Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
N
nettle
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
5
Merge Requests
5
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Commits
Open sidebar
Nettle
nettle
Commits
95feedde
Commit
95feedde
authored
Jul 03, 2012
by
Niels Möller
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Documented Salsa20.
parent
4a4201f9
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
79 additions
and
1 deletion
+79
-1
ChangeLog
ChangeLog
+4
-0
nettle.texinfo
nettle.texinfo
+75
-1
No files found.
ChangeLog
View file @
95feedde
2012-07-03 Niels Möller <nisse@lysator.liu.se>
* nettle.texinfo (Cipher functions): Document Salsa20.
2012-06-25 Niels Möller <nisse@lysator.liu.se>
* pkcs1.c (_pkcs1_signature_prefix): Renamed function, adding a
...
...
nettle.texinfo
View file @
95feedde
...
...
@@ -193,6 +193,12 @@ The implementation of RIPEMD160 message digest is based on the code in
libgcrypt, copyright owned by the Free Software Foundation. Ported to
Nettle by Andres Mejia. Released under the LGPL.
@item SALSA20
The C implementation of SALSA20 is based on D. J. Bernstein's reference
implementation, adapted to Nettle by Simon Josefsson, and heavily
modified by Niels Möller. Assembly for x86
_
64 by Niels Möller. Released
under the LGPL.
@item SERPENT
The implementation of the SERPENT cipher is based on the code in libgcrypt,
copyright owned by the Free Software Foundation. Adapted to Nettle by
...
...
@@ -1252,6 +1258,74 @@ in any other way.
Analogous to @code
{
des
_
encrypt
}
@end deftypefun
@subsection Salsa20
Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It
is built on the observation that a cryptographic hash function can be
used for encryption: Form the hash input from the secret key and a
counter, xor the hash output and the first block of the plaintext, then
increment the counter to process the next block (similar to CTR mode, see
@pxref
{
CTR
}
). Bernstein defined an encryption algorithm, Snuffle,
in this way to ridicule United States export restrictions which treated hash
functions as nice and harmless, but ciphers as dangerous munitions.
Salsa20 uses the same idea, but with a new specialized hash function to
mix key, block counter, and a couple of constants (input and output are
the same size, making it not directly applicable for use as a general
hash function). It's also designed for speed; on x86
_
64, it is currently
the fastest cipher offered by nettle. It uses a block size of 512 bits
(64 octets) and there are two specified key sizes, 128 and 256 bits (16
and 32 octets).
When using Salsa20 to process a message, one specifies both a key and a
@dfn
{
nonce
}
, the latter playing a similar rôle to the initialization
vector (@acronym
{
IV
}
) used with @acronym
{
CBC
}
or @acronym
{
CTR
}
mode. For
this reason, Nettle uses the term @acronym
{
IV
}
to refer to the Salsa20
nonce. One can use the same key for several messages, provided one uses
a unique random @acronym
{
iv
}
for each message. The @acronym
{
iv
}
is 64
bits (8 octets). The block counter is initialized to zero for each
message, and is also 64 bits (8 octets). Nettle defines Salsa20 in
@file
{
<nettle/salsa20.h>
}
.
@deftp
{
Context struct
}
{
struct salsa20
_
ctx
}
@end deftp
@defvr Constant SALSA20
_
MIN
_
KEY
_
SIZE
@defvrx Constant SALSA20
_
MAX
_
KEY
_
SIZE
The two supported key sizes, 16 and 32 octets.
@end defvr
@defvr Constant SALSA20
_
KEY
_
SIZE
Recommended key size, 32.
@end defvr
@defvr Constant SALSA20
_
BLOCK
_
SIZE
Salsa20 block size, 64.
@end defvr
@defvr Constant SALSA20
_
IV
_
SIZE
Size of the @acronym
{
IV
}
, 8.
@end defvr
@deftypefun void salsa20
_
set
_
key (struct salsa20
_
ctx *@var
{
ctx
}
, unsigned @var
{
length
}
, const uint8
_
t *@var
{
key
}
)
Initialize the cipher. The same function is used for both encryption and
decryption. Before using the cipher, you @emph
{
must
}
also call
@code
{
salsa20
_
set
_
iv
}
, see below.
@end deftypefun
@deftypefun void salsa20
_
set
_
iv (struct salsa20
_
ctx *@var
{
ctx
}
, const uint8
_
t *@var
{
iv
}
)
Sets the @acronym
{
IV
}
. It is always of size @code
{
SALSA20
_
IV
_
SIZE
}
, 8
octets. This function also initializes the block counter, setting it to
zero.
@end deftypefun
@deftypefun void salsa20
_
crypt (struct salsa20
_
ctx *@var
{
ctx
}
, unsigned @var
{
length
}
, uint8
_
t *@var
{
dst
}
, const uint8
_
t *@var
{
src
}
)
Encrypts or decrypts the data of a message, using salsa20. When a
message is encrypted using a sequence of calls to @code
{
salsa20
_
crypt
}
,
all but the last call @emph
{
must
}
use a length that is a multiple of
@code
{
SALSA20
_
BLOCK
_
SIZE
}
.
@end deftypefun
@subsection SERPENT
SERPENT is one of the AES finalists, designed by Ross Anderson, Eli
Biham and Lars Knudsen. Thus, the interface and properties are similar
...
...
@@ -1540,7 +1614,7 @@ C_n = E_k(IC + n - 1) [1..m] XOR M_n
@end example
The @acronym
{
IC
}
is the initial value for the counter, it plays a
similar r
o
le as the @acronym
{
IV
}
for @acronym
{
CBC
}
. When adding,
similar r
ô
le as the @acronym
{
IV
}
for @acronym
{
CBC
}
. When adding,
@code
{
IC + x
}
, @acronym
{
IC
}
is interpreted as an integer, in network
byte order. For the last block, @code
{
E
_
k(IC + n - 1) [1..m]
}
means that
the cipher output is truncated to @code
{
m
}
bytes.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment