Merge pull request #6 from RustCrypto/polyval/use-universal-hash-trait

polyval: Use UniversalHash trait

Author: tarcieri

polyval/Cargo.toml

@@ -15,13 +15,15 @@ categories = ["cryptography", "no-std"]
 edition = "2018"
 
 [dependencies]
-subtle = { version = "2", default-features = false }
+universal-hash = { version = "0.2", default-features = false }
+zeroize = { version = "0.10", optional = true, default-features = false }
 
 [dev-dependencies]
-crypto-mac = { version = "0.7", features = ["dev"] }
 hex-literal = "0.1"
 
 [features]
+default = []
+std = ["universal-hash/std"]
 insecure-soft = []
 
 [badges]

polyval/benches/polyval.rs

@@ -1,85 +1,29 @@
 #![feature(test)]
 
-use crypto_mac::generic_array::{typenum::U16, GenericArray};
-use crypto_mac::{bench, MacResult};
-use polyval::{Block, Polyval};
-use std::{cmp::min, convert::TryInto};
+extern crate test;
 
-bench!(PolyvalMac);
+use polyval::{Polyval, universal_hash::UniversalHash};
+use test::Bencher;
 
-/// POLYVAL isn't a traditional MAC and for that reason doesn't impl the
-/// `crypto_mac::Mac` trait.
-///
-/// This type is a newtype that impls a pseudo-MAC to leverage the benchmark
-/// functionality.
-///
-/// This is just for benchmarking! Don't copy and paste this into your program
-/// unless you really know what you're doing!!!
-#[derive(Clone)]
-struct PolyvalMac {
-    poly: Polyval,
-    leftover: usize,
-    buffer: Block,
-}
-
-impl Mac for PolyvalMac {
-    type OutputSize = U16;
-    type KeySize = U16;
+// TODO(tarcieri): move this into the `universal-hash` crate
+macro_rules! bench {
+    ($name:ident, $bs:expr) => {
+        #[bench]
+        fn $name(b: &mut Bencher) {
+            let key = Default::default();
+            let mut m = Polyval::new(&key);
+            let data = [0; $bs];
 
-    fn new(key: &GenericArray<u8, Self::KeySize>) -> PolyvalMac {
-        let poly = Polyval::new(key.as_slice().try_into().unwrap());
+            b.iter(|| {
+                m.update_padded(&data);
+            });
 
-        PolyvalMac {
-            poly,
-            leftover: 0,
-            buffer: Block::default(),
+            b.bytes = $bs;
         }
-    }
-
-    fn input(&mut self, data: &[u8]) {
-        let mut m = data;
-
-        if self.leftover > 0 {
-            let want = min(16 - self.leftover, m.len());
-
-            for (i, byte) in m.iter().cloned().enumerate().take(want) {
-                self.buffer[self.leftover + i] = byte;
-            }
-
-            m = &m[want..];
-            self.leftover += want;
-
-            if self.leftover < 16 {
-                return;
-            }
-
-            self.block();
-            self.leftover = 0;
-        }
-
-        while m.len() >= 16 {
-            self.block();
-            m = &m[16..];
-        }
-
-        self.buffer[..m.len()].copy_from_slice(m);
-        self.leftover = m.len();
-    }
-
-    fn reset(&mut self) {
-        unimplemented!();
-    }
-
-    fn result(self) -> MacResult<Self::OutputSize> {
-        let tag: Block = self.poly.result().into();
-        MacResult::new(tag.into())
-    }
+    };
 }
 
-impl PolyvalMac {
-    /// Input the current internal buffer into POLYVAL
-    fn block(&mut self) {
-        let elem = self.buffer;
-        self.poly.input_block(elem)
-    }
-}
+bench!(bench1_10, 10);
+bench!(bench2_100, 100);
+bench!(bench3_1000, 1000);
+bench!(bench3_10000, 10000);

polyval/src/field.rs

@@ -14,16 +14,18 @@
 //!
 //! [RFC 8452 Section 3]: https://tools.ietf.org/html/rfc8452#section-3
 
