[RFC PATCH 2/3] Add API for initializing AEAD modes

Jussi Kivilinna jussi.kivilinna at iki.fi
Sat Oct 19 16:36:48 CEST 2013


On 16.10.2013 12:25, Werner Koch wrote:
> On Wed, 16 Oct 2013 11:05, jussi.kivilinna at iki.fi said:
> 
>> Ok, so we'd have
>>   gcry_cipher_authenticate (hd, const void *aadbuf, size_t aadbuflen,
>> 			    const void *tag, size_t taglen, size_t crypt_len)
>>
>> For encryption, tag is NULL pointer and taglen is zero and after encryption
>> authentication tag can be read with 'gcry_cipher_tag'. For decryption, tag
>> is given for authentication check with above function.
> 
> A last idea: What about two functions
> 
>   gcry_cipher_settag ()  -- To be used before decryption
>   gcry_cipher_gettag ()  -- to be used after encryption.

For some modes, gettag would need to be used for decryption too.

For example, GCM does not need the encrypted data length beforehand, so
for decryption (and for encryption) one needs to mark the end of the encrypted
data with a gcry_cipher_gettag call.

So we'd have GCM encryption as:
  gcry_cipher_setiv(h, nonce, noncelen);
  gcry_cipher_setaad(h, aad, aadlen, 0);
  gcry_cipher_encrypt(h, buf1, len1, NULL, 0);
  gcry_cipher_encrypt(h, buf2, len2, NULL, 0);
  ...
  gcry_cipher_encrypt(h, bufX, lenX, NULL, 0);
  gcry_cipher_gettag(h, tag, 8); /* Mark end of data stream, output tag.  */

and decryption:
  gcry_cipher_setiv(h, nonce, noncelen);
  gcry_cipher_setaad(h, aad, aadlen, 0);
  gcry_cipher_settag(h, tag, 8);
  gcry_cipher_decrypt(h, buf1, len1, NULL, 0);
  gcry_cipher_decrypt(h, buf2, len2, NULL, 0);
  ...
  gcry_cipher_decrypt(h, bufX, lenX, NULL, 0);
  gcry_cipher_gettag(h, NULL, 0); /* Mark end of data stream,
                                     return 'checksum failed' if tags mismatch.
                                   */

So, renaming settag to checktag might be better:
  gcry_cipher_setiv(h, nonce, noncelen);
  gcry_cipher_setaad(h, aad, aadlen, 0);
  gcry_cipher_decrypt(h, buf1, len1, NULL, 0);
  gcry_cipher_decrypt(h, buf2, len2, NULL, 0);
  ...
  gcry_cipher_decrypt(h, bufX, lenX, NULL, 0);
  gcry_cipher_checktag(h, tag, 8); /* Mark end of data stream,
                                      return 'checksum failed' if tags mismatch.
                                    */

But CCM would still need the tag length passed in before setaad.
So do I add 'taglen' argument to setaad?
Or just add gcry_cipher_ctl command to pass CCM specific values
(encryptlen, taglen)?

-Jussi

> 
> gcry_cipher_set_tag would actually look prettier but we already use
> setkey and setiv.  With these functions
> 
>   gcry_cipher_authenticate (hd, const void *aadbuf, size_t aadbuflen,
> 			    size_t crypt_len)
> 
> would be pretty easy to describe.  And a very last idea: What about
> renaming
> 
>   gcry_cipher_authenticate to gcry_cipher_setaad
> 
> ?
>        
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
> 

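The call sequences sketched in the message above (setiv, setaad, chunked encrypt or decrypt, then gettag or checktag to mark the end of the stream, and a CCM-style mode that must know the lengths before any AAD) as an added example in Python. This is not code from the thread and not libgcrypt; it models the API state machine with a constructed encrypt-then-MAC composition (HMAC-SHA256 keystream blocks and an HMAC-SHA256 tag with length framing) so that it runs with the standard library alone. The class, method and exception names are assumptions chosen to mirror the proposed names, and the `require_lengths` flag stands in for the CCM-specific length commitment.

```python
import hashlib
import hmac
import struct


class TagMismatch(Exception):
    """Raised by checktag() when the authentication tag does not verify."""


class StreamingAead:
    """Constructed encrypt-then-MAC AEAD showing the setiv/setaad/encrypt/
    gettag/checktag call sequence.  Not GCM, not CCM, not libgcrypt code."""

    def __init__(self, key: bytes, require_lengths: bool = False):
        if len(key) != 32:
            raise ValueError("key must be 32 bytes")
        # Derive separate encryption and MAC keys from the one input key.
        self._k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        # True models a CCM-like mode whose first MAC block commits to the
        # data, AAD and tag lengths, so they must be known before any AAD.
        self._require_lengths = require_lengths
        self._stage = "idle"

    def setiv(self, nonce: bytes) -> None:
        """Start a new message (mirrors gcry_cipher_setiv)."""
        self._nonce, self._counter, self._ks_buf = nonce, 0, b""
        self._aad_len = self._ct_len = 0
        self._lengths = None
        self._mac = hmac.new(self._k_mac, b"L" if self._require_lengths else b"S",
                             hashlib.sha256)
        self._mac.update(struct.pack(">Q", len(nonce)) + nonce)
        self._stage = "aad"  # aad -> data -> done

    def set_lengths(self, data_len: int, aad_len: int, tag_len: int) -> None:
        """CCM-style length commitment; must follow setiv and precede setaad."""
        if self._stage != "aad" or self._aad_len:
            raise RuntimeError("lengths must be set right after setiv")
        self._lengths = (data_len, aad_len, tag_len)
        self._mac.update(struct.pack(">QQB", data_len, aad_len, tag_len))

    def setaad(self, aad: bytes) -> None:
        """Feed associated data; only legal before the first data chunk."""
        if self._stage != "aad":
            raise RuntimeError("setaad must follow setiv and precede any data")
        if self._require_lengths and self._lengths is None:
            raise RuntimeError("this mode needs lengths before AAD (CCM-style)")
        self._mac.update(aad)
        self._aad_len += len(aad)

    def _close_aad(self) -> None:
        if self._stage == "aad":
            self._mac.update(struct.pack(">Q", self._aad_len))
            self._stage = "data"
        elif self._stage != "data":
            raise RuntimeError("no message in progress; call setiv first")

    def _xor_keystream(self, data: bytes) -> bytes:
        # Keystream is buffered so chunk boundaries do not change the output.
        while len(self._ks_buf) < len(data):
            ctr = self._nonce + struct.pack(">Q", self._counter)
            self._ks_buf += hmac.new(self._k_enc, ctr, hashlib.sha256).digest()
            self._counter += 1
        ks, self._ks_buf = self._ks_buf[:len(data)], self._ks_buf[len(data):]
        return bytes(a ^ b for a, b in zip(data, ks))

    def encrypt(self, plaintext: bytes) -> bytes:
        self._close_aad()
        ct = self._xor_keystream(plaintext)
        self._mac.update(ct)
        self._ct_len += len(ct)
        return ct

    def decrypt(self, ciphertext: bytes) -> bytes:
        # Plaintext is released before the tag is known: the caller must not
        # act on it until checktag() has passed.
        self._close_aad()
        self._mac.update(ciphertext)
        self._ct_len += len(ciphertext)
        return self._xor_keystream(ciphertext)

    def _finish(self, tag_len: int) -> bytes:
        self._close_aad()
        if self._lengths is not None and self._lengths != (self._ct_len, self._aad_len, tag_len):
            raise ValueError("actual lengths differ from the committed lengths")
        self._mac.update(struct.pack(">Q", self._ct_len))
        self._stage = "done"
        return self._mac.digest()[:tag_len]

    def gettag(self, tag_len: int = 16) -> bytes:
        """Mark end of stream after encryption and return the tag."""
        return self._finish(tag_len)

    def checktag(self, tag: bytes) -> None:
        """Mark end of stream after decryption; raise on mismatch."""
        if not hmac.compare_digest(self._finish(len(tag)), tag):
            raise TagMismatch("checksum failed")


def verify(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes) -> bool:
    """Decrypt-and-check helper returning True only when the tag verifies."""
    h = StreamingAead(key)
    h.setiv(nonce)
    h.setaad(aad)
    h.decrypt(ct)
    try:
        h.checktag(tag)
        return True
    except TagMismatch:
        return False


def roundtrip_demo():
    # Constructed sample inputs; the message is encrypted in two chunks.
    key, nonce, aad = bytes(range(32)), b"\x00" * 12, b"header"
    msg = b"The quick brown fox jumps over the lazy dog"
    enc = StreamingAead(key)
    enc.setiv(nonce)
    enc.setaad(aad)
    ct = enc.encrypt(msg[:10]) + enc.encrypt(msg[10:])
    tag = enc.gettag(16)
    dec = StreamingAead(key)
    dec.setiv(nonce)
    dec.setaad(aad)
    pt = dec.decrypt(ct)
    dec.checktag(tag)
    return ct, tag, pt
```

The point the state machine makes explicit is the one the thread circles around: with a streaming interface the tag can only be produced or checked once the caller signals end of stream, so decrypt() has already handed back plaintext before checktag() runs. Callers must buffer or otherwise refrain from acting on that plaintext until checktag() returns without error, and the comparison is done with hmac.compare_digest so that a wrong tag fails in constant time.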