Lines Matching refs:As
130 The library serves as a toolkit for developers who have to solve cryptographic problems. Out of the box LibTomCrypt
149 know how to use Safer+, RC6, or Serpent as well. With all of the core functions there are central descriptor tables
161 with \textit{cycles per byte} timings that are comparable (and often favourable) to other libraries such as OpenSSL and
181 you have to update the associated support code as well. In LibTomCrypt the associated code (\textit{chaining modes in this case})
188 The project is hereby released as public domain.
192 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice. To the best
219 There have been quite a few other people as well. Please check the change log to see who else has contributed from
296 There are 32 and 64-bit cyclic rotations as well:
319 Certain functions such as (for example) \textit{rsa\_export()} give an output that is variable length. To prevent buffer overflows you
355 As of v1.13, most functions will update your length on failure to indicate the size required by the function. Not all functions
360 Certain functions such as \textit{rsa\_make\_key()} require a Pseudo Random Number Generator (PRNG). These functions do not setup
364 may be passed as \textbf{NULL} in such situations.
395 must pass in (a pointer to) an array of 32 \textit{unsigned char} variables. Certain routines (such as SAFER+) take
405 or use one of the provided chaining modes. All of the ciphers are written as ECB interfaces since it allows the rest of
410 have the same prototype and store their keys as naturally as possible. This also removes the need for dynamic memory
447 return \textbf{CRYPT\_OK} on success. To test a particular cipher against test vectors\footnote{As published in their design papers.}
459 For each cipher there is a function which will help find a desired key size. It is specified as follows:
545 As a general rule of thumb, do not use symmetric keys under 80 bits if you can help it. Only a few of the ciphers support smaller
554 rounds. By passing zero as the number of rounds all ciphers will use their default number of rounds. Generally the
590 in bytes. As a good rule of thumb it is assumed that the cipher supports
600 As of this release the current cipher\_descriptors elements are the following:
639 For AES, (also known as Rijndael) there are four descriptors which complicate issues a little. The descriptors
648 as EAX, PMAC and OMAC only require the encryption function. So far this \textit{encrypt only} functionality has only been implemented for
649 Rijndael as it makes the most sense for this cipher.
659 to not pre-compute the Twofish \textit{$g(X)$} function as a set of four $8 \times 32$ s-boxes. This means that a scheduled
661 defined will force the Twofish code to use pre-computed tables for the two s-boxes $q_0, q_1$ as well as the multiplication
662 by the polynomials 5B and EF used in the MDS multiplication. As a result the code is faster and slightly larger. The
730 as there is no more room (it can have 32 ciphers at most) it will return {\bf{-1}}. If you try to add the same cipher more
768 $P$ under the key $k$ as $E_k(P)$. In some modes there exists an initial vector denoted as $C_{-1}$.
772 ECB or Electronic Codebook Mode is the simplest method to use. It is given as:
782 It is given as:
791 treated as a large binary counter the CTR mode is given as:
796 Where $W$ is the size of a block in bits (e.g. 64 for Blowfish). As long as the initial vector is random for each message
797 encrypted under the same key replay and swap attacks are infeasible. CTR mode may look simple but it is as secure
798 as the block cipher is under a chosen plaintext attack (provided the initial vector is unique).
802 CFB or Ciphertext Feedback Mode is a mode akin to CBC. It is given as:
809 blocks without a delay. When this mode is first setup it will initially encrypt the initial vector as required.
813 OFB or Output Feedback Mode is a mode akin to CBC as well. It is given as:
818 Like the CFB mode the output width in CFB mode is the same as the width of the block cipher. OFB mode will also
825 \item Provably as secure as the block cipher being used under a chosen plaintext attack.
