freebsd-dev/sys/crypto/siphash/siphash.c

243 lines
6.0 KiB
C
Raw Normal View History

SipHash is a cryptographically strong pseudo-random function (a.k.a. keyed hash function) optimized for speed on short messages returning a 64bit hash/ digest value. SipHash is simpler and much faster than other secure MACs and competitive in speed with popular non-cryptographic hash functions. It uses a 128-bit key without the hidden cost of a key expansion step. SipHash iterates a simple round function consisting of four additions, four xors, and six rotations, interleaved with xors of message blocks for a pre-defined number of compression and finalization rounds. The absence of secret load/store addresses or secret branch conditions avoid timing attacks. No state is shared between messages. Hashing is deterministic and doesn't use nonces. It is not susceptible to length extension attacks. Target applications include network traffic authentication, message authentication (MAC) and hash-tables protection against hash-flooding denial-of-service attacks. The number of update/finalization rounds is defined during initialization: SipHash24_Init() for the fast and reasonable strong version. SipHash48_Init() for the strong version (half as fast). SipHash usage is similar to other hash functions: struct SIPHASH_CTX ctx; char *k = "16bytes long key" char *s = "string"; uint64_t h = 0; SipHash24_Init(&ctx); SipHash_SetKey(&ctx, k); SipHash_Update(&ctx, s, strlen(s)); SipHash_Final(&h, &ctx); /* or */ h = SipHash_End(&ctx); /* or */ h = SipHash24(&ctx, k, s, strlen(s)); It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and is described in the paper "SipHash: a fast short-input PRF", 2012.09.18: https://131002.net/siphash/siphash.pdf Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa Implemented by: andre (based on the paper) Reviewed by: cperciva
2013-07-11 14:18:38 +00:00
/*-
* Copyright (c) 2013 Andre Oppermann <andre@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d
* are the number of compression rounds and the number of finalization rounds.
* A compression round is identical to a finalization round and this round
* function is called SipRound. Given a 128-bit key k and a (possibly empty)
* byte string m, SipHash-c-d returns a 64-bit value SipHash-c-d(k; m).
*
* Implemented from the paper "SipHash: a fast short-input PRF", 2012.09.18,
* by Jean-Philippe Aumasson and Daniel J. Bernstein,
* Permanent Document ID b9a943a805fbfc6fde808af9fc0ecdfa
* https://131002.net/siphash/siphash.pdf
* https://131002.net/siphash/
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/systm.h>
#include <sys/libkern.h>
#include <sys/endian.h>
#include <crypto/siphash/siphash.h>
static void SipRounds(SIPHASH_CTX *ctx, int final);
void
SipHash_InitX(SIPHASH_CTX *ctx, int rc, int rf)
{
ctx->v[0] = 0x736f6d6570736575ull;
ctx->v[1] = 0x646f72616e646f6dull;
ctx->v[2] = 0x6c7967656e657261ull;
ctx->v[3] = 0x7465646279746573ull;
ctx->buf.b64 = 0;
ctx->bytes = 0;
ctx->buflen = 0;
ctx->rounds_compr = rc;
ctx->rounds_final = rf;
ctx->initialized = 1;
}
void
SipHash_SetKey(SIPHASH_CTX *ctx, const uint8_t key[16])
{
uint64_t k[2];
KASSERT(ctx->v[0] == 0x736f6d6570736575ull &&
ctx->initialized == 1,
("%s: context %p not properly initialized", __func__, ctx));
k[0] = le64dec(&key[0]);
k[1] = le64dec(&key[8]);
ctx->v[0] ^= k[0];
ctx->v[1] ^= k[1];
ctx->v[2] ^= k[0];
ctx->v[3] ^= k[1];
ctx->initialized = 2;
}
static size_t
SipBuf(SIPHASH_CTX *ctx, const uint8_t **src, size_t len, int final)
{
size_t x = 0;
KASSERT((!final && len > 0) || (final && len == 0),
("%s: invalid parameters", __func__));
if (!final) {
x = MIN(len, sizeof(ctx->buf.b64) - ctx->buflen);
bcopy(*src, &ctx->buf.b8[ctx->buflen], x);
ctx->buflen += x;
*src += x;
} else
ctx->buf.b8[7] = (uint8_t)ctx->bytes;
if (ctx->buflen == 8 || final) {
ctx->v[3] ^= le64toh(ctx->buf.b64);
SipRounds(ctx, 0);
