poly1305: Use UniversalHash trait

A first pass at adapting Poly1305 to use the `UniversalHash` trait

Author: tarcieri

poly1305/Cargo.toml

@@ -12,12 +12,9 @@ readme = "README.md"
 edition = "2018"
 
 [dependencies]
-subtle = { version = "2", default-features = false }
+universal-hash = "0.2"
 zeroize = { version = "0.9", optional = true, default-features = false }
 
-[dev-dependencies]
-crypto-mac = { version = "0.7", features = ["dev"] }
-
 [badges]
 maintenance = { status = "experimental" }
 travis-ci = { repository = "RustCrypto/universal-hashes" }

poly1305/benches/poly1305.rs

@@ -1,45 +1,29 @@
 #![feature(test)]
 
-use crypto_mac::generic_array::{
-    typenum::{U16, U32},
-    GenericArray,
-};
-use crypto_mac::{MacResult, bench};
-use poly1305::{Block, Poly1305};
-use std::convert::TryInto;
-
-bench!(Poly1305Mac);
-
-/// Poly1305 isn't a traditional MAC and for that reason doesn't impl the
-/// `crypto_mac::Mac` trait.
-///
-/// This type is a newtype that impls a pseudo-MAC to leverage the benchmark
-/// functionality.
-///
-/// This is just for benchmarking! Don't copy and paste this into your program
-/// unless you really know what you're doing!!!
-#[derive(Clone)]
-struct Poly1305Mac(Poly1305);
-
-impl Mac for Poly1305Mac {
-    type OutputSize = U16;
-    type KeySize = U32;
-
-    fn new(key: &GenericArray<u8, Self::KeySize>) -> Poly1305Mac {
-        let poly = Poly1305::new(key.as_slice().try_into().unwrap());
-        Poly1305Mac(poly)
-    }
-
-    fn input(&mut self, data: &[u8]) {
-        self.0.input(data);
-    }
+extern crate test;
+
+use poly1305::{Poly1305, universal_hash::UniversalHash};
+use test::Bencher;
+
+macro_rules! bench {
+    ($name:ident, $bs:expr) => {
+        #[bench]
+        fn $name(b: &mut Bencher) {
+            let key = Default::default();
+            let mut m = Poly1305::new(&key);
+            let data = [0; $bs];
+
+            b.iter(|| {
+                m.update_padded(&data);
+            });
+
+            b.bytes = $bs;
+        }
+    };
+}
 
-    fn reset(&mut self) {
-        unimplemented!();
-    }
 
-    fn result(self) -> MacResult<Self::OutputSize> {
-        let tag: Block = self.0.result().into();
-        MacResult::new(tag.into())
-    }
-}
+bench!(bench1_10, 10);
+bench!(bench2_100, 100);
+bench!(bench3_1000, 1000);
+bench!(bench3_10000, 10000);

poly1305/src/lib.rs

@@ -16,10 +16,14 @@
 #![doc(html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo_small.png")]
 #![warn(missing_docs, rust_2018_idioms)]
 
-pub use subtle;
+pub use universal_hash;
 
 use core::{cmp::min, convert::TryInto};
-use subtle::{Choice, ConstantTimeEq};
+use universal_hash::generic_array::{
+    typenum::{U16, U32},
+    GenericArray,
+};
+use universal_hash::{Output, UniversalHash};
 #[cfg(feature = "zeroize")]
 use zeroize::Zeroize;
 
@@ -50,9 +54,12 @@ pub struct Poly1305 {
     buffer: Block,
 }
 
-impl Poly1305 {
+impl UniversalHash for Poly1305 {
+    type KeySize = U32;
+    type OutputSize = U16;
+
     /// Initialize Poly1305 with the given key
-    pub fn new(key: &Key) -> Poly1305 {
+    fn new(key: &GenericArray<u8, U32>) -> Poly1305 {
         let mut poly = Poly1305 {
             r: [0u32; 5],
             h: [0u32; 5],
@@ -77,75 +84,28 @@ impl Poly1305 {
     }
 
     /// Input data into the Poly1305 universal hash function
-    pub fn input(&mut self, data: &[u8]) {
-        let mut m = data;
-
-        if self.leftover > 0 {
-            let want = min(16 - self.leftover, m.len());
-
-            for (i, byte) in m.iter().cloned().enumerate().take(want) {
-                self.buffer[self.leftover + i] = byte;
-            }
-
-            m = &m[want..];
-            self.leftover += want;
-
-            if self.leftover < BLOCK_SIZE {
-                return;
-            }
-
-            self.block(false);
-            self.leftover = 0;
-        }
-
-        while m.len() >= BLOCK_SIZE {
-            // TODO(tarcieri): avoid a copy here when `TryInto` is available (1.34+)
-            // We can avoid copying this data into the buffer, but do for now
-            // because it simplifies constant-time assessment.
-            self.buffer.copy_from_slice(&m[..BLOCK_SIZE]);
-            self.block(false);
-            m = &m[BLOCK_SIZE..];
-        }
-
-        self.buffer[..m.len()].copy_from_slice(m);
-        self.leftover = m.len();
+    fn update_block(&mut self, block: &GenericArray<u8, U16>) {
+        // TODO(tarcieri): pass block directly to `Poly1305::compute_block`
+        self.update(block.as_slice());
     }
 
