include/crypto/nhpoly1305.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 /*
0003  * Common values and helper functions for the NHPoly1305 hash function.
0004  */
0005
0006 #ifndef _NHPOLY1305_H
0007 #define _NHPOLY1305_H
0008
0009 #include <crypto/hash.h>
0010 #include <crypto/internal/poly1305.h>
0011
0012 /* NH parameterization: */
0013
0014 /* Endianness: little */
0015 /* Word size: 32 bits (works well on NEON, SSE2, AVX2) */
0016
0017 /* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */
0018 #define NH_PAIR_STRIDE      2
0019 #define NH_MESSAGE_UNIT     (NH_PAIR_STRIDE * 2 * sizeof(u32))
0020
0021 /* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */
0022 #define NH_NUM_PASSES       4
0023 #define NH_HASH_BYTES       (NH_NUM_PASSES * sizeof(u64))
0024
0025 /* Max message size: 1024 bytes (32x compression factor) */
0026 #define NH_NUM_STRIDES      64
0027 #define NH_MESSAGE_WORDS    (NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES)
0028 #define NH_MESSAGE_BYTES    (NH_MESSAGE_WORDS * sizeof(u32))
0029 #define NH_KEY_WORDS        (NH_MESSAGE_WORDS + \
0030                  NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1))
0031 #define NH_KEY_BYTES        (NH_KEY_WORDS * sizeof(u32))
0032
0033 #define NHPOLY1305_KEY_SIZE (POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
0034
0035 struct nhpoly1305_key {
0036     struct poly1305_core_key poly_key;
0037     u32 nh_key[NH_KEY_WORDS];
0038 };
0039
0040 struct nhpoly1305_state {
0041
0042     /* Running total of polynomial evaluation */
0043     struct poly1305_state poly_state;
0044
0045     /* Partial block buffer */
0046     u8 buffer[NH_MESSAGE_UNIT];
0047     unsigned int buflen;
0048
0049     /*
0050      * Number of bytes remaining until the current NH message reaches
0051      * NH_MESSAGE_BYTES.  When nonzero, 'nh_hash' holds the partial NH hash.
0052      */
0053     unsigned int nh_remaining;
0054
0055     __le64 nh_hash[NH_NUM_PASSES];
0056 };
0057
0058 typedef void (*nh_t)(const u32 *key, const u8 *message, size_t message_len,
0059              __le64 hash[NH_NUM_PASSES]);
0060
0061 int crypto_nhpoly1305_setkey(struct crypto_shash *tfm,
0062                  const u8 *key, unsigned int keylen);
0063
0064 int crypto_nhpoly1305_init(struct shash_desc *desc);
0065 int crypto_nhpoly1305_update(struct shash_desc *desc,
0066                  const u8 *src, unsigned int srclen);
0067 int crypto_nhpoly1305_update_helper(struct shash_desc *desc,
0068                     const u8 *src, unsigned int srclen,
0069                     nh_t nh_fn);
0070 int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst);
0071 int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst,
0072                    nh_t nh_fn);
0073
0074 #endif /* _NHPOLY1305_H */