ctx->v[0] ^= le64toh(ctx->buf.b64);
ctx->buf.b64 = 0;
ctx->buflen = 0;
}
return (x);
}
void
SipHash_Update(SIPHASH_CTX *ctx, const void *src, size_t len)
{
uint64_t m;
const uint64_t *p;
SipHash is a cryptographically strong pseudo-random function (a.k.a. keyed hash function) optimized for speed on short messages returning a 64bit hash/ digest value. SipHash is simpler and much faster than other secure MACs and competitive in speed with popular non-cryptographic hash functions. It uses a 128-bit key without the hidden cost of a key expansion step. SipHash iterates a simple round function consisting of four additions, four xors, and six rotations, interleaved with xors of message blocks for a pre-defined number of compression and finalization rounds. The absence of secret load/store addresses or secret branch conditions avoid timing attacks. No state is shared between messages. Hashing is deterministic and doesn't use nonces. It is not susceptible to length extension attacks. Target applications include network traffic authentication, message authentication (MAC) and hash-tables protection against hash-flooding denial-of-service attacks. The number of update/finalization rounds is defined during initialization: SipHash24_Init() for the fast and reasonable strong version. SipHash48_Init() for the strong version (half as fast). SipHash usage is similar to other hash functions: struct SIPHASH_CTX ctx; char *k = "16bytes long key" char *s = "string"; uint64_t h = 0; SipHash24_Init(&ctx); SipHash_SetKey(&ctx, k); SipHash_Update(&ctx, s, strlen(s)); SipHash_Final(&h, &ctx); /* or */ h = SipHash_End(&ctx); /* or */ h = SipHash24(&ctx, k, s, strlen(s)); It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and is described in the paper "SipHash: a fast short-input PRF", 2012.09.18: https://131002.net/siphash/siphash.pdf Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa Implemented by: andre (based on the paper) Reviewed by: cperciva
2013-07-11 14:18:38 +00:00
const uint8_t *s;
size_t rem;
KASSERT(ctx->initialized == 2,
("%s: context %p not properly initialized", __func__, ctx));
s = src;
ctx->bytes += len;
/*
* Push length smaller than block size into buffer or
* fill up the buffer if there is already something
* in it.
*/
if (ctx->buflen > 0 || len < 8)
len -= SipBuf(ctx, &s, len, 0);
if (len == 0)
return;
rem = len & 0x7;
len >>= 3;
/* Optimze for 64bit aligned/unaligned access. */
if (((uintptr_t)s & 0x7) == 0) {
for (p = (const uint64_t *)s; len > 0; len--, p++) {
SipHash is a cryptographically strong pseudo-random function (a.k.a. keyed hash function) optimized for speed on short messages returning a 64bit hash/ digest value. SipHash is simpler and much faster than other secure MACs and competitive in speed with popular non-cryptographic hash functions. It uses a 128-bit key without the hidden cost of a key expansion step. SipHash iterates a simple round function consisting of four additions, four xors, and six rotations, interleaved with xors of message blocks for a pre-defined number of compression and finalization rounds. The absence of secret load/store addresses or secret branch conditions avoid timing attacks. No state is shared between messages. Hashing is deterministic and doesn't use nonces. It is not susceptible to length extension attacks. Target applications include network traffic authentication, message authentication (MAC) and hash-tables protection against hash-flooding denial-of-service attacks. The number of update/finalization rounds is defined during initialization: SipHash24_Init() for the fast and reasonable strong version. SipHash48_Init() for the strong version (half as fast). SipHash usage is similar to other hash functions: struct SIPHASH_CTX ctx; char *k = "16bytes long key" char *s = "string"; uint64_t h = 0; SipHash24_Init(&ctx); SipHash_SetKey(&ctx, k); SipHash_Update(&ctx, s, strlen(s)); SipHash_Final(&h, &ctx); /* or */ h = SipHash_End(&ctx); /* or */ h = SipHash24(&ctx, k, s, strlen(s)); It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and is described in the paper "SipHash: a fast short-input PRF", 2012.09.18: https://131002.net/siphash/siphash.pdf Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa Implemented by: andre (based on the paper) Reviewed by: cperciva
