2017-05-11 22:39:54 +08:00
|
|
|
// EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block
|
|
|
|
// encryption mode developed by Halevi and Rogaway.
|
|
|
|
//
|
|
|
|
// It was presented in the 2003 paper "A Parallelizable Enciphering Mode" by
|
|
|
|
// Halevi and Rogaway.
|
|
|
|
//
|
|
|
|
// EME uses multiple invocations of a block cipher to construct a new cipher
|
|
|
|
// of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
|
2016-10-31 23:50:02 +08:00
|
|
|
package eme
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/cipher"
|
|
|
|
"log"
|
|
|
|
)
|
|
|
|
|
|
|
|
type directionConst bool
|
|
|
|
|
|
|
|
const (
|
|
|
|
// Encrypt "inputData"
|
|
|
|
DirectionEncrypt = directionConst(true)
|
|
|
|
// Decrypt "inputData"
|
|
|
|
DirectionDecrypt = directionConst(false)
|
|
|
|
)
|
|
|
|
|
|
|
|
// multByTwo - GF multiplication as specified in the EME-32 draft
|
|
|
|
func multByTwo(out []byte, in []byte) {
|
|
|
|
if len(in) != 16 {
|
|
|
|
panic("len must be 16")
|
|
|
|
}
|
|
|
|
tmp := make([]byte, 16)
|
|
|
|
|
|
|
|
tmp[0] = 2 * in[0]
|
|
|
|
if in[15] >= 128 {
|
|
|
|
tmp[0] = tmp[0] ^ 135
|
|
|
|
}
|
|
|
|
for j := 1; j < 16; j++ {
|
|
|
|
tmp[j] = 2 * in[j]
|
|
|
|
if in[j-1] >= 128 {
|
|
|
|
tmp[j] += 1
|
|
|
|
}
|
|
|
|
}
|
|
|
|
copy(out, tmp)
|
|
|
|
}
|
|
|
|
|
|
|
|
func xorBlocks(out []byte, in1 []byte, in2 []byte) {
|
|
|
|
if len(in1) != len(in2) {
|
|
|
|
log.Panicf("len(in1)=%d is not equal to len(in2)=%d", len(in1), len(in2))
|
|
|
|
}
|
|
|
|
|
|
|
|
for i := range in1 {
|
|
|
|
out[i] = in1[i] ^ in2[i]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// aesTransform - encrypt or decrypt (according to "direction") using block
|
|
|
|
// cipher "bc" (typically AES)
|
|
|
|
func aesTransform(dst []byte, src []byte, direction directionConst, bc cipher.Block) {
|
|
|
|
if direction == DirectionEncrypt {
|
|
|
|
bc.Encrypt(dst, src)
|
|
|
|
return
|
|
|
|
} else if direction == DirectionDecrypt {
|
|
|
|
bc.Decrypt(dst, src)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// tabulateL - calculate L_i for messages up to a length of m cipher blocks
|
|
|
|
func tabulateL(bc cipher.Block, m int) [][]byte {
|
|
|
|
/* set L0 = 2*AESenc(K; 0) */
|
|
|
|
eZero := make([]byte, 16)
|
|
|
|
Li := make([]byte, 16)
|
|
|
|
bc.Encrypt(Li, eZero)
|
|
|
|
|
|
|
|
LTable := make([][]byte, m)
|
|
|
|
// Allocate pool once and slice into m pieces in the loop
|
|
|
|
pool := make([]byte, m*16)
|
|
|
|
for i := 0; i < m; i++ {
|
|
|
|
multByTwo(Li, Li)
|
|
|
|
LTable[i] = pool[i*16 : (i+1)*16]
|
|
|
|
copy(LTable[i], Li)
|
|
|
|
}
|
|
|
|
return LTable
|
|
|
|
}
|
|
|
|
|
|
|
|
// Transform - EME-encrypt or EME-decrypt, according to "direction"
|
|
|
|
// (defined in the constants DirectionEncrypt and DirectionDecrypt).
|
|
|
|
// The data in "inputData" is en- or decrypted with the block ciper "bc" under
|
|
|
|
// "tweak" (also known as IV).
|
|
|
|
//
|
|
|
|
// The tweak is used to randomize the encryption in the same way as an
|
|
|
|
// IV. A use of this encryption mode envisioned by the authors of the
|
|
|
|
// algorithm was to encrypt each sector of a disk, with the tweak
|
|
|
|
// being the sector number. If you encipher the same data with the
|
|
|
|
// same tweak you will get the same ciphertext.
|
|
|
|
//
|
|
|
|
// The result is returned in a freshly allocated slice of the same
|
|
|
|
// size as inputData.
|
|
|
|
//
|
2017-05-11 22:39:54 +08:00
|
|
|
// Limitations:
|
|
|
|
// * The block cipher must have block size 16 (usually AES).
|
|
|
|
// * The size of "tweak" must be 16
|
|
|
|
// * "inputData" must be a multiple of 16 bytes long
|
|
|
|
// If any of these pre-conditions are not met, the function will panic.
|
|
|
|
//
|
|
|
|
// Note that you probably don't want to call this function directly and instead
|
|
|
|
// use eme.New(), which provides conventient wrappers.
|
2016-10-31 23:50:02 +08:00
|
|
|
func Transform(bc cipher.Block, tweak []byte, inputData []byte, direction directionConst) []byte {
|
|
|
|
// In the paper, the tweak is just called "T". Call it the same here to
|
|
|
|
// make following the paper easy.