-    /// Input data into Poly1305, first padding it to Poly1305's block size
-    /// ala the `pad16()` function described in RFC 8439 section 2.8.1:
-    /// <https://tools.ietf.org/html/rfc8439#section-2.8.1>
-    ///
-    /// This is primarily useful for implementing Salsa20 family authenticated
-    /// encryption constructions.
-    pub fn input_padded(&mut self, data: &[u8]) {
-        self.input(data);
-
-        // Pad associated data with `\0` if it's unaligned with the block size
-        let unaligned_len = data.len() % BLOCK_SIZE;
-
-        if unaligned_len != 0 {
-            let pad = Block::default();
-            let pad_len = BLOCK_SIZE - unaligned_len;
-            self.input(&pad[..pad_len]);
-        }
-    }
-
-    /// Process input messages in a chained manner
-    pub fn chain(mut self, data: &[u8]) -> Self {
-        self.input(data);
-        self
+    /// Reset internal state
+    fn reset(&mut self) {
+        self.h = Default::default();
+        self.buffer = Default::default();
+        self.leftover = 0;
     }
 
     /// Get the hashed output
-    pub fn result(mut self) -> Tag {
+    fn result(mut self) -> Output<U16> {
         if self.leftover > 0 {
             self.buffer[self.leftover] = 1;
 
             for i in (self.leftover + 1)..BLOCK_SIZE {
                 self.buffer[i] = 0;
             }
 
-            self.block(true);
+            self.compute_block(true);
         }
 
         // fully carry h
@@ -229,17 +189,58 @@ impl Poly1305 {
         f = u64::from(h3) + u64::from(self.pad[3]) + (f >> 32);
         h3 = f as u32;
 
-        let mut tag = Block::default();
-        tag[0..4].copy_from_slice(&h0.to_le_bytes());
-        tag[4..8].copy_from_slice(&h1.to_le_bytes());
-        tag[8..12].copy_from_slice(&h2.to_le_bytes());
-        tag[12..16].copy_from_slice(&h3.to_le_bytes());
+        let mut output = GenericArray::default();
+        output[0..4].copy_from_slice(&h0.to_le_bytes());
+        output[4..8].copy_from_slice(&h1.to_le_bytes());
+        output[8..12].copy_from_slice(&h2.to_le_bytes());
+        output[12..16].copy_from_slice(&h3.to_le_bytes());
 
-        Tag::new(tag)
+        Output::new(output)
+    }
+}
+
+impl Poly1305 {
+    /// Input data into the Poly1305 universal hash function
+    pub fn update(&mut self, data: &[u8]) {
+        let mut m = data;
+
+        if self.leftover > 0 {
+            let want = min(16 - self.leftover, m.len());
+
+            for (i, byte) in m.iter().cloned().enumerate().take(want) {
+                self.buffer[self.leftover + i] = byte;
+            }
+
+            m = &m[want..];
+            self.leftover += want;
+
+            if self.leftover < BLOCK_SIZE {
+                return;
+            }
+
+            self.compute_block(false);
+            self.leftover = 0;
+        }
+
+        while m.len() >= BLOCK_SIZE {
+            // TODO(tarcieri): avoid copying data into the buffer here
+            self.buffer.copy_from_slice(&m[..BLOCK_SIZE]);
+            self.compute_block(false);
+            m = &m[BLOCK_SIZE..];
+        }
+
+        self.buffer[..m.len()].copy_from_slice(m);
+        self.leftover = m.len();
+    }
+
+    /// Process input messages in a chained manner
+    pub fn chain(mut self, data: &[u8]) -> Self {
+        self.update(data);
+        self
     }
 