-pub mod backend;
-pub mod clmul;
+pub(crate) mod backend;
+mod clmul;
 
 use self::backend::Backend;
-use super::Block;
 use core::ops::{Add, Mul};
 
 /// Size of GF(2^128) in bytes (16-bytes).
 pub const FIELD_SIZE: usize = 16;
 
+/// POLYVAL field element bytestrings (16-bytes)
+pub type Block = [u8; FIELD_SIZE];
+
 /// Mask value used when performing Montgomery fast reduction.
 /// This corresponds to POLYVAL's polynomial with the highest bit unset.
 ///
@@ -32,7 +34,7 @@ const MASK: u128 = 1 << 127 | 1 << 126 | 1 << 121 | 1;
 
 /// POLYVAL field element.
 #[derive(Copy, Clone)]
-pub(crate) struct Element<B: Backend>(B);
+pub struct Element<B: Backend>(B);
 
 impl<B: Backend> Element<B> {
     /// Load a `FieldElement` from its bytestring representation.
@@ -57,6 +59,12 @@ impl<B: Backend> Element<B> {
     }
 }
 
+impl<B: Backend> Default for Element<B> {
+    fn default() -> Self {
+        Self::from_bytes(Block::default())
+    }
+}
+
 #[allow(clippy::suspicious_arithmetic_impl)]
 impl<B: Backend> Add for Element<B> {
     type Output = Self;

polyval/src/field/backend.rs

@@ -12,7 +12,7 @@ mod pclmulqdq;
 mod soft;
 
 use super::clmul::Clmul;
-use crate::Block;
+use super::Block;
 use core::ops::BitXor;
 
 #[cfg(not(any(

polyval/src/field/backend/pclmulqdq.rs

@@ -10,8 +10,8 @@ use core::arch::x86::*;
 use core::arch::x86_64::*;
 
 use super::Backend;
-use crate::{
-    field::clmul::{self, Clmul},
+use crate::field::{
+    clmul::{self, Clmul},
     Block,
 };
 use core::ops::BitXor;

polyval/src/field/backend/soft.rs

@@ -6,8 +6,10 @@
 // See: <https://bearssl.org/gitweb/?p=BearSSL;a=blob;f=src/hash/ghash_ctmul64.c>
 
 use super::Backend;
-use crate::field::clmul::{self, Clmul};
-use crate::Block;
+use crate::field::{
+    clmul::{self, Clmul},
+    Block,
+};
 use core::{convert::TryInto, ops::BitXor};
 
 /// 2 x `u64` values emulating an XMM register

polyval/src/lib.rs

@@ -47,77 +47,54 @@
 #![doc(html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo_small.png")]
 #![warn(missing_docs, rust_2018_idioms)]
 
-pub use subtle;
-
 pub mod field;
-pub mod tag;
-
-use self::field::Element;
-pub use self::tag::Tag;
 
-// TODO(tarcieri): runtime selection of CLMUL vs soft backend when both are available
-use self::field::backend::M128i;
+pub use universal_hash;
 
-/// Size of a POLYVAL block (128-bits)
-pub const BLOCK_SIZE: usize = 16;
+use core::convert::TryInto;
+use universal_hash::generic_array::{typenum::U16, GenericArray};
+use universal_hash::{Output, UniversalHash};
 
-/// POLYVAL blocks (16-bytes)
-pub type Block = [u8; BLOCK_SIZE];
+// TODO(tarcieri): runtime selection of CLMUL vs soft backend when both are available
+use field::backend::M128i;
 
 /// **POLYVAL**: GHASH-like universal hash over GF(2^128).
 #[allow(non_snake_case)]
 #[derive(Clone)]
 #[repr(align(16))]
 pub struct Polyval {
     /// GF(2^128) field element input blocks are multiplied by
-    H: Element<M128i>,
+    H: field::Element<M128i>,
 
     /// Field element representing the computed universal hash
-    S: Element<M128i>,
+    S: field::Element<M128i>,
 }
 
