More inline equations from the spec
This commit is contained in:
39
Ascon.cry
39
Ascon.cry
@@ -25,10 +25,10 @@ private
|
|||||||
/** Parse function.
|
/** Parse function.
|
||||||
*
|
*
|
||||||
* The parse(𝑋, 𝑟) function parses the input bitstring 𝑋 into a sequence
|
* The parse(𝑋, 𝑟) function parses the input bitstring 𝑋 into a sequence
|
||||||
* of blocks 𝑋₀, 𝑋₁, …, 𝑋̃ℓ, where 𝓁 ← ⌊|𝑋|/𝑟⌋ (i.e., 𝑋 ← 𝑋₀ ∥ 𝑋₁ ∥ … ∥ 𝑋̃ℓ).
|
* of blocks 𝑋₀, 𝑋₁, …, 𝑋͠ℓ, where 𝓁 ← ⌊|𝑋|/𝑟⌋ (i.e., 𝑋 ← 𝑋₀ ∥ 𝑋₁ ∥ … ∥ 𝑋͠ℓ).
|
||||||
* The 𝑋ᵢ blocks for 0 ≤ i ≤ 𝓁 − 1 each have a bit length 𝑟, whereas
|
* The 𝑋ᵢ blocks for 0 ≤ i ≤ 𝓁 − 1 each have a bit length 𝑟, whereas
|
||||||
* 0 ≤ |𝑋̃ℓ| ≤ 𝑟 − 1 (see Algorithm 1). When |𝑋| mod 𝑟 = 0, the final
|
* 0 ≤ |𝑋͠ℓ| ≤ 𝑟 − 1 (see Algorithm 1). When |𝑋| mod 𝑟 = 0, the final
|
||||||
* block is empty (i.e., |𝑋̃ℓ| = 0).
|
* block is empty (i.e., |𝑋͠ℓ| = 0).
|
||||||
*/
|
*/
|
||||||
parse : {r, m} (fin m, fin r, r >= 1) => [m] -> ([m / r][r], [m % r])
|
parse : {r, m} (fin m, fin r, r >= 1) => [m] -> ([m / r][r], [m % r])
|
||||||
parse (M # Ml) = (split M, Ml)
|
parse (M # Ml) = (split M, Ml)
|
||||||
@@ -201,9 +201,18 @@ AEAD128_encrypt K N A P = C # T
|
|||||||
[K0, K1] = bitsToWords K
|
[K0, K1] = bitsToWords K
|
||||||
[N0, N1] = bitsToWords N
|
[N0, N1] = bitsToWords N
|
||||||
|
|
||||||
|
// 𝑆 ← 𝐼𝑉 ‖ 𝐾 ‖ 𝑁 (15)
|
||||||
|
// 𝑆 ← Ascon-p[12](𝑆) (16)
|
||||||
|
// 𝑆 ← 𝑆 ⊕ (0¹⁹² ‖ K) (17)
|
||||||
S0 = Ascon_p`{12} [AEAD128_IV, K0, K1, N0, N1] ^ [0, 0, 0, K0, K1]
|
S0 = Ascon_p`{12} [AEAD128_IV, K0, K1, N0, N1] ^ [0, 0, 0, K0, K1]
|
||||||
|
|
||||||
SA = AddAD S0 A
|
SA = AddAD S0 A
|
||||||
|
|
||||||
|
// 𝑃₀, 𝑃₁, …, 𝑃ₙ₋₁, 𝑃͠ₙ ← parse(𝑃,128) (23)
|
||||||
|
// For each 𝑃ᵢ, 0 ≤ 𝑖 ≤ 𝑛−1
|
||||||
|
// 𝑆[0:127] ← 𝑆[0:127] ⊕ 𝑃ᵢ (24)
|
||||||
|
// 𝐶ᵢ ← 𝑆[0:127] (25)
|
||||||
|
// 𝑆 ← Ascon-p[8](𝑆) (26)
|
||||||
SCs = [XorBlock s p | s <- [SA] # map Ascon_p`{8} SCs | p <- toBlocks P]
|
SCs = [XorBlock s p | s <- [SA] # map Ascon_p`{8} SCs | p <- toBlocks P]
|
||||||
C = take (join (map ExtractC SCs))
|
C = take (join (map ExtractC SCs))
|
||||||
|
|
||||||
@@ -292,14 +301,28 @@ private
|
|||||||
/** Absorb all of the associated data into the permutation state. */
|
/** Absorb all of the associated data into the permutation state. */
|
||||||
AddAD : {a} (fin a) => State -> [a] -> State
|
AddAD : {a} (fin a) => State -> [a] -> State
|
||||||
AddAD S A
|
AddAD S A
|
||||||
| a == 0 => DomainSep S
|
|
||||||
|
/* If the AD is non-empty (i.e., |𝐴| > 0):
|
||||||
|
* 𝐴₀, 𝐴₁, …, 𝐴ₘ₋₁, 𝐴͠ₘ ← parse(𝐴,128) (18)
|
||||||
|
* 𝐴ₘ ← pad(𝐴͠ₘ,128) (19)
|
||||||
|
*/
|
||||||
| a > 0 => DomainSep (foldl AbsorbADBlock S (toBlocks A))
|
| a > 0 => DomainSep (foldl AbsorbADBlock S (toBlocks A))
|
||||||
|
|
||||||
/** Absorb a single block of associated data into the permutation state. */
|
/* If the AD is empty (i.e., |𝐴| = 0): Only the final step
|
||||||
AbsorbADBlock : State -> [128] -> State
|
* described in (22) is applied.
|
||||||
AbsorbADBlock S X = Ascon_p`{8} (XorBlock S X)
|
*/
|
||||||
|
| a == 0 => DomainSep S
|
||||||
|
|
||||||
/** Toggle the domain separation bit indicating end of associated data. */
|
/* Absorb a block in input into the state.
|
||||||
|
* 𝑆[0:127] ← 𝑆[0:127] ⊕ 𝐴ᵢ (20)
|
||||||
|
* 𝑆 ← Ascon-p[8](𝑆) (21)
|
||||||
|
**/
|
||||||
|
AbsorbADBlock : State -> [128] -> State
|
||||||
|
AbsorbADBlock S Ai = Ascon_p`{8} (XorBlock S Ai)
|
||||||
|
|
||||||
|
/** Toggle the domain separation bit indicating end of associated data.
|
||||||
|
* 𝑆 ← 𝑆 ⊕ (0³¹⁹ ‖ 1) (22)
|
||||||
|
*/
|
||||||
DomainSep : State -> State
|
DomainSep : State -> State
|
||||||
DomainSep [s0, s1, s2, s3, s4] = [s0, s1, s2, s3, s4 ^ 0b1#0]
|
DomainSep [s0, s1, s2, s3, s4] = [s0, s1, s2, s3, s4 ^ 0b1#0]
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user