master
1//! AEGIS is a very fast authenticated encryption system built on top of the core AES function.
2//!
3//! The AEGIS-128* variants have a 128 bit key and a 128 bit nonce.
4//! The AEGIS-256* variants have a 256 bit key and a 256 bit nonce.
5//! All of them can compute 128 and 256 bit authentication tags.
6//!
7//! The AEGIS cipher family offers performance that significantly exceeds that of AES-GCM with
8//! hardware support for parallelizable AES block encryption.
9//!
10//! On high-end Intel CPUs with AVX-512 support, AEGIS-128X4 and AEGIS-256X4 are the fastest options.
11//! On other modern server, desktop and mobile CPUs, AEGIS-128X2 and AEGIS-256X2 are usually the fastest options.
12//! AEGIS-128L and AEGIS-256 perform well on a broad range of platforms, including WebAssembly.
13//!
14//! Unlike with AES-GCM, nonces can be safely chosen at random with no practical limit when using AEGIS-256*.
15//! AEGIS-128* also allows for more messages to be safely encrypted when using random nonces.
16//!
17//! Unless the associated data can be fully controled by an adversary, AEGIS is believed to be key-committing,
18//! making it a safer choice than most other AEADs when the key has low entropy, or can be controlled by an attacker.
19//!
20//! Finally, leaking the state does not leak the key.
21//!
22//! https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/
23
24const std = @import("std");
25const crypto = std.crypto;
26const mem = std.mem;
27const assert = std.debug.assert;
28const AuthenticationError = crypto.errors.AuthenticationError;
29
30/// AEGIS-128X4 with a 128 bit tag
31pub const Aegis128X4 = Aegis128XGeneric(4, 128);
32/// AEGIS-128X2 with a 128 bit tag
33pub const Aegis128X2 = Aegis128XGeneric(2, 128);
34/// AEGIS-128L with a 128 bit tag
35pub const Aegis128L = Aegis128XGeneric(1, 128);
36
37/// AEGIS-256X4 with a 128 bit tag
38pub const Aegis256X4 = Aegis256XGeneric(4, 128);
39/// AEGIS-256X2 with a 128 bit tag
40pub const Aegis256X2 = Aegis256XGeneric(2, 128);
41/// AEGIS-256 with a 128 bit tag
42pub const Aegis256 = Aegis256XGeneric(1, 128);
43
44/// AEGIS-128X4 with a 256 bit tag
45pub const Aegis128X4_256 = Aegis128XGeneric(4, 256);
46/// AEGIS-128X2 with a 256 bit tag
47pub const Aegis128X2_256 = Aegis128XGeneric(2, 256);
48/// AEGIS-128L with a 256 bit tag
49pub const Aegis128L_256 = Aegis128XGeneric(1, 256);
50
51/// AEGIS-256X4 with a 256 bit tag
52pub const Aegis256X4_256 = Aegis256XGeneric(4, 256);
53/// AEGIS-256X2 with a 256 bit tag
54pub const Aegis256X2_256 = Aegis256XGeneric(2, 256);
55/// AEGIS-256 with a 256 bit tag
56pub const Aegis256_256 = Aegis256XGeneric(1, 256);
57
58fn State128X(comptime degree: u7) type {
59 return struct {
60 const AesBlockVec = crypto.core.aes.BlockVec(degree);
61 const State = @This();
62
63 blocks: [8]AesBlockVec,
64
65 const aes_block_length = AesBlockVec.block_length;
66 const rate = aes_block_length * 2;
67 const alignment = AesBlockVec.native_word_size;
68
69 fn init(key: [16]u8, nonce: [16]u8) State {
70 const c1 = AesBlockVec.fromBytes(&[16]u8{ 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd } ** degree);
71 const c2 = AesBlockVec.fromBytes(&[16]u8{ 0x0, 0x1, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 } ** degree);
72 const key_block = AesBlockVec.fromBytes(&(key ** degree));
73 const nonce_block = AesBlockVec.fromBytes(&(nonce ** degree));
74 const blocks = [8]AesBlockVec{
75 key_block.xorBlocks(nonce_block),
76 c1,
77 c2,
78 c1,
79 key_block.xorBlocks(nonce_block),
80 key_block.xorBlocks(c2),
81 key_block.xorBlocks(c1),
82 key_block.xorBlocks(c2),
83 };
84 var state = State{ .blocks = blocks };
85 if (degree > 1) {
86 const context_block = ctx: {
87 var contexts_bytes = [_]u8{0} ** aes_block_length;
88 for (0..degree) |i| {
89 contexts_bytes[i * 16] = @intCast(i);
90 contexts_bytes[i * 16 + 1] = @intCast(degree - 1);
91 }
92 break :ctx AesBlockVec.fromBytes(&contexts_bytes);
93 };
94 for (0..10) |_| {
95 state.blocks[3] = state.blocks[3].xorBlocks(context_block);
96 state.blocks[7] = state.blocks[7].xorBlocks(context_block);
97 state.update(nonce_block, key_block);
98 }
99 } else {
100 for (0..10) |_| {
101 state.update(nonce_block, key_block);
102 }
103 }
104 return state;
105 }
106
107 fn update(state: *State, d1: AesBlockVec, d2: AesBlockVec) void {
108 const blocks = &state.blocks;
109 const tmp = blocks[7];
110 comptime var i: usize = 7;
111 inline while (i > 0) : (i -= 1) {
112 blocks[i] = blocks[i - 1].encrypt(blocks[i]);
113 }
114 blocks[0] = tmp.encrypt(blocks[0]);
115 blocks[0] = blocks[0].xorBlocks(d1);
116 blocks[4] = blocks[4].xorBlocks(d2);
117 }
118
119 fn absorb(state: *State, src: *const [rate]u8) void {
120 const msg0 = AesBlockVec.fromBytes(src[0..aes_block_length]);
121 const msg1 = AesBlockVec.fromBytes(src[aes_block_length..rate]);
122 state.update(msg0, msg1);
123 }
124
125 fn enc(state: *State, dst: *[rate]u8, src: *const [rate]u8) void {
126 const blocks = &state.blocks;
127 const msg0 = AesBlockVec.fromBytes(src[0..aes_block_length]);
128 const msg1 = AesBlockVec.fromBytes(src[aes_block_length..rate]);
