Lines Matching refs:Counter
65 // gcm represents a Galois Counter Mode with a specific key. See
75 // NewGCM returns the given 128-bit, block cipher wrapped in Galois Counter Mode
86 // Counter Mode, which accepts nonces of the given length.
148 var counter, tagMask [gcmBlockSize]byte
149 g.deriveCounter(&counter, nonce)
151 g.cipher.Encrypt(tagMask[:], counter[:])
152 gcmInc32(&counter)
154 g.counterCrypt(out, plaintext, &counter)
177 var counter, tagMask [gcmBlockSize]byte
178 g.deriveCounter(&counter, nonce)
180 g.cipher.Encrypt(tagMask[:], counter[:])
181 gcmInc32(&counter)
199 g.counterCrypt(out, ciphertext, &counter)
328 // counterCrypt crypts in to out using g.cipher in counter mode.
329 func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) {
333 g.cipher.Encrypt(mask[:], counter[:])
334 gcmInc32(counter)
342 g.cipher.Encrypt(mask[:], counter[:])
343 gcmInc32(counter)
348 // deriveCounter computes the initial GCM counter state from the given nonce.
349 // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
351 func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) {
352 // GCM has two modes of operation with respect to the initial counter
355 // with a four-byte big-endian counter starting at one, is used
356 // directly as the starting counter. For other nonce sizes, the counter
359 copy(counter[:], nonce)
360 counter[gcmBlockSize-1] = 1
366 putUint64(counter[:8], y.low)
367 putUint64(counter[8:], y.high)
