
GCM and AEADs #43

Closed
zer0x64 opened this issue Jan 23, 2019 · 6 comments

Comments

@zer0x64

zer0x64 commented Jan 23, 2019

I'm not sure which repo to ask this on, but are there any plans to implement GCM and other authenticated modes in the project? The original https://github.com/DaGenix/rust-crypto/ crate has already done it.

@tarcieri
Member

tarcieri commented Jan 23, 2019

My crate Miscreant is built on this project and exposes an AEAD API to both AES-SIV and an alternative PMAC-based construction. Here is its Aead trait:

https://docs.rs/miscreant/latest/miscreant/aead/trait.Aead.html

I have a half-baked implementation of POLYVAL, which is effectively “GHASH, but little endian”, and used by the AES-GCM-SIV construction. GHASH can be implemented in terms of POLYVAL at effectively zero cost on little endian architectures. For more information, see: https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-09#appendix-A

My implementation of POLYVAL is already designed to take advantage of a (P)CLMUL(QDQ)-like instruction. Using POLYVAL to implement GHASH means that AES-GCM and AES-GCM-SIV can share a common universal hashing implementation.

I’ll push that up as a Miscreant PR for reference. That said I think it’s an interesting way to implement both constructions with a single primitive.
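The relation described in the comment above (POLYVAL as "GHASH, but little endian", and GHASH expressed in terms of POLYVAL per RFC 8452 Appendix A) is easiest to see with both hashes written out bit by bit. The following is an added example, not code from Miscreant or from any RustCrypto crate: it implements the two field multiplications over plain `u128` values, the `mulX_GHASH`/`mulX_POLYVAL` helpers and `ByteReverse`, and then computes each hash through the other. It is pure Rust with no dependencies or intrinsics, so it also builds for wasm32; the function names (`ghash`, `polyval`, `ghash_via_polyval`, `polyval_via_ghash`, `hex16`) are this example's own. The test vectors in `main` are the POLYVAL vector from RFC 8452 Appendix A and the GHASH value from GCM test case 2 (all-zero key, single zero block).

```rust
// Added example: bit-serial GF(2^128) arithmetic for GHASH and POLYVAL,
// plus each hash computed via the other (RFC 8452 Appendix A). Not project code.

/// GHASH reads a block as a big-endian integer; the leftmost bit is x^0.
/// x^128 = x^7 + x^2 + x + 1 becomes the GCM constant R = 0xE1 || 0^120.
const GHASH_R: u128 = 0xE1u128 << 120;
/// POLYVAL reads a block as a little-endian integer; bit k is x^k.
/// x^128 = x^127 + x^126 + x^121 + 1.
const POLYVAL_R: u128 = (0xC2u128 << 120) | 1;
/// POLYVAL: x^-1 = x^127 + x^126 + x^125 + x^120 (same polynomial rearranged).
const POLYVAL_XINV: u128 = 0xE1u128 << 120;

fn ghash_elem(b: &[u8; 16]) -> u128 { u128::from_be_bytes(*b) }
fn ghash_bytes(x: u128) -> [u8; 16] { x.to_be_bytes() }
fn polyval_elem(b: &[u8; 16]) -> u128 { u128::from_le_bytes(*b) }
fn polyval_bytes(x: u128) -> [u8; 16] { x.to_le_bytes() }

/// GCM Algorithm 1: walk the bits of x from the leftmost (x^0) downwards,
/// shifting v "right" (towards higher powers of x) and reducing with R.
fn ghash_mul(x: u128, y: u128) -> u128 {
    let (mut z, mut v) = (0u128, y);
    for i in 0..128 {
        if (x >> (127 - i)) & 1 == 1 { z ^= v; }
        let lsb = v & 1;
        v >>= 1;
        if lsb == 1 { v ^= GHASH_R; }
    }
    z
}

/// mulX_GHASH: multiply a GHASH element by x.
fn mulx_ghash(x: u128) -> u128 {
    let v = x >> 1;
    if x & 1 == 1 { v ^ GHASH_R } else { v }
}

/// Plain carry-less product a*b mod x^128 + x^127 + x^126 + x^121 + 1.
fn polyval_mul(a: u128, b: u128) -> u128 {
    let (mut z, mut v) = (0u128, a);
    for i in 0..128 {
        if (b >> i) & 1 == 1 { z ^= v; }
        let carry = v >> 127;
        v <<= 1;
        if carry == 1 { v ^= POLYVAL_R; }
    }
    z
}

/// RFC 8452 dot(a, b) = a * b * x^-128: the product divided by x 128 times.
fn polyval_dot(a: u128, b: u128) -> u128 {
    let mut z = polyval_mul(a, b);
    for _ in 0..128 {
        let lsb = z & 1;
        z >>= 1;
        if lsb == 1 { z ^= POLYVAL_XINV; }
    }
    z
}

/// mulX_POLYVAL: multiply a POLYVAL element by x.
fn mulx_polyval(x: u128) -> u128 {
    let v = x << 1;
    if x >> 127 == 1 { v ^ POLYVAL_R } else { v }
}

pub fn ghash(h: &[u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let hk = ghash_elem(h);
    let mut y = 0u128;
    for x in blocks { y = ghash_mul(y ^ ghash_elem(x), hk); }
    ghash_bytes(y)
}

pub fn polyval(h: &[u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let hk = polyval_elem(h);
    let mut s = 0u128;
    for x in blocks { s = polyval_dot(s ^ polyval_elem(x), hk); }
    polyval_bytes(s)
}

pub fn byte_reverse(b: &[u8; 16]) -> [u8; 16] { let mut r = *b; r.reverse(); r }

/// GHASH(H, X..) = ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X)..))
pub fn ghash_via_polyval(h: &[u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let hp = polyval_bytes(mulx_polyval(polyval_elem(&byte_reverse(h))));
    let xs: Vec<[u8; 16]> = blocks.iter().map(byte_reverse).collect();
    byte_reverse(&polyval(&hp, &xs))
}

/// POLYVAL(H, X..) = ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X)..))
pub fn polyval_via_ghash(h: &[u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let hg = ghash_bytes(mulx_ghash(ghash_elem(&byte_reverse(h))));
    let xs: Vec<[u8; 16]> = blocks.iter().map(byte_reverse).collect();
    byte_reverse(&ghash(&hg, &xs))
}

/// Small helper for the vectors below (example-only, no hex crate needed).
pub fn hex16(s: &str) -> [u8; 16] {
    let mut out = [0u8; 16];
    for (i, o) in out.iter_mut().enumerate() {
        *o = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).unwrap();
    }
    out
}

fn main() {
    // RFC 8452 Appendix A: expected f7a3b47b846119fae5b7866cf5e5b77e
    let h = hex16("25629347589242761d31f826ba4b757b");
    let x1 = hex16("4f4f95668c83dfb6401762bb2d01a262");
    let x2 = hex16("d1a24ddd2721d006bbe45f20d3c9f362");
    println!("POLYVAL           {:02x?}", polyval(&h, &[x1, x2]));
    println!("POLYVAL via GHASH {:02x?}", polyval_via_ghash(&h, &[x1, x2]));
    // GCM test case 2: expected f38cbb1ad69223dcc3457ae5b6b0f885
    let hg = hex16("66e94bd4ef8a2c3b884cfa59ca342b2e");
    let c = hex16("0388dace60b6a392f328c2b971b2fe78");
    let len = hex16("00000000000000000000000000000080");
    println!("GHASH             {:02x?}", ghash(&hg, &[c, len]));
    println!("GHASH via POLYVAL {:02x?}", ghash_via_polyval(&hg, &[c, len]));
}
```

The bit-serial loops are for clarity, not speed, and they are not constant-time in the sense a production implementation needs (the data-dependent branches leak bits of the operands); a CLMUL- or table-based kernel replaces `polyval_mul`, and the key transform (`mulX_POLYVAL` on the byte-reversed GHASH key) is a one-off at key setup, which is why one universal-hash core can serve both AES-GCM and AES-GCM-SIV.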

@zer0x64
Author

zer0x64 commented Jan 24, 2019

Hey @tarcieri! My main concern with other libraries is that I depend a lot on WebAssembly in my projects, so that pretty much locks me to pure Rust or libs with a dual implementation (this one actually works with WebAssembly). Does yours work with it?

@tarcieri
Member

My current implementation is pure Rust and does not leverage CLMUL yet. However, it's been designed so that it should be very easy to wire up using core::simd. I just haven't tried yet.

@tarcieri
Member

tarcieri commented Jan 24, 2019

I've published a WIP branch of an AES-GCM-SIV implementation in Miscreant. It has not been tested and is likely broken.

It includes a generic POLYVAL core function with concrete instantiations that theoretically implement both POLYVAL and GHASH.

https://github.com/miscreant/miscreant.rs/blob/047ae8b3fd68d62eeb1e8510110439ba24473df3/src/polyval.rs (Outdated: see below)

I'm happy to find a way to upstream it to this project, however that could probably use a separate issue on https://github.com/rustcrypto/macs

@tarcieri
Member

There's now a WIP PR open on https://github.com/RustCrypto/MACs/ implementing POLYVAL including support for CLMUL intrinsics. I think there are still a few XMM registers I'm rotating/shifting the wrong way but I think it's shaping up:

RustCrypto/MACs#13

Also in the comments for that PR is a plan for implementing GHASH in terms of POLYVAL (which is described in the RFC)

@tarcieri
Member

We should probably continue this over on the new RustCrypto/AEADs repo:

RustCrypto/AEADs#1

@newpavlov think we should close this issue?
