76 bufC: make([]byte, blockSize),
77 padded: make([]byte, blockSize),
78 sum: make([]byte, blockSize),
82 mulBuf: make([]byte, blockSize),
94 func (mgm *MGM) NonceSize() int {
98 func (mgm *MGM) Overhead() int {
102 func incr(data []byte) {
103 for i := len(data) - 1; i >= 0; i-- {
111 func xor(dst, src1, src2 []byte) {
112 for i := 0; i < len(src1); i++ {
113 dst[i] = src1[i] ^ src2[i]
117 func (mgm *MGM) validateNonce(nonce []byte) {
118 if len(nonce) != mgm.blockSize {
119 panic("nonce length must be equal to cipher's blocksize")
121 if nonce[0]&0x80 > 0 {
122 panic("nonce must not have higher bit set")
126 func (mgm *MGM) validateSizes(text, additionalData []byte) {
127 if len(text) == 0 && len(additionalData) == 0 {
128 panic("at least either *text or additionalData must be provided")
130 if uint64(len(additionalData)) > mgm.maxSize {
131 panic("additionalData is too big")
133 if uint64(len(text)+len(additionalData)) > mgm.maxSize {
134 panic("*text with additionalData are too big")
138 func (mgm *MGM) auth(out, text, ad []byte) {
139 for i := 0; i < mgm.blockSize; i++ {
143 textLen := len(text) * 8
145 mgm.cipher.Encrypt(mgm.bufP, mgm.icn) // Z_1 = E_K(1 || ICN)
146 for len(ad) >= mgm.blockSize {
147 mgm.cipher.Encrypt(mgm.bufC, mgm.bufP) // H_i = E_K(Z_i)
148 xor( // sum (xor)= H_i (x) A_i
151 mgm.mul(mgm.bufC, ad[:mgm.blockSize]),
153 incr(mgm.bufP[:mgm.blockSize/2]) // Z_{i+1} = incr_l(Z_i)
154 ad = ad[mgm.blockSize:]
158 for i := len(ad); i < mgm.blockSize; i++ {
161 mgm.cipher.Encrypt(mgm.bufC, mgm.bufP)
162 xor(mgm.sum, mgm.sum, mgm.mul(mgm.bufC, mgm.padded))
163 incr(mgm.bufP[:mgm.blockSize/2])
166 for len(text) >= mgm.blockSize {
167 mgm.cipher.Encrypt(mgm.bufC, mgm.bufP) // H_{h+j} = E_K(Z_{h+j})
168 xor( // sum (xor)= H_{h+j} (x) C_j
171 mgm.mul(mgm.bufC, text[:mgm.blockSize]),
173 incr(mgm.bufP[:mgm.blockSize/2]) // Z_{h+j+1} = incr_l(Z_{h+j})
174 text = text[mgm.blockSize:]
177 copy(mgm.padded, text)
178 for i := len(text); i < mgm.blockSize; i++ {
181 mgm.cipher.Encrypt(mgm.bufC, mgm.bufP)
182 xor(mgm.sum, mgm.sum, mgm.mul(mgm.bufC, mgm.padded))
183 incr(mgm.bufP[:mgm.blockSize/2])
186 mgm.cipher.Encrypt(mgm.bufP, mgm.bufP) // H_{h+q+1} = E_K(Z_{h+q+1})
188 if mgm.blockSize == 8 {
189 binary.BigEndian.PutUint32(mgm.bufC, uint32(adLen))
190 binary.BigEndian.PutUint32(mgm.bufC[mgm.blockSize/2:], uint32(textLen))
192 binary.BigEndian.PutUint64(mgm.bufC, uint64(adLen))
193 binary.BigEndian.PutUint64(mgm.bufC[mgm.blockSize/2:], uint64(textLen))
195 // sum (xor)= H_{h+q+1} (x) (len(A) || len(C))
196 xor(mgm.sum, mgm.sum, mgm.mul(mgm.bufP, mgm.bufC))
197 mgm.cipher.Encrypt(mgm.bufP, mgm.sum) // E_K(sum)
198 copy(out, mgm.bufP[:mgm.tagSize]) // MSB_S(E_K(sum))
201 func (mgm *MGM) crypt(out, in []byte) {
203 mgm.cipher.Encrypt(mgm.bufP, mgm.icn) // Y_1 = E_K(0 || ICN)
204 for len(in) >= mgm.blockSize {
205 mgm.cipher.Encrypt(mgm.bufC, mgm.bufP) // E_K(Y_i)
206 xor(out, mgm.bufC, in) // C_i = P_i (xor) E_K(Y_i)
207 incr(mgm.bufP[mgm.blockSize/2:]) // Y_i = incr_r(Y_{i-1})
208 out = out[mgm.blockSize:]
209 in = in[mgm.blockSize:]
212 mgm.cipher.Encrypt(mgm.bufC, mgm.bufP)
213 xor(out, in, mgm.bufC)
217 func (mgm *MGM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
218 mgm.validateNonce(nonce)
219 mgm.validateSizes(plaintext, additionalData)
220 if uint64(len(plaintext)) > mgm.maxSize {
221 panic("plaintext is too big")
223 ret, out := sliceForAppend(dst, len(plaintext)+mgm.tagSize)
225 mgm.crypt(out, plaintext)
227 out[len(plaintext):len(plaintext)+mgm.tagSize],
228 out[:len(plaintext)],
234 func (mgm *MGM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
235 mgm.validateNonce(nonce)
236 mgm.validateSizes(ciphertext, additionalData)
237 if uint64(len(ciphertext)-mgm.tagSize) > mgm.maxSize {
238 panic("ciphertext is too big")
240 ret, out := sliceForAppend(dst, len(ciphertext)-mgm.tagSize)
241 ct := ciphertext[:len(ciphertext)-mgm.tagSize]
243 mgm.auth(mgm.sum, ct, additionalData)
244 if !hmac.Equal(mgm.sum[:mgm.tagSize], ciphertext[len(ciphertext)-mgm.tagSize:]) {
245 return nil, errors.New("gogost/mgm: invalid authentication tag")