Crypto++ 8.2
Free C&
siphash.h
Go to the documentation of this file.
1// siphash.h - written and placed in public domain by Jeffrey Walton.
2
3/// \file siphash.h
4/// \brief Classes for SipHash message authentication code
5/// \details SipHash computes a 64-bit or 128-bit message authentication code from a variable-length
6/// message and 128-bit secret key. It was designed to be efficient even for short inputs, with
7/// performance comparable to non-cryptographic hash functions.
8/// \details To create a SipHash-2-4 object with a 64-bit MAC use code similar to the following.
9/// <pre> SecByteBlock key(16);
10/// prng.GenerateBlock(key, key.size());
11///
12/// SipHash<2,4,false> hash(key, key.size());
13/// hash.Update(...);
14/// hash.Final(...);</pre>
15/// \details To create a SipHash-2-4 object with a 128-bit MAC use code similar to the following.
16/// <pre> SecByteBlock key(16);
17/// prng.GenerateBlock(key, key.size());
18///
19/// SipHash<2,4,true> hash(key, key.size());
20/// hash.Update(...);
21/// hash.Final(...);</pre>
22/// \sa Jean-Philippe Aumasson and Daniel J. Bernstein <A HREF="http://131002.net/siphash/siphash.pdf">SipHash:
23/// a fast short-input PRF</A>
24/// \since Crypto++ 6.0
25
26#ifndef CRYPTOPP_SIPHASH_H
27#define CRYPTOPP_SIPHASH_H
28
29#include "cryptlib.h"
30#include "secblock.h"
31#include "misc.h"
32
33NAMESPACE_BEGIN(CryptoPP)
34
35/// \brief SipHash message authentication code information
36/// \tparam T_128bit flag indicating 128-bit (true) versus 64-bit (false) digest size
37template <bool T_128bit>
38class SipHash_Info : public FixedKeyLength<16>
39{
40public:
41 CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() {return "SipHash";}
42 CRYPTOPP_CONSTANT(DIGESTSIZE = (T_128bit ? 16 : 8))
43};
44
45/// \brief SipHash message authentication code base class
46/// \tparam C the number of compression rounds
47/// \tparam D the number of finalization rounds
48/// \tparam T_128bit flag indicating 128-bit (true) versus 64-bit (false) digest size
49template <unsigned int C, unsigned int D, bool T_128bit>
50class SipHash_Base : public MessageAuthenticationCode, public SipHash_Info<T_128bit>
51{
52public:
53 static std::string StaticAlgorithmName() {
55 }
56
57 virtual ~SipHash_Base() {}
58
59 SipHash_Base() : m_idx(0) {}
60
61 virtual unsigned int DigestSize() const
63 virtual size_t MinKeyLength() const
65 virtual size_t MaxKeyLength() const
67 virtual size_t DefaultKeyLength() const
69 virtual size_t GetValidKeyLength(size_t keylength) const
70 {CRYPTOPP_UNUSED(keylength); return SipHash_Info<T_128bit>::DEFAULT_KEYLENGTH;}
73 virtual unsigned int IVSize() const
74 {return 0;}
75 virtual unsigned int OptimalBlockSize() const
76 {return sizeof(word64);}
77 virtual unsigned int OptimalDataAlignment () const
78 {return GetAlignmentOf<word64>();}
79
80 virtual void Update(const byte *input, size_t length);
81 virtual void TruncatedFinal(byte *digest, size_t digestSize);
82
83protected:
84
85 virtual void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params);
86 virtual void Restart();
87
88 inline void SIPROUND()
89 {
90 m_v[0] += m_v[1];
91 m_v[1] = rotlConstant<13>(m_v[1]);
92 m_v[1] ^= m_v[0];
93 m_v[0] = rotlConstant<32>(m_v[0]);
94 m_v[2] += m_v[3];
95 m_v[3] = rotlConstant<16>(m_v[3]);
96 m_v[3] ^= m_v[2];
97 m_v[0] += m_v[3];
98 m_v[3] = rotlConstant<21>(m_v[3]);
99 m_v[3] ^= m_v[0];
100 m_v[2] += m_v[1];
101 m_v[1] = rotlConstant<17>(m_v[1]);
102 m_v[1] ^= m_v[2];
103 m_v[2] = rotlConstant<32>(m_v[2]);
104 }
105
106private:
110
111 // Tail bytes
113 size_t m_idx;
114};
115
116/// \brief SipHash message authentication code
117/// \tparam C the number of compression rounds
118/// \tparam D the number of finalization rounds
119/// \tparam T_128bit flag indicating 128-bit (true) versus 64-bit (false) digest size
120/// \details SipHash computes a 64-bit or 128-bit message authentication code from a variable-length
121/// message and 128-bit secret key. It was designed to be efficient even for short inputs, with
122/// performance comparable to non-cryptographic hash functions.