834 The ECB and CBC modes process blocks of the same size as the cipher at a time. Therefore, they are less flexible than the
877 length as the block size\footnote{In other words the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.}
879 parameters \textit{key}, \textit{keylen} and \textit{num\_rounds} are the same as in the XXX\_setup() function call. The final parameter
884 If \textbf{CTR\_COUNTER\_ LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value. Otherwise, if
885 \textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value. As of v1.15 the RFC 3686 style of
908 In all cases, \textit{len} is the size of the buffer (as number of octets) to encrypt or decrypt. The CTR, OFB and CFB modes are order sensitive but not
933 stored in \textit{len}. The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified. The length
938 What the \textit{setiv} function will do depends on the mode being changed. In CBC mode, the new IV replaces the existing IV as if it
939 were the last ciphertext block. In CFB mode, the IV is encrypted as if it were the prior encrypted pad. In CTR mode, the IV is encrypted without
1036 The key is specified as two strings the first key $K_1$ is the (normally AES) key and can be any length (typically 16, 24 or 32 octets long). The second key
1053 While LRW was specified to be used only with AES, LibTomCrypt will allow any 128--bit block cipher to be specified as indexed by \textit{cipher}. The
1086 These will get or set the 16--octet IV. Note that setting the IV is the same as \textit{seeking} and unlike other modes is not a free operation. It requires
1113 This will start the F8 mode state using \textit{key} as the secret key, \textit{IV} as the counter. It uses the \textit{salt\_key} as IV encryption key
1169 The mode can then process plaintext producing ciphertext as well as compute a partial checksum. The actual checksum
1171 sized message block to send to the recipient as ciphertext. This makes the EAX mode especially suited for streaming modes
1193 encrypted in EAX mode. Note: if \textit{headerlen} is zero you may pass \textit{header} as \textbf{NULL} to indicate there is no initial header data.
1325 have the same meaning as with those respective functions.
1327 The only difference is eax\_decrypt\_verify\_memory() does not emit a tag. Instead you pass it a tag as input and it compares it against
1346 and the random \textit{nonce}. Note that \textit{nonce} must be a random (public) string the same length as the block ciphers
1364 They assume that \textit{pt} and \textit{ct} are the same size as the block cipher's block size. Note that you cannot call
1439 as a primitive. Unlike EAX and OCB mode,
1460 The key can be specified in one of two fashions. First, it can be passed as an array of octets in \textit{key} of length \textit{keylen}. Alternatively,
1461 it can be passed in as a previously scheduled key in \textit{uskey}. The latter fashion saves time when the same key is used for multiple packets. If
1466 you can pass \textit{header} as \textbf{NULL}).
1468 The plaintext is stored in \textit{pt}, and the ciphertext in \textit{ct}. The length of both are expected to be equal and is passed in as \textit{ptlen}. It is
1472 As implemented, this version of CCM cannot handle header or plaintext data longer than $2^{32} - 1$ octets long.
1571 This adds the initial vector octets from \textit{IV} of length \textit{IVlen} to the GCM state \textit{gcm}. You can call this function as many times as required
1579 authentication data (AAD) for security. The AAD is meant to be used as side--channel data you want to be authenticated with the packet. Note: once
1645 message tag. The definition of the variables is the same as it is for all the manual functions.
1647 If you are processing many packets under the same key you shouldn't use this function as it invokes the pre--computation with each call.
1732 /* use IV as counter (12 byte counter) */
1765 are buffered. The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest (hash output) will be the same. For example,
1771 Will produce the same message digest as the single call:
1817 Like the set of ciphers, the set of hashes have descriptors as well. They are stored in an array called \textit{hash\_descriptor} and
1846 There is a function to search the array as well called \textit{int find\_hash(char *name)}. It returns -1 if the hash is not found, otherwise, the
1984 The following hashes are provided as of this release within the LibTomCrypt library:
2015 applicable block ciphers (such as AES) can be turned into hash functions that other LTC functions can use. In
2072 The other hashes such as the SHA-1, SHA-2 (that includes SHA-512, SHA-384 and SHA-256) and TIGER-192 are still considered secure
2113 the HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first \textit{outlen} bytes).
2140 \textit{key} is the array of octets to use as the key of length \textit{keylen}. \textit{out} is the array of octets where the
2201 algorithm which produces a Message Authentication Code (MAC) using only a block cipher such as AES. Note: OMAC has been standardized as
2214 of the cipher\footnote{The cipher must have a 64 or 128 bit block size. Such as CAST5, Blowfish, DES, AES, Twofish, etc.} you
2232 Would produce the same result as,
2248 specification states that the output may be truncated. So if you pass in $outlen = 5$ and use AES as your cipher than
2265 rules as omac\_done.
2279 the same rules as omac\_done.
2339 API as the provided OMAC code.
2369 Would produce the same result as,
2399 rules as pmac\_done().
2413 the same rules as pmac\_done().
