4 * The EAX authenticated encryption mode of operation,
\r
5 * designed by M. Bellare, P. Rogaway and D. Wagner.
\r
7 * @author Paulo S. L. M. Barreto
\r
11 * This software is hereby placed in the public domain.
\r
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
\r
14 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
\r
15 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
\r
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
\r
17 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
\r
18 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
\r
19 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
\r
20 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
\r
21 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
\r
22 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
\r
23 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\r
28 #include "BlockCipher.h"
\r
34 typedef unsigned char byte;
\r
35 typedef unsigned long uint; /* assuming sizeof(uint) == 4 */
\r
36 #endif /* USUAL_TYPES */
\r
44 * Key and parameter setup to init a EAX context data structure.
\r
46 void initialize(const byte* K, uint k, uint t, BlockCipher* E);
\r
49 * Session is over; destroy all key material and cleanup!
\r
53 /*********************************************************************
\r
54 * Calls common to incremental and non-incremental API
\r
55 ********************************************************************/
\r
58 * Supply a message header. The header "grows" with each call
\r
59 * until a eax_provide_header() call is made that follows a
\r
60 * eax_encrypt(), eax_decrypt(), eax_provide_plaintext(),
\r
61 * eax_provide_ciphertext() or eax_compute_plaintext() call.
\r
62 * That starts reinitializes the header.
\r
64 void provideHeader(const byte* H, uint h);
\r
67 /*********************************************************************
\r
68 * All-in-one, non-incremental interface
\r
69 ********************************************************************/
\r
72 * Encrypt the given message with the given key, nonce and header.
\r
73 * Specify the header (if nonempty) with eax_provide_header().
\r
76 const byte* N, // the nonce and
\r
77 uint n, // its length (in bytes), and
\r
78 const byte* M, // the plaintext and
\r
79 uint m, // its length (in bytes).
\r
80 byte* C, // The m-byte ciphertext
\r
84 * Decrypt the given ciphertext with the given key, nonce and header.
\r
85 * Specify the header (if nonempty) with eax_provide_header().
\r
86 * Returns 1 for a valid ciphertext, 0 for an invalid ciphertext and for invalid or missing parameters.
\r
89 const byte* N, // the nonce and
\r
90 uint n, // its length (in bytes), and
\r
91 const byte* C, // the ciphertext and
\r
92 uint c, // its length (in bytes), and
\r
93 const byte* T, // the tag.
\r
97 /*********************************************************************
\r
98 * Incremental interface
\r
99 ********************************************************************/
\r
102 * Provide a nonce. For encryption, do this before calling
\r
103 * eax_compute_ciphertext() and eax_compute_tag();
\r
104 * for decryption, do this before calling
\r
105 * eax_provide_ciphertext(), eax_check_tag, or eax_compute_plaintext().
\r
107 void provideNonce(const byte* N, uint n);
\r
110 * Encrypt a message or a part of a message.
\r
111 * The nonce needs already to have been
\r
112 * specified by a call to eax_provide_nonce().
\r
114 void computeCiphertext(const byte* M, uint m, byte* C);
\r
117 * Message and header finished: compute the authentication tag that is a part
\r
118 * of the complete ciphertext.
\r
120 void computeTag(byte* T);
\r
123 * Supply the ciphertext, or the next piece of ciphertext.
\r
124 * This is used to check for the subsequent authenticity check eax_check_tag().
\r
126 void provideCiphertext(const byte* C, uint c);
\r
129 * The nonce, ciphertext and header have all been fully provided; check if
\r
130 * they are valid for the given tag.
\r
131 * Returns true for a valid ciphertext, false for an invalid ciphertext
\r
132 * (in which case plaintext/ciphertext might be zeroized as well).
\r
134 bool checkTag(const byte* T);
\r
137 * Recover the plaintext from the provided ciphertext.
\r
138 * A call to eax_provide_nonce() needs to precede this call.
\r
139 * The caller is responsible for separately checking if the ciphertext is valid.
\r
140 * Normally this would be done before computing the plaintext with
\r
141 * eax_compute_plaintext().
\r
143 void computePlaintext(const byte* C, uint c, byte* P);
\r
146 BlockCipher* _E;// block cipher context
\r
149 byte* t_n; // [t]_n
\r
150 OMAC _N; // nonce OMAC
\r
151 OMAC _H; // header OMAC
\r
152 OMAC _M; // message OMAC
\r
153 CTR* _C; // CTR context
\r
159 #endif /* __EAX_H */
\r