129 var tmp0 = msg0.xorBlocks(blocks[6]).xorBlocks(blocks[1]);
130 var tmp1 = msg1.xorBlocks(blocks[2]).xorBlocks(blocks[5]);
131 tmp0 = tmp0.xorBlocks(blocks[2].andBlocks(blocks[3]));
132 tmp1 = tmp1.xorBlocks(blocks[6].andBlocks(blocks[7]));
133 dst[0..aes_block_length].* = tmp0.toBytes();
134 dst[aes_block_length..rate].* = tmp1.toBytes();
135 state.update(msg0, msg1);
136 }
137
138 fn dec(state: *State, dst: *[rate]u8, src: *const [rate]u8) void {
139 const blocks = &state.blocks;
140 var msg0 = AesBlockVec.fromBytes(src[0..aes_block_length]).xorBlocks(blocks[6]).xorBlocks(blocks[1]);
141 var msg1 = AesBlockVec.fromBytes(src[aes_block_length..rate]).xorBlocks(blocks[2]).xorBlocks(blocks[5]);
142 msg0 = msg0.xorBlocks(blocks[2].andBlocks(blocks[3]));
143 msg1 = msg1.xorBlocks(blocks[6].andBlocks(blocks[7]));
144 dst[0..aes_block_length].* = msg0.toBytes();
145 dst[aes_block_length..rate].* = msg1.toBytes();
146 state.update(msg0, msg1);
147 }
148
149 fn decLast(state: *State, dst: []u8, src: []const u8) void {
150 const blocks = &state.blocks;
151 const z0 = blocks[6].xorBlocks(blocks[1]).xorBlocks(blocks[2].andBlocks(blocks[3]));
152 const z1 = blocks[2].xorBlocks(blocks[5]).xorBlocks(blocks[6].andBlocks(blocks[7]));
153 var pad = [_]u8{0} ** rate;
154 pad[0..aes_block_length].* = z0.toBytes();
155 pad[aes_block_length..].* = z1.toBytes();
156 for (pad[0..src.len], src) |*p, x| p.* ^= x;
157 @memcpy(dst, pad[0..src.len]);
158 @memset(pad[src.len..], 0);
159 const msg0 = AesBlockVec.fromBytes(pad[0..aes_block_length]);
160 const msg1 = AesBlockVec.fromBytes(pad[aes_block_length..rate]);
161 state.update(msg0, msg1);
162 }
163
164 fn finalize(state: *State, comptime tag_bits: u9, adlen: usize, mlen: usize) [tag_bits / 8]u8 {
165 const blocks = &state.blocks;
166 var sizes: [aes_block_length]u8 = undefined;
167 mem.writeInt(u64, sizes[0..8], @as(u64, adlen) * 8, .little);
168 mem.writeInt(u64, sizes[8..16], @as(u64, mlen) * 8, .little);
169 for (1..degree) |i| {
170 @memcpy(sizes[i * 16 ..][0..16], sizes[0..16]);
171 }
172 const tmp = AesBlockVec.fromBytes(&sizes).xorBlocks(blocks[2]);
173 for (0..7) |_| {
174 state.update(tmp, tmp);
175 }
176 switch (tag_bits) {
177 128 => {
178 var tag_multi = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]).xorBlocks(blocks[5]).xorBlocks(blocks[6]).toBytes();
179 var tag = tag_multi[0..16].*;
180 @memcpy(tag[0..], tag_multi[0..16]);
181 for (1..degree) |d| {
182 for (0..16) |i| {
183 tag[i] ^= tag_multi[d * 16 + i];
184 }
185 }
186 return tag;
187 },
188 256 => {
189 const tag_multi_1 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).toBytes();
190 const tag_multi_2 = blocks[4].xorBlocks(blocks[5]).xorBlocks(blocks[6]).xorBlocks(blocks[7]).toBytes();
191 var tag = tag_multi_1[0..16].* ++ tag_multi_2[0..16].*;
192 for (1..degree) |d| {
193 for (0..16) |i| {
194 tag[i] ^= tag_multi_1[d * 16 + i];
195 tag[i + 16] ^= tag_multi_2[d * 16 + i];
196 }
197 }
198 return tag;
199 },
200 else => unreachable,
201 }
202 }
203
204 fn finalizeMac(state: *State, comptime tag_bits: u9, datalen: usize) [tag_bits / 8]u8 {
205 const blocks = &state.blocks;
206 var sizes: [aes_block_length]u8 = undefined;
207 mem.writeInt(u64, sizes[0..8], @as(u64, datalen) * 8, .little);
208 mem.writeInt(u64, sizes[8..16], tag_bits, .little);
209 for (1..degree) |i| {
210 @memcpy(sizes[i * 16 ..][0..16], sizes[0..16]);
211 }
212 var t = blocks[2].xorBlocks(AesBlockVec.fromBytes(&sizes));
213 for (0..7) |_| {
214 state.update(t, t);
215 }
216 if (degree > 1) {
217 var v = [_]u8{0} ** rate;
218 switch (tag_bits) {
219 128 => {
220 const tags = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]).xorBlocks(blocks[5]).xorBlocks(blocks[6]).toBytes();
221 for (0..degree / 2) |d| {
222 v[0..16].* = tags[d * 32 ..][0..16].*;
223 v[rate / 2 ..][0..16].* = tags[d * 32 ..][16..32].*;
224 state.absorb(&v);
225 }
226 },
227 256 => {
228 const tags_0 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).toBytes();
229 const tags_1 = blocks[4].xorBlocks(blocks[5]).xorBlocks(blocks[6]).xorBlocks(blocks[7]).toBytes();
230 for (1..degree) |d| {
231 v[0..16].* = tags_0[d * 16 ..][0..16].*;
232 v[rate / 2 ..][0..16].* = tags_1[d * 16 ..][0..16].*;
233 state.absorb(&v);
234 }
235 },
236 else => unreachable,
237 }
238 mem.writeInt(u64, sizes[0..8], degree, .little);
239 mem.writeInt(u64, sizes[8..16], tag_bits, .little);
240 t = blocks[2].xorBlocks(AesBlockVec.fromBytes(&sizes));
241 for (0..7) |_| {
242 state.update(t, t);
243 }
244 }
245 switch (tag_bits) {
246 128 => {
247 const tags = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]).xorBlocks(blocks[5]).xorBlocks(blocks[6]).toBytes();
248 return tags[0..16].*;
249 },
250 256 => {
251 const tags_0 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).toBytes();
252 const tags_1 = blocks[4].xorBlocks(blocks[5]).xorBlocks(blocks[6]).xorBlocks(blocks[7]).toBytes();
253 return tags_0[0..16].* ++ tags_1[0..16].*;
254 },
255 else => unreachable,
256 }
257 }
258 };
259}
260
261/// AEGIS is a very fast authenticated encryption system built on top of the core AES function.