123/// \details To create a SipHash-2-4 object with a 64-bit MAC use code similar to the following.
124/// <pre> SecByteBlock key(16);
125/// prng.GenerateBlock(key, key.size());
126///
127/// SipHash<2,4,false> hash(key, key.size());
128/// hash.Update(...);
129/// hash.Final(...);</pre>
130/// \details To create a SipHash-2-4 object with a 128-bit MAC use code similar to the following.
131/// <pre> SecByteBlock key(16);
132/// prng.GenerateBlock(key, key.size());
133///
134/// SipHash<2,4,true> hash(key, key.size());
135/// hash.Update(...);
136/// hash.Final(...);</pre>
137/// \sa Jean-Philippe Aumasson and Daniel J. Bernstein <A HREF="http://131002.net/siphash/siphash.pdf">SipHash:
138/// a fast short-input PRF</A>
139/// \since Crypto++ 6.0
140template <unsigned int C=2, unsigned int D=4, bool T_128bit=false>
141class SipHash : public SipHash_Base<C, D, T_128bit>
142{
143public:
144 /// \brief Create a SipHash
146 {this->UncheckedSetKey(NULLPTR, 0, g_nullNameValuePairs);}
147 /// \brief Create a SipHash
148 /// \param key a byte array used to key the cipher
149 /// \param length the size of the byte array, in bytes
150 SipHash(const byte *key, unsigned int length)
151 {this->UncheckedSetKey(key, length, g_nullNameValuePairs);}
152};
153
154template <unsigned int C, unsigned int D, bool T_128bit>
155void SipHash_Base<C,D,T_128bit>::Update(const byte *input, size_t length)
156{
157 CRYPTOPP_ASSERT((input && length) || !length);
158 if (!length) return;
159
160 if (m_idx)
161 {
162 size_t head = STDMIN(size_t(8U-m_idx), length);
163 memcpy(m_acc+m_idx, input, head);
164 m_idx += head; input += head; length -= head;
165
166 if (m_idx == 8)
167 {
168 word64 m = GetWord<word64>(true, LITTLE_ENDIAN_ORDER, m_acc);
169 m_v[3] ^= m;
170 for (unsigned int i = 0; i < C; ++i)
171 SIPROUND();
172
173 m_v[0] ^= m;
174 m_b[0] += 8;
175
176 m_idx = 0;
177 }
178 }
179
180 while (length >= 8)
181 {
182 word64 m = GetWord<word64>(false, LITTLE_ENDIAN_ORDER, input);
183 m_v[3] ^= m;
184 for (unsigned int i = 0; i < C; ++i)
185 SIPROUND();
186
187 m_v[0] ^= m;
188 m_b[0] += 8;
189
190 input += 8;
191 length -= 8;
192 }
193
194 CRYPTOPP_ASSERT(length < 8);
195 size_t tail = length % 8;
196 if (tail)
197 {
198 memcpy(m_acc+m_idx, input, tail);
199 m_idx += tail;
200 }
201}
202
203template <unsigned int C, unsigned int D, bool T_128bit>
204void SipHash_Base<C,D,T_128bit>::TruncatedFinal(byte *digest, size_t digestSize)
205{
206 CRYPTOPP_ASSERT(digest); // Pointer is valid
207
208 ThrowIfInvalidTruncatedSize(digestSize);
209
210 // The high octet holds length and is digested mod 256
211 m_b[0] += m_idx; m_b[0] <<= 56U;
212 switch (m_idx)
213 {
214 case 7:
215 m_b[0] |= ((word64)m_acc[6]) << 48;
216 // fall through
217 case 6:
218 m_b[0] |= ((word64)m_acc[5]) << 40;
219 // fall through
220 case 5:
221 m_b[0] |= ((word64)m_acc[4]) << 32;
222 // fall through
223 case 4:
224 m_b[0] |= ((word64)m_acc[3]) << 24;
225 // fall through
226 case 3:
227 m_b[0] |= ((word64)m_acc[2]) << 16;
228 // fall through
229 case 2:
230 m_b[0] |= ((word64)m_acc[1]) << 8;
231 // fall through
232 case 1:
233 m_b[0] |= ((word64)m_acc[0]);
234 // fall through
235 case 0:
236 break;
237 }
238
239 m_v[3] ^= m_b[0];
240
241 for (unsigned int i=0; i<C; i++)
242 SIPROUND();
243
244 m_v[0] ^= m_b[0];
245
246 if (T_128bit)
247 m_v[2] ^= 0xee;
248 else
249 m_v[2] ^= 0xff;
250
251 for (unsigned int i=0; i<D; i++)
252 SIPROUND();
253
254 m_b[0] = m_v[0] ^ m_v[1] ^ m_v[2] ^ m_v[3];
256
257 if (T_128bit)
258 {
259 m_v[1] ^= 0xdd;
260 for (unsigned int i = 0; i<D; ++i)
261 SIPROUND();
262
263 m_b[1] = m_v[0] ^ m_v[1] ^ m_v[2] ^ m_v[3];
265 }
266
267 memcpy_s(digest, digestSize, m_b.begin(), STDMIN(digestSize, (size_t)SipHash_Info<T_128bit>::DIGESTSIZE));
268 Restart();
