[RFC PATCH 2/3] Add API for initializing AEAD modes

Jussi Kivilinna jussi.kivilinna at iki.fi
Wed Oct 16 13:26:19 CEST 2013


On 16.10.2013 12:25, Werner Koch wrote:
> On Wed, 16 Oct 2013 11:05, jussi.kivilinna at iki.fi said:
> 
>> Ok, so we'd have
>>   gcry_cipher_authenticate (hd, const void *aadbuf, size_t aadbuflen,
>> 			    const void *tag, size_t taglen, size_t crypt_len)
>>
>> For encryption, tag is NULL pointer and taglen is zero and after encryption
>> authentication tag can be read with 'gcry_cipher_tag'. For decryption, tag
>> is given for authentication check with above function.
> 
> A last idea: What about two functions
> 
>   gcry_cipher_settag ()  -- To be used before decryption
>   gcry_cipher_gettag ()  -- to be used after encryption.
> 
> gcry_cipher_set_tag would actually look prettier but we already use
> setkey and setiv.  With these functions
> 
>   gcry_cipher_authenticate (hd, const void *aadbuf, size_t aadbuflen,
> 			    size_t crypt_len)
> 
> would be pretty easy to describe.  And a very last idea: What about
> renaming
> 
>   gcry_cipher_authenticate to gcry_cipher_setaad
> 
> ?

I started writing the following example to check if CCM would work with
these. The problem here is that CCM needs the authentication tag length for
the first CBC-MAC block. Maybe taglen could be given to CCM mode encryption
with gcry_cipher_settag(hd, NULL, taglen)?

CCM encryption, without AAD:

  gcry_cipher_setkey (hd, key, key_len);

  /* Set nonce.  */
  gcry_cipher_setiv (hd, nonce, nonce_len);

  /* No AAD, but for CCM need to set crypt_len.  */
  gcry_cipher_setaad (hd, NULL, 0, inbuf_len_1 + inbuf_len_2); <-- cannot initialize CBC-MAC, needs tag_len.

  /* Do encryption.  */
  gcry_cipher_encrypt (hd, outbuf_1, outbuf_len_1, inbuf_1, inbuf_len_1);
  /* More data... */
  gcry_cipher_encrypt (hd, outbuf_2, outbuf_len_2, inbuf_2, inbuf_len_2);

  /* Finalize and read tag.  */
  gcry_cipher_gettag (hd, tag, tag_len);


With OCB, if the AAD stays the same between messages, one can reuse the
preprocessed HASH(Key, AAD). The following example would process three messages,
where the first two have the same AAD and the last one has a zero-length AAD. Does this
look ok?

OCB encryption:

  gcry_cipher_setkey (hd, key, key_len);

  /* Process packet/message #1.  */

  /* Set nonce.  */
  gcry_cipher_setiv (hd, nonce_1, nonce_len);

  /* Set AAD.  */
  gcry_cipher_setaad (hd, aad, aadlen, 0);

  /* Do encryption.  */
  gcry_cipher_encrypt (hd, outbuf_1, inbuf_len_1, inbuf_1, inbuf_len_1);

  /* Finalize and read tag.  */
  gcry_cipher_gettag (hd, tag_1, tag_len);

  /*** Process next packet/message, #2.  */

  /* Same key and AAD (preprocessed).  */

  /* Set next nonce.  */
  gcry_cipher_setiv (hd, nonce_2, nonce_len);

  /* Do encryption.  */
  gcry_cipher_encrypt (hd, outbuf_2, inbuf_len_2, inbuf_2, inbuf_len_2);

  /* Finalize and read tag.  */
  gcry_cipher_gettag (hd, tag_2, tag_len);

  /*** Process next packet/message, #3.  */

  /* Same key and new AAD (empty).  */

  /* Set next nonce.  */
  gcry_cipher_setiv (hd, nonce_3, nonce_len);

  /* Set/clear AAD.  */
  gcry_cipher_setaad (hd, NULL, 0, 0);

  /* Do encryption.  */
  gcry_cipher_encrypt (hd, outbuf_3, inbuf_len_3, inbuf_3, inbuf_len_3);

  /* Finalize and read tag.  */
  gcry_cipher_gettag (hd, tag_3, tag_len);


-Jussi

>        
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
> 
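Added example (not libgcrypt code and not part of this thread): building CCM's first CBC-MAC block B_0 as RFC 3610 defines it, which shows why both the tag length and the total message length must be fixed before the first byte of data is processed. The function names are my own; the check uses RFC 3610 packet vector #1.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Build the first CBC-MAC block B_0 of CCM (RFC 3610, section 2.2).
   Layout: 1 flags byte | nonce (15 - L bytes) | message length (L bytes).
   flags = 64*Adata + 8*M' + L', with M' = (tag_len - 2) / 2 and L' = L - 1.
   Returns 0 on success, -1 if a parameter is outside CCM's allowed range. */
int ccm_build_b0 (uint8_t b0[16],
                  const uint8_t *nonce, size_t nonce_len,
                  size_t aad_len, size_t tag_len, uint64_t msg_len)
{
  size_t L, i;

  /* Nonce length 7..13 implies L = 15 - nonce_len in 2..8.  */
  if (nonce_len < 7 || nonce_len > 13)
    return -1;
  /* Tag length must be even and between 4 and 16 bytes.  */
  if (tag_len < 4 || tag_len > 16 || (tag_len % 2) != 0)
    return -1;
  L = 15 - nonce_len;
  /* Message length must fit into L bytes (L == 8 always fits).  */
  if (L < 8 && msg_len >= ((uint64_t)1 << (8 * L)))
    return -1;

  b0[0] = (uint8_t)((aad_len ? 64 : 0) | (((tag_len - 2) / 2) << 3) | (L - 1));
  memcpy (b0 + 1, nonce, nonce_len);
  /* Big-endian message length in the trailing L bytes.  */
  for (i = 0; i < L; i++)
    b0[15 - i] = (uint8_t)(msg_len >> (8 * i));
  return 0;
}

/* Check against RFC 3610 packet vector #1 (13-byte nonce, 8-byte AAD,
   23-byte message, 8-byte tag), whose CBC-MAC IV ("B_0") is published.
   Returns 1 on match, 0 otherwise. */
int ccm_b0_matches_rfc3610_vector1 (void)
{
  static const uint8_t nonce[13] =
    { 0x00,0x00,0x00,0x03,0x02,0x01,0x00,0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 };
  static const uint8_t expected[16] =
    { 0x59,0x00,0x00,0x00,0x03,0x02,0x01,0x00,
      0xA0,0xA1,0xA2,0xA3,0xA4,0xA5,0x00,0x17 };
  uint8_t b0[16];

  if (ccm_build_b0 (b0, nonce, sizeof nonce, 8, 8, 23) != 0)
    return 0;
  return memcmp (b0, expected, 16) == 0;
}
```

Because the flags byte encodes the tag length and the last L bytes encode the full message length, neither can be deferred to gettag time; this is the constraint the CCM sketch above runs into at the setaad call.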




More information about the Gcrypt-devel mailing list