262///
263/// The 128 bits variants of AEGIS have a 128 bit key and a 128 bit nonce.
264///
265/// https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/
266fn Aegis128XGeneric(comptime degree: u7, comptime tag_bits: u9) type {
267 comptime assert(degree > 0); // degree must be greater than 0
268 comptime assert(tag_bits == 128 or tag_bits == 256); // tag must be 128 or 256 bits
269
270 return struct {
271 const State = State128X(degree);
272
273 pub const tag_length = tag_bits / 8;
274 pub const nonce_length = 16;
275 pub const key_length = 16;
276 pub const block_length = State.rate;
277
278 const alignment = State.alignment;
279
280 /// c: ciphertext: output buffer should be of size m.len
281 /// tag: authentication tag: output MAC
282 /// m: message
283 /// ad: Associated Data
284 /// npub: public nonce
285 /// k: private key
286 pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void {
287 assert(c.len == m.len);
288 var state = State.init(key, npub);
289 var src: [block_length]u8 align(alignment) = undefined;
290 var dst: [block_length]u8 align(alignment) = undefined;
291 var i: usize = 0;
292 while (i + block_length <= ad.len) : (i += block_length) {
293 state.absorb(ad[i..][0..block_length]);
294 }
295 if (ad.len % block_length != 0) {
296 @memset(src[0..], 0);
297 @memcpy(src[0 .. ad.len % block_length], ad[i..][0 .. ad.len % block_length]);
298 state.absorb(&src);
299 }
300 i = 0;
301 while (i + block_length <= m.len) : (i += block_length) {
302 state.enc(c[i..][0..block_length], m[i..][0..block_length]);
303 }
304 if (m.len % block_length != 0) {
305 @memset(src[0..], 0);
306 @memcpy(src[0 .. m.len % block_length], m[i..][0 .. m.len % block_length]);
307 state.enc(&dst, &src);
308 @memcpy(c[i..][0 .. m.len % block_length], dst[0 .. m.len % block_length]);
309 }
310 tag.* = state.finalize(tag_bits, ad.len, m.len);
311 }
312
313 /// `m`: Message
314 /// `c`: Ciphertext
315 /// `tag`: Authentication tag
316 /// `ad`: Associated data
317 /// `npub`: Public nonce
318 /// `k`: Private key
319 /// Asserts `c.len == m.len`.
320 ///
321 /// Contents of `m` are undefined if an error is returned.
322 pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void {
323 assert(c.len == m.len);
324 var state = State.init(key, npub);
325 var src: [block_length]u8 align(alignment) = undefined;
326 var i: usize = 0;
327 while (i + block_length <= ad.len) : (i += block_length) {
328 state.absorb(ad[i..][0..block_length]);
329 }
330 if (ad.len % block_length != 0) {
331 @memset(src[0..], 0);
332 @memcpy(src[0 .. ad.len % block_length], ad[i..][0 .. ad.len % block_length]);
333 state.absorb(&src);
334 }
335 i = 0;
336 while (i + block_length <= m.len) : (i += block_length) {
337 state.dec(m[i..][0..block_length], c[i..][0..block_length]);
338 }
339 if (m.len % block_length != 0) {
340 state.decLast(m[i..], c[i..]);
341 }
342 var computed_tag = state.finalize(tag_bits, ad.len, m.len);
343 const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag);
344 if (!verify) {
345 crypto.secureZero(u8, &computed_tag);
346 @memset(m, undefined);
347 return error.AuthenticationFailed;
348 }
349 }
350 };
351}
352
353fn State256X(comptime degree: u7) type {
354 return struct {
355 const AesBlockVec = crypto.core.aes.BlockVec(degree);
356 const State = @This();
357
358 blocks: [6]AesBlockVec,
359
360 const aes_block_length = AesBlockVec.block_length;
361 const rate = aes_block_length;
362 const alignment = AesBlockVec.native_word_size;
363
364 fn init(key: [32]u8, nonce: [32]u8) State {
365 const c1 = AesBlockVec.fromBytes(&[16]u8{ 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1, 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd } ** degree);
366 const c2 = AesBlockVec.fromBytes(&[16]u8{ 0x0, 0x1, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 } ** degree);
367 const key_block1 = AesBlockVec.fromBytes(key[0..16] ** degree);
368 const key_block2 = AesBlockVec.fromBytes(key[16..32] ** degree);
369 const nonce_block1 = AesBlockVec.fromBytes(nonce[0..16] ** degree);
370 const nonce_block2 = AesBlockVec.fromBytes(nonce[16..32] ** degree);
371 const kxn1 = key_block1.xorBlocks(nonce_block1);
372 const kxn2 = key_block2.xorBlocks(nonce_block2);
373 const blocks = [6]AesBlockVec{
374 kxn1,
375 kxn2,
376 c1,
377 c2,
378 key_block1.xorBlocks(c2),
379 key_block2.xorBlocks(c1),
380 };
381 var state = State{ .blocks = blocks };
382 if (degree > 1) {
383 const context_block = ctx: {
384 var contexts_bytes = [_]u8{0} ** aes_block_length;
385 for (0..degree) |i| {
386 contexts_bytes[i * 16] = @intCast(i);
387 contexts_bytes[i * 16 + 1] = @intCast(degree - 1);
388 }
389 break :ctx AesBlockVec.fromBytes(&contexts_bytes);
390 };
391 for (0..4) |_| {
392 state.blocks[3] = state.blocks[3].xorBlocks(context_block);
393 state.blocks[5] = state.blocks[5].xorBlocks(context_block);
394 state.update(key_block1);
395 state.blocks[3] = state.blocks[3].xorBlocks(context_block);
396 state.blocks[5] = state.blocks[5].xorBlocks(context_block);
397 state.update(key_block2);
398 state.blocks[3] = state.blocks[3].xorBlocks(context_block);
399 state.blocks[5] = state.blocks[5].xorBlocks(context_block);