-impl Polyval {
+impl UniversalHash for Polyval {
+    type KeySize = U16;
+    type OutputSize = U16;
+
     /// Initialize POLYVAL with the given `H` field element
-    pub fn new(h: Block) -> Self {
+    fn new(h: &GenericArray<u8, U16>) -> Self {
         Self {
-            H: Element::from_bytes(h),
-            S: Element::from_bytes(Block::default()),
+            H: field::Element::from_bytes(h.as_slice().try_into().unwrap()),
+            S: field::Element::default(),
         }
     }
 
     /// Input a field element `X` to be authenticated into POLYVAL.
-    pub fn input_block(&mut self, x: Block) {
-        // "The sum of any two elements in the field is the result of XORing them."
-        // -- RFC 8452 Section 3
-        let sum = self.S + Element::from_bytes(x);
-        self.S = sum * self.H;
-    }
-
-    /// Input data into POLYVAL, first padding it to the block size
-    /// ala the `right_pad_to_multiple_of_16_bytes()` function described in
-    /// RFC 8452 Section 4:
-    /// <https://tools.ietf.org/html/rfc8452#section-4>
-    pub fn input_padded(&mut self, data: &[u8]) {
-        for chunk in data.chunks(BLOCK_SIZE) {
-            if chunk.len() == BLOCK_SIZE {
-                // TODO(tarcieri): replace with `TryInto` in Rust 1.34+
-                self.input_block(unsafe { *(chunk.as_ptr() as *const Block) });
-            } else {
-                let mut padded_block = [0u8; BLOCK_SIZE];
-                padded_block[..chunk.len()].copy_from_slice(chunk);
-                self.input_block(padded_block);
-            }
-        }
+    fn update_block(&mut self, x: &GenericArray<u8, U16>) {
+        let x = field::Element::from_bytes(x.as_slice().try_into().unwrap());
+        self.S = (self.S + x) * self.H;
     }
 
-    /// Process input blocks in a chained manner
-    pub fn chain_block(mut self, x: Block) -> Self {
-        self.input_block(x);
-        self
+    /// Reset internal state
+    fn reset(&mut self) {
+        self.S = field::Element::default();
     }
 
     /// Get POLYVAL result (i.e. computed `S` field element)
-    pub fn result(self) -> Tag {
-        Tag::new(self.S.to_bytes())
+    fn result(self) -> Output<U16> {
+        Output::new(GenericArray::from(self.S.to_bytes()))
     }
 }

polyval/src/tag.rs

@@ -1,22 +1,26 @@
 #[macro_use]
 extern crate hex_literal;
 
-use polyval::{Block, Polyval};
+use polyval::{universal_hash::UniversalHash, Polyval};
 
 //
 // Test vectors or POLYVAL from RFC 8452 Appendix A
 // <https://tools.ietf.org/html/rfc8452#appendix-A>
 //
 
-const H: Block = hex!("25629347589242761d31f826ba4b757b");
-const X_1: Block = hex!("4f4f95668c83dfb6401762bb2d01a262");
-const X_2: Block = hex!("d1a24ddd2721d006bbe45f20d3c9f362");
+const H: [u8; 16] = hex!("25629347589242761d31f826ba4b757b");
+const X_1: [u8; 16] = hex!("4f4f95668c83dfb6401762bb2d01a262");
+const X_2: [u8; 16] = hex!("d1a24ddd2721d006bbe45f20d3c9f362");
 
 /// POLYVAL(H, X_1, X_2)
-const POLYVAL_RESULT: Block = hex!("f7a3b47b846119fae5b7866cf5e5b77e");
+const POLYVAL_RESULT: [u8; 16] = hex!("f7a3b47b846119fae5b7866cf5e5b77e");
 
 #[test]
 fn rfc_8452_test_vector() {
-    let result = Polyval::new(H).chain_block(X_1).chain_block(X_2).result();
-    assert_eq!(result.as_ref(), &POLYVAL_RESULT);
+    let mut poly = Polyval::new(&H.into());
+    poly.update_block(&X_1.into());
+    poly.update_block(&X_2.into());
+
+    let result = poly.result();
+    assert_eq!(&POLYVAL_RESULT[..], result.into_bytes().as_slice());
 }