sri sowj <[email protected]> wrote:
> I have seen multiple open source drivers for AES(CTR) mode for
> different Crypto Hardware Engines, I was not really sure on
> countersize,nonce etc.
> Please can any one provide some info on the following
Not what you asked for, but in case it is useful here is the counter
management code from a version of the random(4) driver that
I am working on:
#include <linux/types.h>
#include <linux/spinlock.h>
#include <linux/bitops.h>	/* rol32() */

/*
 * ROTL is not defined in the fragment as posted; it is assumed here to be
 * a 32-bit left rotation, which is what the kernel's rol32() provides.
 */
#define ROTL(x, n) rol32((x), (n))

/*****************************************************************
 * 128-bit counter to mix in when hashing
 ****************************************************************/
static u32 iter_count = 0 ;
/* a bare "static spinlock_t counter_lock" is never initialised; DEFINE_SPINLOCK does it */
static DEFINE_SPINLOCK(counter_lock) ;

/*
 * constants are from SHA-1
 * ones in counter[] are used only once, in initialisation
 * then random data is mixed in there
 */
#define COUNTER_DELTA 0x67452301
static u32 counter[] = {0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0} ;

/*
 * Code is based on my own work in the Enchilada cipher:
 * https://aezoo.compute.dtu.dk/doku.php?id=enchilada
 *
 * Mix operations so Hamming weight changes more than for a simple
 * counter. This may not be strictly necessary, but a simple counter
 * can be considered safe only if you trust the crypto completely.
 * Low Hamming weight differences in inputs do allow some attacks on
 * block ciphers or hashes and the high bits of a large counter that
 * is only incremented do not change for aeons.
 *
 * The extra code here is cheap insurance.
 * Somewhat nonlinear since it uses +, XOR and rotation.
 *
 * For discussion, see mailing list thread starting at:
 * http://www.metzdowd.com/pipermail/cryptography/2014-May/021345.html
 */
static void count(void)
{
	spin_lock( &counter_lock ) ;
	/*
	 * Limit the switch to < 256 cases
	 * should work with any CPU & compiler
	 *
	 * Five constants used, all primes
	 * roughly evenly spaced, around 50, 100, 150, 200, 250
	 */
	switch( iter_count ) {
	/*
	 * mix three array elements
	 * each element is used twice
	 * once on left, once on right
	 * pattern is circular
	 */
	case 47:
		counter[1] += counter[2] ;
		break ;
	case 101:
		counter[2] += counter[3] ;
		break ;
	case 197:
		counter[3] += counter[1] ;
		break ;
	/*
	 * inject counter[0] into that loop
	 * loop and counter[0] use +=
	 * so use ^= here
	 */
	case 149:
		counter[1] ^= counter[0] ;
		break ;
	/*
	 * restart loop
	 * include a rotation for nonlinearity
	 * iter_count is u32, so -1 wraps to 0 after the ++ below
	 */
	case 251:
		counter[0] = ROTL( counter[0], 5) ;
		iter_count = -1 ;
		break ;
	/*
	 * for 247 out of every 252 iterations
	 * the switch does nothing
	 */
	default:
		break ;
	}
	/*
	 * counter[0] is almost purely a counter
	 * uses += instead of ++ to change Hamming weight more
	 * nothing above affects it, except the rotation
	 */
	counter[0] += COUNTER_DELTA ;
	iter_count++ ;
	spin_unlock( &counter_lock ) ;
}
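To make the comment about Hamming weight concrete, here is an added userspace port of the count() routine above (example code, not from the post or the kernel driver): it steps the mixed counter and a plain 128-bit counter from a fixed start and totals how many bits flip between successive states. The struct, the function names and the ROTL32 macro are assumptions of this example; the constants and case numbers are the posted ones.

```c
#include <stdint.h>

#define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define COUNTER_DELTA 0x67452301u

/* Userspace port of the posted count(): four 32-bit words plus iter_count. */
struct mixctr { uint32_t c[4]; uint32_t iter; };
static void mixctr_init(struct mixctr *m) {
	*m = (struct mixctr){{0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0}, 0};
}
static void mixctr_step(struct mixctr *m) {
	switch (m->iter) {	/* the same five prime-numbered cases as the post */
	case 47:  m->c[1] += m->c[2]; break;
	case 101: m->c[2] += m->c[3]; break;
	case 197: m->c[3] += m->c[1]; break;
	case 149: m->c[1] ^= m->c[0]; break;
	case 251: m->c[0] = ROTL32(m->c[0], 5); m->iter = (uint32_t)-1; break;
	default:  break;
	}
	m->c[0] += COUNTER_DELTA;	/* the "almost purely a counter" word */
	m->iter++;
}
/* Word i of the mixed counter after n steps from the posted initial values. */
static uint32_t mixed_word_after(unsigned n, int i) {
	struct mixctr m;
	for (mixctr_init(&m); n--; ) mixctr_step(&m);
	return m.c[i];
}
/* Hamming distance between two 128-bit states: number of bits that flipped. */
static unsigned hamming128(const uint32_t a[4], const uint32_t b[4]) {
	unsigned d = 0;
	for (int i = 0; i < 4; i++) d += (unsigned)__builtin_popcount(a[i] ^ b[i]);
	return d;
}
/* Total bits flipped over n steps of the mixed counter, from the posted init. */
static unsigned long mixed_total_flips(unsigned n) {
	struct mixctr m, prev; unsigned long sum = 0;
	mixctr_init(&m);
	while (n--) { prev = m; mixctr_step(&m); sum += hamming128(prev.c, m.c); }
	return sum;
}
/* Same for a plain 128-bit counter (little-endian words, +1 per step) from zero. */
static unsigned long plain_total_flips(unsigned n) {
	struct mixctr cur = {{0}, 0}, prev; unsigned long sum = 0;	/* iter unused here */
	while (n--) {
		prev = cur;
		for (int i = 0; i < 4 && ++cur.c[i] == 0; i++) {}	/* ripple the carry */
		sum += hamming128(prev.c, cur.c);
	}
	return sum;
}
```

A plain increment flips about two bits per step on average (one plus a geometric carry tail), while adding COUNTER_DELTA and the periodic mixes flip a large fraction of the 128 bits every step.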