400 state.update(kxn1);
401 state.blocks[3] = state.blocks[3].xorBlocks(context_block);
402 state.blocks[5] = state.blocks[5].xorBlocks(context_block);
403 state.update(kxn2);
404 }
405 } else {
406 for (0..4) |_| {
407 state.update(key_block1);
408 state.update(key_block2);
409 state.update(kxn1);
410 state.update(kxn2);
411 }
412 }
413 return state;
414 }
415
416 fn update(state: *State, d: AesBlockVec) void {
417 const blocks = &state.blocks;
418 const tmp = blocks[5].encrypt(blocks[0]);
419 comptime var i: usize = 5;
420 inline while (i > 0) : (i -= 1) {
421 blocks[i] = blocks[i - 1].encrypt(blocks[i]);
422 }
423 blocks[0] = tmp.xorBlocks(d);
424 }
425
426 fn absorb(state: *State, src: *const [rate]u8) void {
427 const msg = AesBlockVec.fromBytes(src);
428 state.update(msg);
429 }
430
431 fn enc(state: *State, dst: *[rate]u8, src: *const [rate]u8) void {
432 const blocks = &state.blocks;
433 const msg = AesBlockVec.fromBytes(src);
434 var tmp = msg.xorBlocks(blocks[5]).xorBlocks(blocks[4]).xorBlocks(blocks[1]);
435 tmp = tmp.xorBlocks(blocks[2].andBlocks(blocks[3]));
436 dst.* = tmp.toBytes();
437 state.update(msg);
438 }
439
440 fn dec(state: *State, dst: *[rate]u8, src: *const [rate]u8) void {
441 const blocks = &state.blocks;
442 var msg = AesBlockVec.fromBytes(src).xorBlocks(blocks[5]).xorBlocks(blocks[4]).xorBlocks(blocks[1]);
443 msg = msg.xorBlocks(blocks[2].andBlocks(blocks[3]));
444 dst.* = msg.toBytes();
445 state.update(msg);
446 }
447
448 fn decLast(state: *State, dst: []u8, src: []const u8) void {
449 const blocks = &state.blocks;
450 const z = blocks[5].xorBlocks(blocks[4]).xorBlocks(blocks[1]).xorBlocks(blocks[2].andBlocks(blocks[3]));
451 var pad = z.toBytes();
452 for (pad[0..src.len], src) |*p, x| p.* ^= x;
453 @memcpy(dst, pad[0..src.len]);
454 @memset(pad[src.len..], 0);
455 const msg = AesBlockVec.fromBytes(pad[0..]);
456 state.update(msg);
457 }
458
459 fn finalize(state: *State, comptime tag_bits: u9, adlen: usize, mlen: usize) [tag_bits / 8]u8 {
460 const blocks = &state.blocks;
461 var sizes: [aes_block_length]u8 = undefined;
462 mem.writeInt(u64, sizes[0..8], @as(u64, adlen) * 8, .little);
463 mem.writeInt(u64, sizes[8..16], @as(u64, mlen) * 8, .little);
464 for (1..degree) |i| {
465 @memcpy(sizes[i * 16 ..][0..16], sizes[0..16]);
466 }
467 const tmp = AesBlockVec.fromBytes(&sizes).xorBlocks(blocks[3]);
468 for (0..7) |_| {
469 state.update(tmp);
470 }
471 switch (tag_bits) {
472 128 => {
473 var tag_multi = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes();
474 var tag = tag_multi[0..16].*;
475 @memcpy(tag[0..], tag_multi[0..16]);
476 for (1..degree) |d| {
477 for (0..16) |i| {
478 tag[i] ^= tag_multi[d * 16 + i];
479 }
480 }
481 return tag;
482 },
483 256 => {
484 const tag_multi_1 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).toBytes();
485 const tag_multi_2 = blocks[3].xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes();
486 var tag = tag_multi_1[0..16].* ++ tag_multi_2[0..16].*;
487 for (1..degree) |d| {
488 for (0..16) |i| {
489 tag[i] ^= tag_multi_1[d * 16 + i];
490 tag[i + 16] ^= tag_multi_2[d * 16 + i];
491 }
492 }
493 return tag;
494 },
495 else => unreachable,
496 }
497 }
498
499 fn finalizeMac(state: *State, comptime tag_bits: u9, datalen: usize) [tag_bits / 8]u8 {
500 const blocks = &state.blocks;
501 var sizes: [aes_block_length]u8 = undefined;
502 mem.writeInt(u64, sizes[0..8], @as(u64, datalen) * 8, .little);
503 mem.writeInt(u64, sizes[8..16], tag_bits, .little);
504 for (1..degree) |i| {
505 @memcpy(sizes[i * 16 ..][0..16], sizes[0..16]);
506 }
507 var t = blocks[3].xorBlocks(AesBlockVec.fromBytes(&sizes));
508 for (0..7) |_| {
509 state.update(t);
510 }
511 if (degree > 1) {
512 var v = [_]u8{0} ** rate;
513 switch (tag_bits) {
514 128 => {
515 const tags = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes();
516 for (1..degree) |d| {
517 v[0..16].* = tags[d * 16 ..][0..16].*;
518 state.absorb(&v);
519 }
520 },
521 256 => {
522 const tags_0 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).toBytes();
523 const tags_1 = blocks[3].xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes();
524 for (1..degree) |d| {
525 v[0..16].* = tags_0[d * 16 ..][0..16].*;
526 state.absorb(&v);
527 v[0..16].* = tags_1[d * 16 ..][0..16].*;
528 state.absorb(&v);
529 }
530 },
531 else => unreachable,
532 }
533 mem.writeInt(u64, sizes[0..8], degree, .little);
534 mem.writeInt(u64, sizes[8..16], tag_bits, .little);
535 t = blocks[3].xorBlocks(AesBlockVec.fromBytes(&sizes));
536 for (0..7) |_| {
537 state.update(t);
538 }
539 }
540 switch (tag_bits) {
541 128 => {
542 const tags = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).xorBlocks(blocks[3]).xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes();
543 return tags[0..16].*;
544 },
545 256 => {
546 const tags_0 = blocks[0].xorBlocks(blocks[1]).xorBlocks(blocks[2]).toBytes();
547 const tags_1 = blocks[3].xorBlocks(blocks[4]).xorBlocks(blocks[5]).toBytes();
548 return tags_0[0..16].* ++ tags_1[0..16].*;
549 },
550 else => unreachable,
551 }
552 }
553 };
554}
555
556/// AEGIS is a very fast authenticated encryption system built on top of the core AES function.