269}
270
271template <unsigned int C, unsigned int D, bool T_128bit>
272void SipHash_Base<C,D,T_128bit>::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params)
273{
274 CRYPTOPP_UNUSED(params);
275 if (key && length)
276 {
277 m_k[0] = GetWord<word64>(false, LITTLE_ENDIAN_ORDER, key);
278 m_k[1] = GetWord<word64>(false, LITTLE_ENDIAN_ORDER, key+8);
279 }
280 else
281 {
282 // Avoid Coverity finding
283 m_k[0] = m_k[1] = 0;
284 }
285 Restart();
286}
287
288template <unsigned int C, unsigned int D, bool T_128bit>
290{
291 m_v[0] = W64LIT(0x736f6d6570736575);
292 m_v[1] = W64LIT(0x646f72616e646f6d);
293 m_v[2] = W64LIT(0x6c7967656e657261);
294 m_v[3] = W64LIT(0x7465646279746573);
295
296 m_v[3] ^= m_k[1];
297 m_v[2] ^= m_k[0];
298 m_v[1] ^= m_k[1];
299 m_v[0] ^= m_k[0];
300
301 if (T_128bit)
302 {
303 m_v[1] ^= 0xee;
304 }
305
306 m_idx = 0;
307 m_b[0] = 0;
308}
309
310NAMESPACE_END
311
312#endif // CRYPTOPP_SIPHASH_H
Inherited by keyed algorithms with fixed key length.
Definition: seckey.h:125
Fixed size stack-based SecBlock.
Definition: secblock.h:1078
Interface for message authentication codes.
Definition: cryptlib.h:1267
Interface for retrieving values given their names.
Definition: cryptlib.h:294
IV_Requirement
Secure IVs requirements as enumerated values.
Definition: cryptlib.h:691
@ NOT_RESYNCHRONIZABLE
The object does not use an IV.
Definition: cryptlib.h:701
SipHash message authentication code base class.
Definition: siphash.h:51
virtual IV_Requirement IVRequirement() const
Minimal requirement for secure IVs.
Definition: siphash.h:71
virtual void TruncatedFinal(byte *digest, size_t digestSize)
Computes the hash of the current message.
Definition: siphash.h:204
virtual unsigned int IVSize() const
Returns length of the IV accepted by this object.
Definition: siphash.h:73
virtual size_t MinKeyLength() const
Returns smallest valid key length.
Definition: siphash.h:63
virtual unsigned int OptimalBlockSize() const
Provides the input block size most efficient for this hash.
Definition: siphash.h:75
virtual void Update(const byte *input, size_t length)
Updates a hash with additional input.
Definition: siphash.h:155
virtual unsigned int DigestSize() const
Provides the digest size of the hash.
Definition: siphash.h:61
virtual size_t DefaultKeyLength() const
Returns default key length.
Definition: siphash.h:67
virtual size_t MaxKeyLength() const
Returns largest valid key length.
Definition: siphash.h:65
virtual size_t GetValidKeyLength(size_t keylength) const
Returns a valid key length for the algorithm.
Definition: siphash.h:69
virtual unsigned int OptimalDataAlignment() const
Provides input and output data alignment for optimal performance.
Definition: siphash.h:77
SipHash message authentication code information.
Definition: siphash.h:39
SipHash message authentication code.
Definition: siphash.h:142
SipHash(const byte *key, unsigned int length)
Create a SipHash.
Definition: siphash.h:150
SipHash()
Create a SipHash.
Definition: siphash.h:145
Abstract base classes that provide a uniform interface to this library.
@ LITTLE_ENDIAN_ORDER
byte order is little-endian
Definition: cryptlib.h:145
Utility functions for the Crypto++ library.
void memcpy_s(void *dest, size_t sizeInBytes, const void *src, size_t count)
Bounds checking replacement for memcpy()
Definition: misc.h:443
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition: misc.h:567
std::string IntToString(T value, unsigned int base=10)
Converts a value to a string.
Definition: misc.h:636
T ConditionalByteReverse(ByteOrder order, T value)
Reverses bytes in a value depending upon endianness.
Definition: misc.h:2113
Crypto++ library namespace.
Classes and functions for secure memory allocations.
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:69