|
|
|
|
T := tweak
|
|
|
|
// In the paper, the plaintext data is called "P" and the ciphertext is
|
|
|
|
// called "C". Because encryption and decryption are virtually indentical,
|
|
|
|
// we share the code and always call the input data "P" and the output data
|
|
|
|
// "C", regardless of the direction.
|
|
|
|
P := inputData
|
|
|
|
|
|
|
|
if bc.BlockSize() != 16 {
|
|
|
|
log.Panicf("Using a block size other than 16 is not implemented")
|
|
|
|
}
|
|
|
|
if len(T) != 16 {
|
|
|
|
log.Panicf("Tweak must be 16 bytes long, is %d", len(T))
|
|
|
|
}
|
|
|
|
if len(P)%16 != 0 {
|
|
|
|
log.Panicf("Data P must be a multiple of 16 long, is %d", len(P))
|
|
|
|
}
|
|
|
|
m := len(P) / 16
|
|
|
|
if m == 0 || m > 16*8 {
|
|
|
|
log.Panicf("EME operates on 1 to %d block-cipher blocks, you passed %d", 16*8, m)
|
|
|
|
}
|
|
|
|
|
|
|
|
C := make([]byte, len(P))
|
|
|
|
|
|
|
|
LTable := tabulateL(bc, m)
|
|
|
|
|
|
|
|
PPj := make([]byte, 16)
|
|
|
|
for j := 0; j < m; j++ {
|
|
|
|
Pj := P[j*16 : (j+1)*16]
|
|
|
|
/* PPj = 2**(j-1)*L xor Pj */
|
|
|
|
xorBlocks(PPj, Pj, LTable[j])
|
|
|
|
/* PPPj = AESenc(K; PPj) */
|
|
|
|
aesTransform(C[j*16:(j+1)*16], PPj, direction, bc)
|
|
|
|
}
|
|
|
|
|
|
|
|
/* MP =(xorSum PPPj) xor T */
|
|
|
|
MP := make([]byte, 16)
|
|
|
|
xorBlocks(MP, C[0:16], T)
|
|
|
|
for j := 1; j < m; j++ {
|
|
|
|
xorBlocks(MP, MP, C[j*16:(j+1)*16])
|
|
|
|
}
|
|
|
|
|
|
|
|
/* MC = AESenc(K; MP) */
|
|
|
|
MC := make([]byte, 16)
|
|
|
|
aesTransform(MC, MP, direction, bc)
|
|
|
|
|
|
|
|
/* M = MP xor MC */
|
|
|
|
M := make([]byte, 16)
|
|
|
|
xorBlocks(M, MP, MC)
|
|
|
|
CCCj := make([]byte, 16)
|
|
|
|
for j := 1; j < m; j++ {
|
|
|
|
multByTwo(M, M)
|
|
|
|
/* CCCj = 2**(j-1)*M xor PPPj */
|
|
|
|
xorBlocks(CCCj, C[j*16:(j+1)*16], M)
|
|
|
|
copy(C[j*16:(j+1)*16], CCCj)
|
|
|
|
}
|
|
|
|
|
|
|
|
/* CCC1 = (xorSum CCCj) xor T xor MC */
|
|
|
|
CCC1 := make([]byte, 16)
|
|
|
|
xorBlocks(CCC1, MC, T)
|
|
|
|
for j := 1; j < m; j++ {
|
|
|
|
xorBlocks(CCC1, CCC1, C[j*16:(j+1)*16])
|
|
|
|
}
|
|
|
|
copy(C[0:16], CCC1)
|
|
|
|
|
|
|
|
for j := 0; j < m; j++ {
|
|
|
|
/* CCj = AES-enc(K; CCCj) */
|
|
|
|
aesTransform(C[j*16:(j+1)*16], C[j*16:(j+1)*16], direction, bc)
|
|
|
|
/* Cj = 2**(j-1)*L xor CCj */
|
|
|
|
xorBlocks(C[j*16:(j+1)*16], C[j*16:(j+1)*16], LTable[j])
|
|
|
|
}
|
|
|
|
|
|
|
|
return C
|
|
|
|
}
|
2017-05-11 22:39:54 +08:00
|
|
|
|
|
|
|
// EMECipher provides EME-Encryption and -Decryption functions that are more
|
|
|
|
// convenient than calling Transform directly.
|
|
|
|
type EMECipher struct {
|
|
|
|
bc cipher.Block
|
|
|
|
}
|
|
|
|
|
|
|
|
// New returns a new EMECipher object. "bc" must have a block size of 16,
|
|
|
|
// or subsequent calls to Encrypt and Decrypt will panic.
|
|
|
|
func New(bc cipher.Block) *EMECipher {
|
|
|
|
return &EMECipher{
|
|
|
|
bc: bc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Encrypt is equivalent to calling Transform with direction=DirectionEncrypt.
|
|
|
|
func (e *EMECipher) Encrypt(tweak []byte, inputData []byte) []byte {
|
|
|
|
return Transform(e.bc, tweak, inputData, DirectionEncrypt)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt is equivalent to calling Transform with direction=DirectionDecrypt.
|
|
|
|
func (e *EMECipher) Decrypt(tweak []byte, inputData []byte) []byte {
|
|
|
|
return Transform(e.bc, tweak, inputData, DirectionDecrypt)
|
|
|
|
}
|