557///
558/// The 256 bits variants of AEGIS have a 256 bit key and a 256 bit nonce.
559///
560/// https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/
561fn Aegis256XGeneric(comptime degree: u7, comptime tag_bits: u9) type {
562 comptime assert(degree > 0); // degree must be greater than 0
563 comptime assert(tag_bits == 128 or tag_bits == 256); // tag must be 128 or 256 bits
564
565 return struct {
566 const State = State256X(degree);
567
568 pub const tag_length = tag_bits / 8;
569 pub const nonce_length = 32;
570 pub const key_length = 32;
571 pub const block_length = State.rate;
572
573 const alignment = State.alignment;
574
575 /// c: ciphertext: output buffer should be of size m.len
576 /// tag: authentication tag: output MAC
577 /// m: message
578 /// ad: Associated Data
579 /// npub: public nonce
580 /// k: private key
581 pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) void {
582 assert(c.len == m.len);
583 var state = State.init(key, npub);
584 var src: [block_length]u8 align(alignment) = undefined;
585 var dst: [block_length]u8 align(alignment) = undefined;
586 var i: usize = 0;
587 while (i + block_length <= ad.len) : (i += block_length) {
588 state.absorb(ad[i..][0..block_length]);
589 }
590 if (ad.len % block_length != 0) {
591 @memset(src[0..], 0);
592 @memcpy(src[0 .. ad.len % block_length], ad[i..][0 .. ad.len % block_length]);
593 state.absorb(&src);
594 }
595 i = 0;
596 while (i + block_length <= m.len) : (i += block_length) {
597 state.enc(c[i..][0..block_length], m[i..][0..block_length]);
598 }
599 if (m.len % block_length != 0) {
600 @memset(src[0..], 0);
601 @memcpy(src[0 .. m.len % block_length], m[i..][0 .. m.len % block_length]);
602 state.enc(&dst, &src);
603 @memcpy(c[i..][0 .. m.len % block_length], dst[0 .. m.len % block_length]);
604 }
605 tag.* = state.finalize(tag_bits, ad.len, m.len);
606 }
607
608 /// `m`: Message
609 /// `c`: Ciphertext
610 /// `tag`: Authentication tag
611 /// `ad`: Associated data
612 /// `npub`: Public nonce
613 /// `k`: Private key
614 /// Asserts `c.len == m.len`.
615 ///
616 /// Contents of `m` are undefined if an error is returned.
617 pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const u8, npub: [nonce_length]u8, key: [key_length]u8) AuthenticationError!void {
618 assert(c.len == m.len);
619 var state = State.init(key, npub);
620 var src: [block_length]u8 align(alignment) = undefined;
621 var i: usize = 0;
622 while (i + block_length <= ad.len) : (i += block_length) {
623 state.absorb(ad[i..][0..block_length]);
624 }
625 if (ad.len % block_length != 0) {
626 @memset(src[0..], 0);
627 @memcpy(src[0 .. ad.len % block_length], ad[i..][0 .. ad.len % block_length]);
628 state.absorb(&src);
629 }
630 i = 0;
631 while (i + block_length <= m.len) : (i += block_length) {
632 state.dec(m[i..][0..block_length], c[i..][0..block_length]);
633 }
634 if (m.len % block_length != 0) {
635 state.decLast(m[i..], c[i..]);
636 }
637 var computed_tag = state.finalize(tag_bits, ad.len, m.len);
638 const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag);
639 if (!verify) {
640 crypto.secureZero(u8, &computed_tag);
641 @memset(m, undefined);
642 return error.AuthenticationFailed;
643 }
644 }
645 };
646}
647
648/// The `Aegis128X4Mac` message authentication function outputs 256 bit tags.
649/// In addition to being extremely fast, its large state, non-linearity
650/// and non-invertibility provides the following properties:
651/// - 128 bit security, stronger than GHash/Polyval/Poly1305.
652/// - Recovering the secret key from the state would require ~2^128 attempts,
653/// which is infeasible for any practical adversary.
654/// - It has a large security margin against internal collisions.
655pub const Aegis128X4Mac = AegisMac(Aegis128X4_256);
656
657/// The `Aegis128X2Mac` message authentication function outputs 256 bit tags.
658/// In addition to being extremely fast, its large state, non-linearity
659/// and non-invertibility provides the following properties:
660/// - 128 bit security, stronger than GHash/Polyval/Poly1305.
661/// - Recovering the secret key from the state would require ~2^128 attempts,
662/// which is infeasible for any practical adversary.
663/// - It has a large security margin against internal collisions.
664pub const Aegis128X2Mac = AegisMac(Aegis128X2_256);
665
666/// The `Aegis128LMac` message authentication function outputs 256 bit tags.
667/// In addition to being extremely fast, its large state, non-linearity
668/// and non-invertibility provides the following properties:
669/// - 128 bit security, stronger than GHash/Polyval/Poly1305.
670/// - Recovering the secret key from the state would require ~2^128 attempts,
671/// which is infeasible for any practical adversary.
672/// - It has a large security margin against internal collisions.
673pub const Aegis128LMac = AegisMac(Aegis128L_256);
674
675/// The `Aegis256X4Mac` message authentication function has a 256-bit key size,
676/// and outputs 256 bit tags.
677/// The key size is the main practical difference with `Aegis128X4Mac`.
678/// AEGIS' large state, non-linearity and non-invertibility provides the
679/// following properties:
680/// - 256 bit security against forgery.
681/// - Recovering the secret key from the state would require ~2^256 attempts,
682/// which is infeasible for any practical adversary.
683/// - It has a large security margin against internal collisions.
684pub const Aegis256X4Mac = AegisMac(Aegis256X4_256);
685
686/// The `Aegis256X2Mac` message authentication function has a 256-bit key size,
687/// and outputs 256 bit tags.
