Re: Counter Size in CTR mode for AES Driver

sri sowj <srisowj4linux@xxxxxxxxx> wrote:

> I have seen multiple open source drivers for AES(CTR) mode for
> different Crypto Hardware Engines, I was not really sure on
> countersize,nonce etc.
> Please can any one provide some info on the following

Not what you asked for, but in case it is useful here is the counter
management code from a version of the random(4) driver that
I am working on:


#include <linux/types.h>
#include <linux/spinlock.h>
#include <linux/bitops.h>	/* rol32() */

/*****************************************************************
 * 128-bit counter to mix in when hashing
 ****************************************************************/

/* 32-bit rotate left; use the kernel's own rol32() rather than a hand-rolled macro */
#define ROTL(x, n) rol32((x), (n))

static u32 iter_count = 0 ;
/* statically initialised so the lock is valid before the first count() call */
static DEFINE_SPINLOCK(counter_lock) ;

/*
 * constants are from SHA-1
 * ones in counter[] are used only once, in initialisation
 * then random data is mixed in there
 */
#define COUNTER_DELTA 0x67452301

static u32 counter[] = {0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0} ;

/*
 * Code is based on my own work in the Enchilada cipher:
 * https://aezoo.compute.dtu.dk/doku.php?id=enchilada
 *
 * Mix operations so Hamming weight changes more than for a simple
 * counter. This may not be strictly necessary, but a simple counter
 * can be considered safe only if you trust the crypto completely.
 * Low Hamming weight differences in inputs do allow some attacks on
 * block ciphers or hashes and the high bits of a large counter that
 * is only incremented do not change for aeons.
 *
 * The extra code here is cheap insurance.
 * Somewhat nonlinear since it uses +, XOR and rotation.
 *
 * For discussion, see mailing list thread starting at:
 * http://www.metzdowd.com/pipermail/cryptography/2014-May/021345.html
 */
static void count(void)
{
    spin_lock( &counter_lock ) ;

    /*
     * Limit the switch to < 256 cases
     * should work with any CPU & compiler
     *
     * Five constants used, all primes
     * roughly evenly spaced, around 50, 100, 150, 200, 250
     */
    switch( iter_count )    {
        /*
         * mix three array elements
         * each element is used twice
         * once on left, once on right
         * pattern is circular
         */
        case 47:
            counter[1] += counter[2] ;
            break ;
        case 101:
            counter[2] += counter[3] ;
            break ;
        case 197:
            counter[3] += counter[1] ;
            break ;
        /*
         * inject counter[0] into that loop
         * loop and counter[0] use +=
         * so use ^= here
         */
        case 149:
            counter[1] ^= counter[0] ;
            break ;
        /*
         * restart loop
         * include a rotation for nonlinearity
         * iter_count is unsigned: setting it to all-ones means
         * the increment below wraps it back to 0
         */
        case 251:
            counter[0] = ROTL( counter[0], 5) ;
            iter_count = (u32)-1 ;
            break ;
        /*
         * for 247 out of every 252 iterations
         * the switch does nothing
         */
        default:
            break ;
    }
    /*
     * counter[0] is almost purely a counter
     * uses += instead of ++ to change Hamming weight more
     * nothing above affects it, except the rotation
     */
    counter[0] += COUNTER_DELTA ;
    iter_count++ ;

    spin_unlock( &counter_lock ) ;
}
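As an added example, not part of this reply and not the random(4) driver's code: a user-space C port of the mixing schedule above, placed beside an ordinary 128-bit counter, with a small harness that measures the mean number of bits that flip between consecutive states. The constants, the five case values and the rotation are copied from the post; the 4096-step run length, the plain counter's word layout (w[0] is the low word) and the function names are my own choices.

```c
/* Added example: user-space port of the mixing counter from the post plus a
 * plain 128-bit counter, so the "Hamming weight changes more" claim can be
 * measured. Constants and case schedule come from the post; the harness,
 * the run length and the plain counter's layout are constructed here. */
#include <stdint.h>
#include <stdio.h>

#define COUNTER_DELTA 0x67452301u
#define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

struct ctr128 {
    uint32_t iter;   /* 0..251, drives the mixing schedule */
    uint32_t w[4];   /* w[0] is the "almost pure" counter word */
};

/* Initial words are the SHA-1 IV constants used in the post. */
static void ctr_init(struct ctr128 *c)
{
    c->iter = 0;
    c->w[0] = 0xEFCDAB89u; c->w[1] = 0x98BADCFEu;
    c->w[2] = 0x10325476u; c->w[3] = 0xC3D2E1F0u;
}

/* One step of the mixing counter: the same schedule as count() in the post. */
static void ctr_mix_step(struct ctr128 *c)
{
    switch (c->iter) {
    case 47:  c->w[1] += c->w[2]; break;
    case 101: c->w[2] += c->w[3]; break;
    case 197: c->w[3] += c->w[1]; break;
    case 149: c->w[1] ^= c->w[0]; break;
    case 251: c->w[0] = ROTL32(c->w[0], 5); c->iter = (uint32_t)-1; break;
    default:  break;
    }
    c->w[0] += COUNTER_DELTA;   /* always applied, as in the post */
    c->iter++;                  /* wraps to 0 right after case 251 */
}

/* One step of an ordinary 128-bit counter: increment w[0], carry upwards. */
static void ctr_plain_step(struct ctr128 *c)
{
    for (int i = 0; i < 4; i++) {
        if (++c->w[i] != 0)     /* no carry out of this word: done */
            break;
    }
}

static unsigned popcount32(uint32_t x)
{
    unsigned n = 0;
    for (; x; x &= x - 1) n++;  /* clear lowest set bit each round */
    return n;
}

/* Number of bit positions that differ between two 128-bit states. */
static unsigned hamming128(const struct ctr128 *a, const struct ctr128 *b)
{
    unsigned d = 0;
    for (int i = 0; i < 4; i++) d += popcount32(a->w[i] ^ b->w[i]);
    return d;
}

/* Mean number of bits flipped per step over n steps, for either stepper. */
static double mean_flips(void (*step)(struct ctr128 *), unsigned n)
{
    struct ctr128 cur, prev;
    unsigned long total = 0;
    ctr_init(&cur);
    for (unsigned i = 0; i < n; i++) {
        prev = cur;
        step(&cur);
        total += hamming128(&prev, &cur);
    }
    return (double)total / n;
}

double mean_flips_mixed(unsigned n) { return mean_flips(ctr_mix_step, n); }
double mean_flips_plain(unsigned n) { return mean_flips(ctr_plain_step, n); }

/* iter value after n mixing steps; shows the schedule wraps to 0 after 252. */
uint32_t mix_iter_after(unsigned n)
{
    struct ctr128 c;
    ctr_init(&c);
    for (unsigned i = 0; i < n; i++) ctr_mix_step(&c);
    return c.iter;
}

int main(void)
{
    printf("plain counter: %.3f bits change per step\n", mean_flips_plain(4096));
    printf("mixed counter: %.3f bits change per step\n", mean_flips_mixed(4096));
    return 0;
}
```

The plain counter averages just under two flipped bits per step (the low bit always flips, each higher bit half as often as the one below it), which is the low-Hamming-weight difference the post's comment refers to; the mixing schedule's use of a 12-bit-weight delta, the periodic cross-word additions and the rotation push that average well above it. The harness compares only successive states, which is the difference an attacker who sees consecutive counter inputs would be looking at.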