     /// Compute a single block of Poly1305 using the internal buffer
-    fn block(&mut self, finished: bool) {
+    fn compute_block(&mut self, finished: bool) {
         let hibit = if finished { 0 } else { 1 << 24 };
 
         let r0 = self.r[0];
@@ -340,31 +341,3 @@ impl Drop for Poly1305 {
         self.buffer.zeroize();
     }
 }
-
-/// Poly1305 authentication tags
-pub struct Tag(Block);
-
-impl Tag {
-    /// Create a new Poly1305 authentication tag
-    fn new(tag: Block) -> Self {
-        Tag(tag)
-    }
-}
-
-impl AsRef<Block> for Tag {
-    fn as_ref(&self) -> &Block {
-        &self.0
-    }
-}
-
-impl ConstantTimeEq for Tag {
-    fn ct_eq(&self, other: &Self) -> Choice {
-        self.0.ct_eq(other.0.as_ref())
-    }
-}
-
-impl From<Tag> for Block {
-    fn from(tag: Tag) -> Block {
-        tag.0
-    }
-}

poly1305/tests/lib.rs

@@ -1,4 +1,4 @@
-use poly1305::{Poly1305, KEY_SIZE};
+use poly1305::{universal_hash::UniversalHash, Poly1305, KEY_SIZE};
 use std::iter::repeat;
 
 #[test]
@@ -26,10 +26,10 @@ fn test_nacl_vector() {
         0xd9,
     ];
 
-    let result1 = Poly1305::new(&key).chain(&msg).result();
-    assert_eq!(&expected[..], result1.as_ref());
+    let result1 = Poly1305::new(key.as_ref().into()).chain(&msg).result();
+    assert_eq!(&expected[..], result1.into_bytes().as_slice());
 
-    let result2 = Poly1305::new(&key)
+    let result2 = Poly1305::new(key.as_ref().into())
         .chain(&msg[0..32])
         .chain(&msg[32..96])
         .chain(&msg[96..112])
@@ -43,7 +43,7 @@ fn test_nacl_vector() {
         .chain(&msg[130..131])
         .result();
 
-    assert_eq!(&expected[..], result2.as_ref());
+    assert_eq!(&expected[..], result2.into_bytes().as_slice());
 }
 
 #[test]
@@ -64,9 +64,11 @@ fn donna_self_test() {
         0x00,
     ];
 
-    let result = Poly1305::new(&wrap_key).chain(&wrap_msg).result();
+    let result = Poly1305::new(wrap_key.as_ref().into())
+        .chain(&wrap_msg)
+        .result();
 
-    assert_eq!(&wrap_mac[..], result.as_ref());
+    assert_eq!(&wrap_mac[..], result.into_bytes().as_slice());
 
     let total_key = [
         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xff,
@@ -79,18 +81,18 @@ fn donna_self_test() {
         0x39,
     ];
 
-    let mut tpoly = Poly1305::new(&total_key);
+    let mut tpoly = Poly1305::new(total_key.as_ref().into());
 
     for i in 0..256 {
         let mut key = [0u8; KEY_SIZE];
         key.copy_from_slice(&repeat(i as u8).take(KEY_SIZE).collect::<Vec<_>>());
 
         let msg: Vec<u8> = repeat(i as u8).take(256).collect();
-        let tag = Poly1305::new(&key).chain(&msg[..i]).result();
-        tpoly.input(tag.as_ref());
+        let tag = Poly1305::new(key.as_ref().into()).chain(&msg[..i]).result();
+        tpoly.update(tag.into_bytes().as_slice());
     }
 
-    assert_eq!(&total_mac[..], tpoly.result().as_ref());
+    assert_eq!(&total_mac[..], tpoly.result().into_bytes().as_slice());
 }
 
 #[test]
@@ -104,17 +106,17 @@ fn test_tls_vectors() {
         0x07,
     ];
 
-    let result1 = Poly1305::new(&key).chain(&msg1).result();
-    assert_eq!(&expected1[..], result1.as_ref());
+    let result1 = Poly1305::new(key.as_ref().into()).chain(&msg1).result();
+    assert_eq!(&expected1[..], result1.into_bytes().as_slice());
 
     let msg2 = b"Hello world!";
     let expected2 = [
         0xa6, 0xf7, 0x45, 0x00, 0x8f, 0x81, 0xc9, 0x16, 0xa2, 0x0d, 0xcc, 0x74, 0xee, 0xf2, 0xb2,
         0xf0,
     ];
 
-    let result2 = Poly1305::new(&key).chain(&msg2[..]).result();
-    assert_eq!(&expected2[..], result2.as_ref());
+    let result2 = Poly1305::new(key.as_ref().into()).chain(&msg2[..]).result();
+    assert_eq!(&expected2[..], result2.into_bytes().as_slice());
 }
 
 #[test]
@@ -135,7 +137,7 @@ fn padded_input() {
         0xba,
     ];
 
-    let mut poly = Poly1305::new(&key);
-    poly.input_padded(&msg);
-    assert_eq!(&expected[..], poly.result().as_ref());
+    let mut poly = Poly1305::new(key.as_ref().into());
+    poly.update_padded(&msg);
+    assert_eq!(&expected[..], poly.result().into_bytes().as_slice());
 }