688/// The key size is the main practical difference with `Aegis128X2Mac`.
689/// AEGIS' large state, non-linearity and non-invertibility provides the
690/// following properties:
691/// - 256 bit security against forgery.
692/// - Recovering the secret key from the state would require ~2^256 attempts,
693/// which is infeasible for any practical adversary.
694/// - It has a large security margin against internal collisions.
695pub const Aegis256X2Mac = AegisMac(Aegis256X2_256);
696
697/// The `Aegis256Mac` message authentication function has a 256-bit key size,
698/// and outputs 256 bit tags.
699/// The key size is the main practical difference with `Aegis128LMac`.
700/// AEGIS' large state, non-linearity and non-invertibility provides the
701/// following properties:
702/// - 256 bit security against forgery.
703/// - Recovering the secret key from the state would require ~2^256 attempts,
704/// which is infeasible for any practical adversary.
705/// - It has a large security margin against internal collisions.
706pub const Aegis256Mac = AegisMac(Aegis256_256);
707
708/// AEGIS-128X4 MAC with 128-bit tags
709pub const Aegis128X4Mac_128 = AegisMac(Aegis128X4);
710
711/// AEGIS-128X2 MAC with 128-bit tags
712pub const Aegis128X2Mac_128 = AegisMac(Aegis128X2);
713
714/// AEGIS-128L MAC with 128-bit tags
715pub const Aegis128LMac_128 = AegisMac(Aegis128L);
716
717/// AEGIS-256X4 MAC with 128-bit tags
718pub const Aegis256X4Mac_128 = AegisMac(Aegis256X4);
719
720/// AEGIS-256X2 MAC with 128-bit tags
721pub const Aegis256X2Mac_128 = AegisMac(Aegis256X2);
722
723/// AEGIS-256 MAC with 128-bit tags
724pub const Aegis256Mac_128 = AegisMac(Aegis256);
725
726fn AegisMac(comptime T: type) type {
727 return struct {
728 const Mac = @This();
729
730 pub const mac_length = T.tag_length;
731 pub const key_length = T.key_length;
732 pub const nonce_length = T.nonce_length;
733 pub const block_length = T.block_length;
734
735 state: T.State,
736 buf: [block_length]u8 = undefined,
737 off: usize = 0,
738 msg_len: usize = 0,
739
740 /// Initialize a state for the MAC function, with a key and a nonce
741 pub fn initWithNonce(key: *const [key_length]u8, nonce: *const [nonce_length]u8) Mac {
742 return Mac{
743 .state = T.State.init(key.*, nonce.*),
744 };
745 }
746
747 /// Initialize a state for the MAC function, with a default nonce
748 pub fn init(key: *const [key_length]u8) Mac {
749 return Mac{
750 .state = T.State.init(key.*, [_]u8{0} ** nonce_length),
751 };
752 }
753
754 /// Add data to the state
755 pub fn update(self: *Mac, b: []const u8) void {
756 self.msg_len += b.len;
757
758 const len_partial = @min(b.len, block_length - self.off);
759 @memcpy(self.buf[self.off..][0..len_partial], b[0..len_partial]);
760 self.off += len_partial;
761 if (self.off < block_length) {
762 return;
763 }
764 self.state.absorb(&self.buf);
765
766 var i = len_partial;
767 self.off = 0;
768 while (i + block_length * 2 <= b.len) : (i += block_length * 2) {
769 self.state.absorb(b[i..][0..block_length]);
770 self.state.absorb(b[i..][block_length .. block_length * 2]);
771 }
772 while (i + block_length <= b.len) : (i += block_length) {
773 self.state.absorb(b[i..][0..block_length]);
774 }
775 if (i != b.len) {
776 self.off = b.len - i;
777 @memcpy(self.buf[0..self.off], b[i..]);
778 }
779 }
780
781 /// Return an authentication tag for the current state
782 pub fn final(self: *Mac, out: *[mac_length]u8) void {
783 if (self.off > 0) {
784 var pad = [_]u8{0} ** block_length;
785 @memcpy(pad[0..self.off], self.buf[0..self.off]);
786 self.state.absorb(&pad);
787 }
788 out.* = self.state.finalizeMac(T.tag_length * 8, self.msg_len);
789 }
790
791 /// Return an authentication tag for a message, a key and a nonce
792 pub fn createWithNonce(out: *[mac_length]u8, msg: []const u8, key: *const [key_length]u8, nonce: *const [nonce_length]u8) void {
793 var ctx = Mac.initWithNonce(key, nonce);
794 ctx.update(msg);
795 ctx.final(out);
796 }
797
798 /// Return an authentication tag for a message and a key
799 pub fn create(out: *[mac_length]u8, msg: []const u8, key: *const [key_length]u8) void {
800 var ctx = Mac.init(key);
801 ctx.update(msg);
802 ctx.final(out);
803 }
804 };
805}
806
807const htest = @import("test.zig");
808const testing = std.testing;
809
810test "Aegis128L test vector 1" {
811 const key: [Aegis128L.key_length]u8 = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** 14;
812 const nonce: [Aegis128L.nonce_length]u8 = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** 13;
813 const ad = [8]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
814 const m = [32]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
815 var c: [m.len]u8 = undefined;
816 var m2: [m.len]u8 = undefined;
817 var tag: [Aegis128L.tag_length]u8 = undefined;
818
819 Aegis128L.encrypt(&c, &tag, &m, &ad, nonce, key);
820 try Aegis128L.decrypt(&m2, &c, tag, &ad, nonce, key);
