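/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Common values and helper functions for the NHPoly1305 hash function.
 *
 * NOTE(review): the ε = 2^{-128} figure quoted below is a bound for a keyed
 * construction.  It says nothing about unkeyed collision resistance, so this
 * should not be treated as a general-purpose digest.
 */

#ifndef _NHPOLY1305_H
#define _NHPOLY1305_H

#include <crypto/hash.h>
#include <crypto/internal/poly1305.h>

/* NH parameterization: */

/* Endianness: little */
/* Word size: 32 bits (works well on NEON, SSE2, AVX2) */

/* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */
#define NH_PAIR_STRIDE		2
/* Smallest NH input granule: 2 * 2 32-bit words = 16 bytes. */
#define NH_MESSAGE_UNIT		(NH_PAIR_STRIDE * 2 * sizeof(u32))

/* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */
#define NH_NUM_PASSES		4
/* NH output: one 64-bit word per pass = 32 bytes. */
#define NH_HASH_BYTES		(NH_NUM_PASSES * sizeof(u64))

/* Max message size: 1024 bytes (32x compression factor) */
#define NH_NUM_STRIDES		64
#define NH_MESSAGE_WORDS	(NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES)
#define NH_MESSAGE_BYTES	(NH_MESSAGE_WORDS * sizeof(u32))
/*
 * One message's worth of key words plus NH_PAIR_STRIDE * 2 extra words for
 * each pass after the first: 256 + 4 * 3 = 268 words (1072 bytes).
 */
#define NH_KEY_WORDS		(NH_MESSAGE_WORDS + \
				 NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1))
#define NH_KEY_BYTES		(NH_KEY_WORDS * sizeof(u32))

/*
 * Length of the raw key: a POLY1305_BLOCK_SIZE-byte part for Poly1305 plus the
 * NH key.  How the raw bytes are split between the two parts is decided by
 * crypto_nhpoly1305_setkey(), whose body is not in this header.
 */
#define NHPOLY1305_KEY_SIZE	(POLY1305_BLOCK_SIZE + NH_KEY_BYTES)

/*
 * Key material for one NHPoly1305 instance.
 *
 * poly_key is the Poly1305 core's own key representation, not the raw
 * POLY1305_BLOCK_SIZE bytes, so sizeof(struct nhpoly1305_key) must not be
 * assumed to equal NHPOLY1305_KEY_SIZE and the raw key must not be copied over
 * this struct wholesale.
 *
 * NOTE(review): both members are secret.  This header declares no wipe helper;
 * confirm that whatever owns this struct zeroizes it on teardown.
 */
struct nhpoly1305_key {
	struct poly1305_core_key poly_key;
	u32 nh_key[NH_KEY_WORDS];
};

/* Per-request hashing state, carried across update calls. */
struct nhpoly1305_state {

	/* Running total of polynomial evaluation */
	struct poly1305_state poly_state;

	/*
	 * Partial block buffer
	 *
	 * NOTE(review): presumably 'buflen' counts the valid bytes in 'buffer'
	 * and stays below NH_MESSAGE_UNIT; any copy into 'buffer' has to be
	 * bounded by that size.  Confirm against the update implementation.
	 */
	u8 buffer[NH_MESSAGE_UNIT];
	unsigned int buflen;

	/*
	 * Number of bytes remaining until the current NH message reaches
	 * NH_MESSAGE_BYTES.  When nonzero, 'nh_hash' holds the partial NH hash.
	 */
	unsigned int nh_remaining;

	/* NH_NUM_PASSES little-endian 64-bit words, i.e. NH_HASH_BYTES bytes. */
	__le64 nh_hash[NH_NUM_PASSES];
};

/*
 * Signature of an NH implementation, as passed to the *_helper() functions
 * below.
 *
 * The 'hash' parameter decays to a plain pointer, so the compiler does not
 * enforce the NH_NUM_PASSES bound; callers must supply that many elements.
 *
 * NOTE(review): this header states no constraint on 'message_len' or on the
 * length of 'key'.  Presumably message_len is a multiple of NH_MESSAGE_UNIT,
 * at most NH_MESSAGE_BYTES, and 'key' has enough words for every pass.
 * Confirm before adding a new implementation or call site.
 */
typedef void (*nh_t)(const u32 *key, const u8 *message, size_t message_len,
		     __le64 hash[NH_NUM_PASSES]);

/*
 * NOTE(review): presumably rejects any keylen other than NHPOLY1305_KEY_SIZE;
 * the check itself is not visible here, verify it in the implementation.
 */
int crypto_nhpoly1305_setkey(struct crypto_shash *tfm,
			     const u8 *key, unsigned int keylen);

/*
 * init/update/final entry points.  The *_helper() variants take the NH routine
 * to use as 'nh_fn'; presumably this lets CPU-specific code supply its own NH.
 *
 * 'dst' must have room for the full digest; the digest size is not defined in
 * this header.
 */
int crypto_nhpoly1305_init(struct shash_desc *desc);
int crypto_nhpoly1305_update(struct shash_desc *desc,
			     const u8 *src, unsigned int srclen);
int crypto_nhpoly1305_update_helper(struct shash_desc *desc,
				    const u8 *src, unsigned int srclen,
				    nh_t nh_fn);
int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst);
int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst,
				   nh_t nh_fn);

#endif /* _NHPOLY1305_H */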