2423 Pelican MAC is a new (experimental) MAC by the AES team that uses four rounds of AES as a \textit{mixing function}. It achieves a very high
2425 as it calls AES directly.
2441 This will process \textit{inlen} bytes of \textit{in} through the Pelican MAC. It's best that you pass in multiples of 16 bytes as it makes the
2442 routine more efficient but you may pass in any length of text. You can call this function as many times as required to process
2499 As of LibTomCrypt v1.15, XCBC-MAC (RFC 3566) has been provided to support TLS encryption suites. Like OMAC, it computes a message authentication code
2549 specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as xcbc\_done().
2562 specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as xcbc\_done().
2635 specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as f9\_done().
2648 specified by the \textit{cipher}'th entry in the cipher\_descriptor table. It will store the MAC in \textit{out} with the same rules as f9\_done().
2663 The library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well. A cryptographic PRNG is
2664 used to expand a shorter bit string into a longer bit string. PRNGs are used wherever random data is required such as Public Key (PK)
2713 the export is meant to be used as a \textit{seed file}. That is, when the program starts up there will not likely
2724 \textit{in} of length \textit{inlen} as the initial seed. You must pass the same seed length as was exported
2740 import function and go on your way. It is ideal that (as soon as possible) after start up you export a
2831 Just like the ciphers and hashes, you must register your prng before you can use it. The two functions provided work exactly as those for the cipher registry functions.
2887 RC4 is an old stream cipher that can also double duty as a PRNG in a pinch. You key RC4 by
2892 as an encrypt (and decrypt) function.
2900 calling add\_entropy(). There is no need to call ready() for this PRNG as it does not do anything.
2911 sober128\_read() as an encrypt (and decrypt) function.
2932 /* use "key" as the key */
2978 any RNG source. There is a function to help setup a PRNG as well:
3025 as the PK API. This simplifies the cryptosystem on platforms where the secure RNG is fast. The secure PRNG never
3086 Only encryption padding requires a PRNG. When performing signature padding the \textit{prng\_idx} parameter may be left to zero as it is not checked for validity.
3107 PKCS \#1 RSA Encryption amounts to OAEP padding of the input message followed by the modular exponentiation. As far as this portion of
3129 This accepts \textit{msg} as input of length \textit{msglen} which will be OAEP padded. The \textit{lparam} variable is an additional system specific
3133 OAEP encoding requires the length of the modulus in bits in order to calculate the size of the output. This is passed as the parameter
3140 $m - 2h - 2$. For example, with a $1024$--bit RSA key and SHA--1 as the hash the maximum payload is $86$ bytes.
3218 it is set to zero. The rest of the parameters are as in the PSS encode call.
3220 It's important to use the same \textit{saltlen} and hash for both encoding and decoding as otherwise the procedure will not work.
3230 multiplicative sub-group formed modulo $N$ is given as $\phi(N) = (p - 1)(q - 1)$ which can be reduced to
3233 often simply denoted as $de \equiv 1\mbox{ }(\mbox{mod }\phi(N))$.
3277 RSA key which includes the CRT parameters\footnote{As of v0.99 the PK\_PRIVATE\_OPTIMIZED type has been deprecated, and has been replaced by the
3292 This will load the bignum from \textit{in} as a big endian integer in the format PKCS \#1 specifies, raises it to either \textit{e} or \textit{d} and stores the result
3294 (i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use \textit{d} as the exponent (i.e. for decrypting/signing).
3296 Note: the output of this function is zero--padded as per PKCS \#1 specification. This allows this routine to work with PKCS \#1 padding functions properly.
3321 As of v1.15, the library supports both v1.5 and v2.1 PKCS \#1 style paddings in these higher level functions. The following is the extended
3341 The parameters are all the same as for rsa\_encrypt\_key() except for the addition of the \textit{padding} parameter. It must be set to
3367 As of v1.15, the library supports both v1.5 and v2.1 PKCS \#1 style paddings in these higher level functions. The following is the extended
3411 The \textit{hash\_idx} parameter indicates which hash will be used to create the PSS encoding. It should be the same as the hash used to
3418 As of v1.15, the library supports both v1.5 and v2.1 signatures. The extended signature generation function has the following prototype:
3441 values such as $\lbrace$\textbf{NULL}, 0, 0$\rbrace$.