821 try testing.expectEqualSlices(u8, &m, &m2);
822
823 try htest.assertEqual("79d94593d8c2119d7e8fd9b8fc77845c5c077a05b2528b6ac54b563aed8efe84", &c);
824 try htest.assertEqual("cc6f3372f6aa1bb82388d695c3962d9a", &tag);
825
826 c[0] +%= 1;
827 try testing.expectError(error.AuthenticationFailed, Aegis128L.decrypt(&m2, &c, tag, &ad, nonce, key));
828 c[0] -%= 1;
829 tag[0] +%= 1;
830 try testing.expectError(error.AuthenticationFailed, Aegis128L.decrypt(&m2, &c, tag, &ad, nonce, key));
831}
832
833test "Aegis128L test vector 2" {
834 const key: [Aegis128L.key_length]u8 = [_]u8{0x00} ** 16;
835 const nonce: [Aegis128L.nonce_length]u8 = [_]u8{0x00} ** 16;
836 const ad = [_]u8{};
837 const m = [_]u8{0x00} ** 16;
838 var c: [m.len]u8 = undefined;
839 var m2: [m.len]u8 = undefined;
840 var tag: [Aegis128L.tag_length]u8 = undefined;
841
842 Aegis128L.encrypt(&c, &tag, &m, &ad, nonce, key);
843 try Aegis128L.decrypt(&m2, &c, tag, &ad, nonce, key);
844 try testing.expectEqualSlices(u8, &m, &m2);
845
846 try htest.assertEqual("41de9000a7b5e40e2d68bb64d99ebb19", &c);
847 try htest.assertEqual("f4d997cc9b94227ada4fe4165422b1c8", &tag);
848}
849
850test "Aegis128L test vector 3" {
851 const key: [Aegis128L.key_length]u8 = [_]u8{0x00} ** 16;
852 const nonce: [Aegis128L.nonce_length]u8 = [_]u8{0x00} ** 16;
853 const ad = [_]u8{};
854 const m = [_]u8{};
855 var c: [m.len]u8 = undefined;
856 var m2: [m.len]u8 = undefined;
857 var tag: [Aegis128L.tag_length]u8 = undefined;
858
859 Aegis128L.encrypt(&c, &tag, &m, &ad, nonce, key);
860 try Aegis128L.decrypt(&m2, &c, tag, &ad, nonce, key);
861 try testing.expectEqualSlices(u8, &m, &m2);
862
863 try htest.assertEqual("83cc600dc4e3e7e62d4055826174f149", &tag);
864}
865
866test "Aegis128X2 test vector 1" {
867 const key: [Aegis128X2.key_length]u8 = [_]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
868 const nonce: [Aegis128X2.nonce_length]u8 = [_]u8{ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
869 var empty = [_]u8{};
870 var tag: [Aegis128X2.tag_length]u8 = undefined;
871 var tag256: [Aegis128X2_256.tag_length]u8 = undefined;
872
873 Aegis128X2.encrypt(&empty, &tag, &empty, &empty, nonce, key);
874 Aegis128X2_256.encrypt(&empty, &tag256, &empty, &empty, nonce, key);
875 try htest.assertEqual("63117dc57756e402819a82e13eca8379", &tag);
876 try htest.assertEqual("b92c71fdbd358b8a4de70b27631ace90cffd9b9cfba82028412bac41b4f53759", &tag256);
877 tag[0] +%= 1;
878 try testing.expectError(error.AuthenticationFailed, Aegis128X2.decrypt(&empty, &empty, tag, &empty, nonce, key));
879 tag256[0] +%= 1;
880 try testing.expectError(error.AuthenticationFailed, Aegis128X2_256.decrypt(&empty, &empty, tag256, &empty, nonce, key));
881}
882
883test "Aegis256 test vector 1" {
884 const key: [Aegis256.key_length]u8 = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** 30;
885 const nonce: [Aegis256.nonce_length]u8 = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** 29;
886 const ad = [8]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
887 const m = [32]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
888 var c: [m.len]u8 = undefined;
889 var m2: [m.len]u8 = undefined;
890 var tag: [Aegis256.tag_length]u8 = undefined;
891
892 Aegis256.encrypt(&c, &tag, &m, &ad, nonce, key);
893 try Aegis256.decrypt(&m2, &c, tag, &ad, nonce, key);
894 try testing.expectEqualSlices(u8, &m, &m2);
895
896 try htest.assertEqual("f373079ed84b2709faee373584585d60accd191db310ef5d8b11833df9dec711", &c);
897 try htest.assertEqual("8d86f91ee606e9ff26a01b64ccbdd91d", &tag);
898
899 c[0] +%= 1;
900 try testing.expectError(error.AuthenticationFailed, Aegis256.decrypt(&m2, &c, tag, &ad, nonce, key));
901 c[0] -%= 1;
902 tag[0] +%= 1;
903 try testing.expectError(error.AuthenticationFailed, Aegis256.decrypt(&m2, &c, tag, &ad, nonce, key));
904}
905
906test "Aegis256 test vector 2" {
907 const key: [Aegis256.key_length]u8 = [_]u8{0x00} ** 32;
908 const nonce: [Aegis256.nonce_length]u8 = [_]u8{0x00} ** 32;
909 const ad = [_]u8{};
910 const m = [_]u8{0x00} ** 16;
911 var c: [m.len]u8 = undefined;
912 var m2: [m.len]u8 = undefined;
913 var tag: [Aegis256.tag_length]u8 = undefined;
914
915 Aegis256.encrypt(&c, &tag, &m, &ad, nonce, key);
916 try Aegis256.decrypt(&m2, &c, tag, &ad, nonce, key);
917 try testing.expectEqualSlices(u8, &m, &m2);
918
919 try htest.assertEqual("b98f03a947807713d75a4fff9fc277a6", &c);
920 try htest.assertEqual("478f3b50dc478ef7d5cf2d0f7cc13180", &tag);
921}
922
923test "Aegis256 test vector 3" {
924 const key: [Aegis256.key_length]u8 = [_]u8{0x00} ** 32;
925 const nonce: [Aegis256.nonce_length]u8 = [_]u8{0x00} ** 32;
926 const ad = [_]u8{};
927 const m = [_]u8{};
928 var c: [m.len]u8 = undefined;
929 var m2: [m.len]u8 = undefined;
930 var tag: [Aegis256.tag_length]u8 = undefined;
931
932 Aegis256.encrypt(&c, &tag, &m, &ad, nonce, key);
933 try Aegis256.decrypt(&m2, &c, tag, &ad, nonce, key);
