XTS mode for disk sector encryption
rweather committed Feb 20, 2016
1 parent 4445547 commit b078357
Showing 7 changed files with 1,098 additions and 4 deletions.
2 changes: 1 addition & 1 deletion doc/crypto.dox
Expand Up @@ -27,7 +27,7 @@
\section crypto_algorithms Supported Algorithms

\li Block ciphers: AES128, AES192, AES256, Speck
\li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM
\li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM, XTS
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
2 changes: 1 addition & 1 deletion doc/mainpage.dox
Expand Up @@ -92,7 +92,7 @@ realtime clock and the LCD library to implement an alarm clock.
\section main_Crypto Cryptographic Library

\li Block ciphers: AES128, AES192, AES256, Speck
\li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM
\li Block cipher modes: CTR, CFB, CBC, OFB, EAX, GCM, XTS
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
95 changes: 93 additions & 2 deletions libraries/Crypto/GF128.cpp
Expand Up @@ -309,7 +309,7 @@ void GF128::mul(uint32_t Y[4], const uint32_t H[4])
* block, the modes multiply the nonce by 2 in the GF(2^128) field every
* block. This function is provided to help with implementing such modes.
*
* \sa dblEAX(), mul()
* \sa dblEAX(), dblXTS(), mul()
*/
void GF128::dbl(uint32_t V[4])
{
Expand Down Expand Up @@ -401,7 +401,7 @@ void GF128::dbl(uint32_t V[4])
* References: https://en.wikipedia.org/wiki/EAX_mode,
* http://web.cs.ucdavis.edu/~rogaway/papers/eax.html
*
* \sa dbl(), mul()
* \sa dbl(), dblXTS(), mul()
*/
void GF128::dblEAX(uint32_t V[4])
{
Expand Down Expand Up @@ -478,3 +478,94 @@ void GF128::dblEAX(uint32_t V[4])
V[3] = htobe32(V3);
#endif
}

/**
* \brief Doubles a value in the GF(2^128) field using XTS conventions.
*
* \param V The value to double, and the result. This array is
* assumed to be in littlen-endian order on entry and exit.
*
* This function differs from dbl() that it uses the conventions of XTS mode
* instead of those of NIST SP 800-38D (GCM). The two operations have
* equivalent security but the bits are ordered differently with the
* value shifted left instead of right.
*
* References: <a href="http://libeccio.di.unisa.it/Crypto14/Lab/p1619.pdf">IEEE Std. 1619-2007, XTS-AES</a>
*
* \sa dbl(), dblEAX(), mul()
*/
void GF128::dblXTS(uint32_t V[4])
{
#if defined(__AVR__)
__asm__ __volatile__ (
"ld r16,Z\n"
"ldd r17,Z+1\n"
"ldd r18,Z+2\n"
"ldd r19,Z+3\n"
"lsl r16\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"std Z+1,r17\n"
"std Z+2,r18\n"
"std Z+3,r19\n"
"ldd r17,Z+4\n"
"ldd r18,Z+5\n"
"ldd r19,Z+6\n"
"ldd r20,Z+7\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"rol r20\n"
"std Z+4,r17\n"
"std Z+5,r18\n"
"std Z+6,r19\n"
"std Z+7,r20\n"
"ldd r17,Z+8\n"
"ldd r18,Z+9\n"
"ldd r19,Z+10\n"
"ldd r20,Z+11\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"rol r20\n"
"std Z+8,r17\n"
"std Z+9,r18\n"
"std Z+10,r19\n"
"std Z+11,r20\n"
"ldd r17,Z+12\n"
"ldd r18,Z+13\n"
"ldd r19,Z+14\n"
"ldd r20,Z+15\n"
"rol r17\n"
"rol r18\n"
"rol r19\n"
"rol r20\n"
"std Z+12,r17\n"
"std Z+13,r18\n"
"std Z+14,r19\n"
"std Z+15,r20\n"
"mov r17,__zero_reg__\n"
"sbc r17,__zero_reg__\n"
"andi r17,0x87\n"
"eor r16,r17\n"
"st Z,r16\n"
: : "z"(V)
: "r16", "r17", "r18", "r19", "r20"
);
#else
uint32_t V0 = le32toh(V[0]);
uint32_t V1 = le32toh(V[1]);
uint32_t V2 = le32toh(V[2]);
uint32_t V3 = le32toh(V[3]);
uint32_t mask = ((~(V3 >> 31)) + 1) & 0x00000087;
V3 = (V3 << 1) | (V2 >> 31);
V2 = (V2 << 1) | (V1 >> 31);
V1 = (V1 << 1) | (V0 >> 31);
V0 = (V0 << 1) ^ mask;
V[0] = htole32(V0);
V[1] = htole32(V1);
V[2] = htole32(V2);
V[3] = htole32(V3);
#endif
}
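Review bot: The AVR `__asm__` block in `GF128::dblXTS` writes all 16 bytes of the tweak back through Z (the `std` stores after each four-byte group and the final `st Z,r16`) but its clobber list names only r16–r20 with no `"memory"` clobber, so the compiler is free to keep a cached copy of `V[]` in registers or move ordinary loads and stores across the statement; `__volatile__` only prevents the asm from being deleted or reordered against other volatile asm, not against plain memory accesses. That is harmless while the function is only ever reached through an out-of-line call, but it breaks silently under inlining or LTO, and the sibling `dbl()`/`dblEAX()` bodies lie outside the hunk so I cannot tell whether they share the pattern and should be fixed together. I would change the constraint line to `: : "z"(V) : "r16", "r17", "r18", "r19", "r20", "memory"`. The branch-free carry reduction (`mov`/`sbc`/`andi` on AVR, the `mask` expression in the portable path) is the right choice for a tweak update, and the portable path matches the IEEE 1619 byte-wise left shift with the 0x87 feedback into byte 0. The new doc comment has two slips worth fixing in the same commit: `littlen-endian` should read `little-endian`, and "differs from dbl() that it uses" should read "differs from dbl() in that it uses".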
1 change: 1 addition & 0 deletions libraries/Crypto/GF128.h
Expand Up @@ -36,6 +36,7 @@ class GF128
static void mul(uint32_t Y[4], const uint32_t H[4]);
static void dbl(uint32_t V[4]);
static void dblEAX(uint32_t V[4]);
static void dblXTS(uint32_t V[4]);
};

#endif