3464 As of v1.15, the library supports both v1.5 and v2.1 signature verification. The extended signature verification function has the following prototype:
3566 The RSA key format adopted for exporting and importing keys is the PKCS \#1 format defined by the ASN.1 constructs known as
3595 As of v1.06 this function can also import OpenSSL DER formatted public RSA keys. They are essentially encapsulated RSAPublicKeys. LibTomCrypt will
3596 import the key, strip off the additional data (it's the preferred hash) and fill in the rsa\_key structure as if it were a native RSAPublicKey. Note that
3602 The library provides a set of core ECC functions as well that are designed to be the Elliptic Curve analogy of all of the
3613 As of v1.15 three new curves from the SECG standards are also included they are the secp112r1, secp128r1, and secp160r1 curves. These curves were added to
3614 support smaller devices which do not need as large keys for security.
3629 As of v1.12 of LibTomCrypt, support for Fixed Point ECC point multiplication has been added. It is a generic optimization that is
3630 supported by any conforming math plugin. It is enabled by defining \textbf{MECC\_FP} during the build, such as
3636 which will build LTC using the TFM math library and enabling this new feature. The feature is not enabled by default as it is \textbf{NOT} thread
3637 safe (by default). It supports the LTC locking macros (such as by enabling LTC\_PTHREAD), but by default is not locked.
3664 In the case of LibTomCrypt, it is meant \textbf{solely} for NIST and SECG $GF(p)$ curves. The format of the keys is as follows:
3693 The library uses the following structure to describe an elliptic curve. This is used internally, as well as by the new
3743 As of v1.16, the library supports an extended key generation routine which allows the user to specify their own curve. It is specified as follows:
3847 Note: this function stores only the $x$ co-ordinate of the shared elliptic point as described in ANSI X9.63 ECC--DH.
3867 As the name implies this function encrypts a (symmetric) key, and is not intended for encrypting long messages directly. It will encrypt the
4007 $15 < group\_size < 1024$ and $modulus\_size - group\_size < 512$. Suggested values for the pairs are as follows.
4069 and should not be used at all. If the result is $stat = 1$ the DSA key is valid (as far as valid mathematics are concerned).
4106 As of version 1.07, the DSA keys can be used to encrypt and decrypt small payloads. It works similar to the ECC encryption where
4177 in the same manner as the other data types except they use list of objects known as the \textbf{ltc\_asn1\_list} structure. It is defined as the following:
4279 (in certain cases). For types such as IA5 STRING, BIT STRING, OCTET STRING (etc) the \textit{size} field is updated after successful decoding to reflect how many
4331 The list of items are specified as a triple of the form \textit{(type, size, data)} where \textit{type} is an \textbf{int}, \textit{size} is a \textbf{unsigned long}
4334 It is ideal that you cast the \textit{size} values to unsigned long to ensure that the proper data type is passed to the function. Constants such as \textit{1} without
4355 on the size parameters. This forces the compiler to pass the numbers as the required \textbf{unsigned long} type that the function expects.
4380 This function will \textbf{NOT} recognize \textit{DEFAULT} objects, and it is the responsibility of the caller to remove them as required.
4396 as required) through the list to decode all the objects.
4482 as a one bit, and a zero value a zero bit.
4594 mapping and treat the characters as literals.
4647 There is no encoder for the CHOICE type as the actual DER encoding is the encoding of the chosen type.
4658 \textit{outlen} elements. The \textit{inlen} field will be updated with the length of the decoded data type, as well as the respective entry in the \textit{list} field
4667 and \textit{child}. The list works as a \textit{doubly-linked list} structure where decoded items at the same level are siblings (using next and prev) and items
4668 encoded in a SEQUENCE are stored as a child element.
4670 When a SEQUENCE or SET has been encountered a SEQUENCE (or SET resp.) item will be added as a sibling (e.g. list.type == LTC\_ASN1\_SEQUENCE) and the child
4689 have to convert the list by first storing all of the siblings in an array then storing all the children as sub-lists of a sequence using the \textit{.data}
4771 Algorithm One accepts as input a password, an 8--byte salt, and an iteration counter. The iteration counter is meant to act as delay for
4795 hash functions output. As such, it can easily be used to derive session keys for ciphers and MACs as well initial vectors as required
4883 The library includes primality testing and random prime functions as well. The primality tester will perform the test in
4893 math operations. As a result the routine can scan ahead to the next number required for testing with very little work
4898 as $\phi(pq)$ or $(p - 1)(q - 1)$. The decryption exponent $d$ is found as $de \equiv 1\mbox{ }(\mbox{mod } \phi(pq))$. If either $p$ or $q$ is composite the value of $d$ will be incorrect and the user
4927 does provide two RNG sources that will address the largest amount of end users as possible. The \textit{sprng} PRNG provides an easy to
4939 Also, virtually all of the functions return an error code or {\bf CRYPT\_OK}. You should detect all errors, as simple
4940 typos can cause algorithms to fail to work as desired.
