Software APIs
ghash.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_AES_GCM_GHASH_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_AES_GCM_GHASH_H_
7 
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif // __cplusplus
14 
15 enum {
16  /**
17  * Size of a GHASH cipher block (128 bits) in bytes.
18  */
19  kGhashBlockNumBytes = 128 / 8,
20  /**
21  * Size of a GHASH cipher block (128 bits) in words.
22  */
23  kGhashBlockNumWords = kGhashBlockNumBytes / sizeof(uint32_t),
24 };
25 
26 /**
27  * A type that holds a single cipher block.
28  */
29 typedef struct ghash_block {
30  uint32_t data[kGhashBlockNumWords];
31 } ghash_block_t;
32 
33 typedef struct ghash_context {
34  /**
35  * Precomputed product table for the hash subkey.
36  */
37  ghash_block_t tbl[16];
38  /**
39  * Cipher block representing the current GHASH state.
40  */
41  ghash_block_t state;
42 } ghash_context_t;
43 
44 /**
45  * Precompute hash subkey information for GHASH.
46  *
47  * This routine will precompute a product table for the hash subkey for the
48  * GHASH context. It will not set the state to 0; call `ghash_init` afterwards.
49  *
50  * This operation should only be called once per key, and afterwards the
51  * context object can be used for multiple separate GHASH operations with that
52  * key. The reason for separating this and `ghash_init` into two functions is
53  * that computing the product table is computationally expensive, and some GCM
54  * computations need to compute more than one separate GHASH operation.
55  *
56  * @param hash_subkey Subkey for the GHASH operation (`kGhashBlockNumWords`
57  * words).
58  * @param[out] ctx Context object with product table populated.
59  */
60 void ghash_init_subkey(const uint32_t *hash_subkey, ghash_context_t *ctx);
61 
62 /**
63  * Start a GHASH operation.
64  *
65  * This routine will initialize the GHASH state within the context object to
66  * zero. It will not precompute the key product table; call `ghash_init_subkey`
67  * first.
68  *
69  * @param[out] ctx Context object with GHASH state reset to zero.
70  */
71 void ghash_init(ghash_context_t *ctx);
72 
73 /**
74  * Given a partial GHASH block and some new input, process full blocks.
75  *
76  * Concatenates the new input to the partial data and processes any full blocks
77  * with GHASH. Updates the partial block with the new, leftover partial data
78  * after processing the new input.
79  *
80  * The partial block may be empty, but should never be full; `partial_len`
81  * should always be less than `kGhashBlockNumBytes`.
82  *
83  * @param ctx Context object.
84  * @param partial_len Length of the partial block.
85  * @param partial Partial GHASH block.
86  * @param input_len Length of the input data in bytes.
87  * @param input Input data.
88  */
89 void ghash_process_full_blocks(ghash_context_t *ctx, size_t partial_len,
90  ghash_block_t *partial, size_t input_len,
91  const uint8_t *input);
92 /**
93  * Update the state of a GHASH operation.
94  *
95  * Pads the input with 0s on the right-hand side if needed so that the input
96  * size is a multiple of the block size. Given a state representing GHASH(A)
97  * and a new input B, this function will return a state representing:
98  * GHASH(A || B || <padding for B>)
99  *
100  * Initialize the context object with `ghash_init_subkey` and `ghash_init`
101  * before calling this function.
102  *
103  * @param ctx Context object.
104  * @param input_len Number of bytes in the input.
105  * @param input Pointer to input buffer.
106  */
107 void ghash_update(ghash_context_t *ctx, size_t input_len, const uint8_t *input);
108 
109 /**
110  * Update the state of a GHASH operation.
111  *
112  * Pads the input with 0s on the right-hand side if needed so that the input
113  * size is a multiple of the block size. Given a state representing GHASH(A)
114  * and a new input B, this function will return a state representing:
115  * GHASH(A || B || <padding for B>)
116  *
117  * Initialize the context object with `ghash_init_subkey` and `ghash_init`
118  * before calling this function.
119  *
120  * The caller must ensure that at least `kGhashBlockNumWords` words are
121  * allocated in the `result` buffer.
122  *
123  * @param ctx Context object.
124  * @param[out] result Buffer in which to write the GHASH result block
125  */
126 void ghash_final(ghash_context_t *ctx, uint32_t *result);
127 
128 #ifdef __cplusplus
129 } // extern "C"
130 #endif // __cplusplus
131 
132 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_AES_GCM_GHASH_H_
Return to OpenTitan Documentation