934 try testing.expectEqualSlices(u8, &m, &m2);
935
936 try htest.assertEqual("f7a0878f68bd083e8065354071fc27c3", &tag);
937}
938
939test "Aegis256X4 test vector 1" {
940 const key: [Aegis256X4.key_length]u8 = [_]u8{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
941 const nonce: [Aegis256X4.nonce_length]u8 = [_]u8{ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f };
942 var empty = [_]u8{};
943 var tag: [Aegis256X4.tag_length]u8 = undefined;
944 var tag256: [Aegis256X4_256.tag_length]u8 = undefined;
945
946 Aegis256X4.encrypt(&empty, &tag, &empty, &empty, nonce, key);
947 Aegis256X4_256.encrypt(&empty, &tag256, &empty, &empty, nonce, key);
948 try htest.assertEqual("3b7fee6cee7bf17888ad11ed2397beb4", &tag);
949 try htest.assertEqual("6093a1a8aab20ec635dc1ca71745b01b5bec4fc444c9ffbebd710d4a34d20eaf", &tag256);
950 tag[0] +%= 1;
951 try testing.expectError(error.AuthenticationFailed, Aegis256X4.decrypt(&empty, &empty, tag, &empty, nonce, key));
952 tag256[0] +%= 1;
953 try testing.expectError(error.AuthenticationFailed, Aegis256X4_256.decrypt(&empty, &empty, tag256, &empty, nonce, key));
954}
955
956test "Aegis MAC" {
957 const key = [_]u8{0x00} ** Aegis128LMac.key_length;
958 var msg: [64]u8 = undefined;
959 for (&msg, 0..) |*m, i| {
960 m.* = @as(u8, @truncate(i));
961 }
962 const st_init = Aegis128LMac.init(&key);
963 var st = st_init;
964 var tag: [Aegis128LMac.mac_length]u8 = undefined;
965
966 st.update(msg[0..32]);
967 st.update(msg[32..]);
968 st.final(&tag);
969 try htest.assertEqual("f5eb88d90b7d31c9a679eb94ed1374cd14816b19cdb77930d1a5158f8595983b", &tag);
970
971 st = st_init;
972 st.update(msg[0..31]);
973 st.update(msg[31..]);
974 st.final(&tag);
975 try htest.assertEqual("f5eb88d90b7d31c9a679eb94ed1374cd14816b19cdb77930d1a5158f8595983b", &tag);
976
977 st = st_init;
978 st.update(msg[0..14]);
979 st.update(msg[14..30]);
980 st.update(msg[30..]);
981 st.final(&tag);
982 try htest.assertEqual("f5eb88d90b7d31c9a679eb94ed1374cd14816b19cdb77930d1a5158f8595983b", &tag);
983
984 // An update whose size is not a multiple of the block size
985 st = st_init;
986 st.update(msg[0..33]);
987 st.final(&tag);
988 try htest.assertEqual("07b3ba5ad9ceee5ef1906e3396f0fa540fbcd2f33833ef97c35bdc2ae9ae0535", &tag);
989}
990
991test "AEGISMAC-128* test vectors" {
992 const key = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** (16 - 2);
993 const nonce = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** (16 - 3);
994 var msg: [35]u8 = undefined;
995 for (&msg, 0..) |*byte, i| byte.* = @truncate(i);
996 var mac128: [16]u8 = undefined;
997 var mac256: [32]u8 = undefined;
998
999 Aegis128LMac.createWithNonce(&mac256, &msg, &key, &nonce);
1000 Aegis128LMac_128.createWithNonce(&mac128, &msg, &key, &nonce);
1001 try htest.assertEqual("d3f09b2842ad301687d6902c921d7818", &mac128);
1002 try htest.assertEqual("9490e7c89d420c9f37417fa625eb38e8cad53c5cbec55285e8499ea48377f2a3", &mac256);
1003
1004 Aegis128X2Mac.createWithNonce(&mac256, &msg, &key, &nonce);
1005 Aegis128X2Mac_128.createWithNonce(&mac128, &msg, &key, &nonce);
1006 try htest.assertEqual("6873ee34e6b5c59143b6d35c5e4f2c6e", &mac128);
1007 try htest.assertEqual("afcba3fc2d63c8d6c7f2d63f3ec8fbbbaf022e15ac120e78ffa7755abccd959c", &mac256);
1008
1009 Aegis128X4Mac.createWithNonce(&mac256, &msg, &key, &nonce);
1010 Aegis128X4Mac_128.createWithNonce(&mac128, &msg, &key, &nonce);
1011 try htest.assertEqual("c45a98fd9ab8956ce616eb008cfe4e53", &mac128);
1012 try htest.assertEqual("26fdc76f41b1da7aec7779f6e964beae8904e662f05aca8345ae3befb357412a", &mac256);
1013}
1014
1015test "AEGISMAC-256* test vectors" {
1016 const key = [_]u8{ 0x10, 0x01 } ++ [_]u8{0x00} ** (32 - 2);
1017 const nonce = [_]u8{ 0x10, 0x00, 0x02 } ++ [_]u8{0x00} ** (32 - 3);
1018 var msg: [35]u8 = undefined;
1019 for (&msg, 0..) |*byte, i| byte.* = @truncate(i);
1020 var mac128: [16]u8 = undefined;
1021 var mac256: [32]u8 = undefined;
1022
1023 Aegis256Mac.createWithNonce(&mac256, &msg, &key, &nonce);
1024 Aegis256Mac_128.createWithNonce(&mac128, &msg, &key, &nonce);
1025 try htest.assertEqual("c08e20cfc56f27195a46c9cef5c162d4", &mac128);
1026 try htest.assertEqual("a5c906ede3d69545c11e20afa360b221f936e946ed2dba3d7c75ad6dc2784126", &mac256);
1027
1028 Aegis256X2Mac.createWithNonce(&mac256, &msg, &key, &nonce);
1029 Aegis256X2Mac_128.createWithNonce(&mac128, &msg, &key, &nonce);
1030 try htest.assertEqual("fb319cb6dd728a764606fb14d37f2a5e", &mac128);
1031 try htest.assertEqual("0844b20ed5147ceae89c7a160263afd4b1382d6b154ecf560ce8a342cb6a8fd1", &mac256);
1032
1033 Aegis256X4Mac.createWithNonce(&mac256, &msg, &key, &nonce);
1034 Aegis256X4Mac_128.createWithNonce(&mac128, &msg, &key, &nonce);
1035 try htest.assertEqual("a51f9bc5beae60cce77f0dbc60761edd", &mac128);
1036 try htest.assertEqual("b36a16ef07c36d75a91f437502f24f545b8dfa88648ed116943c29fead3bf10c", &mac256);
1037}