4954 For symmetric ciphers, use as large as of a key as possible. For the most part \textit{bits are cheap} so using a 256--bit key
4955 is not a hard thing to do. As a good rule of thumb do not use a key smaller than 128 bits.
5017 such as register\_cipher() are not thread safe no matter what you do. It is best to call them from your programs initialization
5020 The rest of the code uses state variables you must pass it such as hash\_state, hmac\_state, etc. This means that if each
5026 pthreads based mutex locking in various routines such as the Yarrow and Fortuna PRNGs, the fixed point ECC multiplier, and other routines.
5034 As
5035 LibTomCrypt no longer provides a math API on its own and relies on third party libraries (such as LibTomMath, GnuMP, or TomsFastMath).
5062 \begin{flushleft} will build the library using \textit{arm--gcc} as the compiler and \textit{arm--ar} as the archiver. \end{flushleft}
5152 Building a static library is fairly trivial as it only requires one invocation of the GNU make command.
5159 the built--in LibTomMath descriptor as well (or in place of the TomsFastMath descriptor). Similarly, you can build the library with no built--in
5169 Note that even if you include the built--in descriptors you must link against the source library as well.
5175 This will compile \textit{myprogram} and link it against the LibTomCrypt library as well as TomsFastMath (which must have been previously installed). Note that
5181 LibTomCrypt can also be built as a shared library through the \textit{makefile.shared} make script. It is similar to use as the static script except
5188 This will build and install the library and link the shared object against the TomsFastMath library (which must be installed as a shared object as well). The
5210 Currently LibTomCrypt will detect x86-32, x86-64, MIPS R5900, SPARC and SPARC64 running GCC as well as x86-32 running MSVC.
5217 At the top of tomcrypt\_custom.h are a series of macros denoted as XMALLOC, XCALLOC, XREALLOC, XFREE, and so on. They resolve to
5219 If you substitute in your own functions they must behave like the standard C library functions in terms of what they expect as input and
5247 This mode (auto-detected with x86\_32,x86\_64 platforms with GCC or MSVC) configures various routines such as ctr\_encrypt() or
5294 tables at a cost of 4KB of memory. The cipher will be much faster as a result.
5297 useful when TWOFISH\_SMALL is defined as the table values are computed on the fly. When this is defined the code size
5311 When this is defined some of the code such as the Rijndael and SAFER+ ciphers are replaced with smaller code variants.
5329 descriptors for the respective library are built and included in the library as \textit{gmp\_desc}, \textit{ltm\_desc}, or \textit{tfm\_desc} respectively.
5348 to be highly portable and easy to build out of the box on pretty much any platform. As such there are no assembler inlines throughout the code, I make no assumptions
5711 While both encrypt and decrypt accelerators are not required it is suggested as it makes lrw\_setiv() more efficient.
5856 to be able to process multiple blocks per MAC then you will have to simply provide a process() callback and use hmac\_memory() as provided in LibTomCrypt.
5955 if it does as many protocols do not retry reads and will fail on the first try.
6091 /** get size as unsigned char string
6097 /** store an integer as an array of octets
6104 /** read an array of octets and store as integer
6398 free the bignum as well as the structure you allocated to place it in.
6405 then partition your digits. Normally this does not matter as \textit{unsigned long} will be the same size as your register size. Note that if your digit is smaller
6406 than an \textit{unsigned long} that is also acceptable as the \textit{bits\_per\_digit} parameter will specify this.
6414 that (x,y,z) => (x/z^2, y/z^3, 1) when interpreted as affine */
6475 The call reads the \textit{in} buffer as an unsigned char array in big endian format. Then it performs the exponentiation and stores the output in big endian format
6479 Since the function is given the entire RSA key (for private keys only) CRT is possible as prescribed in the PKCS \#1 v2.1 specification.