2013-07-11 14:18:38 +00:00
m = le64toh(*p);
ctx->v[3] ^= m;
SipRounds(ctx, 0);
ctx->v[0] ^= m;
}
s = (const uint8_t *)p;
SipHash is a cryptographically strong pseudo-random function (a.k.a. keyed hash function) optimized for speed on short messages returning a 64bit hash/ digest value. SipHash is simpler and much faster than other secure MACs and competitive in speed with popular non-cryptographic hash functions. It uses a 128-bit key without the hidden cost of a key expansion step. SipHash iterates a simple round function consisting of four additions, four xors, and six rotations, interleaved with xors of message blocks for a pre-defined number of compression and finalization rounds. The absence of secret load/store addresses or secret branch conditions avoid timing attacks. No state is shared between messages. Hashing is deterministic and doesn't use nonces. It is not susceptible to length extension attacks. Target applications include network traffic authentication, message authentication (MAC) and hash-tables protection against hash-flooding denial-of-service attacks. The number of update/finalization rounds is defined during initialization: SipHash24_Init() for the fast and reasonable strong version. SipHash48_Init() for the strong version (half as fast). SipHash usage is similar to other hash functions: struct SIPHASH_CTX ctx; char *k = "16bytes long key" char *s = "string"; uint64_t h = 0; SipHash24_Init(&ctx); SipHash_SetKey(&ctx, k); SipHash_Update(&ctx, s, strlen(s)); SipHash_Final(&h, &ctx); /* or */ h = SipHash_End(&ctx); /* or */ h = SipHash24(&ctx, k, s, strlen(s)); It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and is described in the paper "SipHash: a fast short-input PRF", 2012.09.18: https://131002.net/siphash/siphash.pdf Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa Implemented by: andre (based on the paper) Reviewed by: cperciva
2013-07-11 14:18:38 +00:00
} else {
for (; len > 0; len--, s += 8) {
m = le64dec(s);
ctx->v[3] ^= m;
SipRounds(ctx, 0);
ctx->v[0] ^= m;
}
}
/* Push remainder into buffer. */
if (rem > 0)
(void)SipBuf(ctx, &s, rem, 0);
}
void
SipHash_Final(void *dst, SIPHASH_CTX *ctx)
{
uint64_t r;
KASSERT(ctx->initialized == 2,
("%s: context %p not properly initialized", __func__, ctx));
r = SipHash_End(ctx);
le64enc(dst, r);
}
uint64_t
SipHash_End(SIPHASH_CTX *ctx)
{
uint64_t r;
KASSERT(ctx->initialized == 2,
("%s: context %p not properly initialized", __func__, ctx));
SipBuf(ctx, NULL, 0, 1);
ctx->v[2] ^= 0xff;
SipRounds(ctx, 1);
r = (ctx->v[0] ^ ctx->v[1]) ^ (ctx->v[2] ^ ctx->v[3]);
bzero(ctx, sizeof(*ctx));
return (r);
}
uint64_t
SipHashX(SIPHASH_CTX *ctx, int rc, int rf, const uint8_t key[16],
const void *src, size_t len)
{
SipHash_InitX(ctx, rc, rf);
SipHash_SetKey(ctx, key);
SipHash_Update(ctx, src, len);
return (SipHash_End(ctx));
}
#define SIP_ROTL(x, b) (uint64_t)(((x) << (b)) | ( (x) >> (64 - (b))))
static void
SipRounds(SIPHASH_CTX *ctx, int final)
{
int rounds;
if (!final)
rounds = ctx->rounds_compr;
else
rounds = ctx->rounds_final;
while (rounds--) {
ctx->v[0] += ctx->v[1];
ctx->v[2] += ctx->v[3];
ctx->v[1] = SIP_ROTL(ctx->v[1], 13);
ctx->v[3] = SIP_ROTL(ctx->v[3], 16);
ctx->v[1] ^= ctx->v[0];
ctx->v[3] ^= ctx->v[2];
ctx->v[0] = SIP_ROTL(ctx->v[0], 32);
ctx->v[2] += ctx->v[1];
ctx->v[0] += ctx->v[3];
ctx->v[1] = SIP_ROTL(ctx->v[1], 17);
ctx->v[3] = SIP_ROTL(ctx->v[3], 21);
ctx->v[1] ^= ctx->v[2];
ctx->v[3] ^= ctx->v[0];
ctx->v[2] = SIP_ROTL(ctx->v[2], 32);
}
}