mirror of
https://github.com/emmansun/gmsm.git
synced 2025-10-13 23:00:47 +08:00
d57142dda1
* build(deps): bump github/codeql-action from 3.29.11 to 3.30.0 (#361) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.11 to 3.30.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](3c3833e0f8...2d92b76c45) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 (#362) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.0 to 5.5.1. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](fdcc847654...5a1091511a) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#363) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](d35c59abb0...4469467582) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github/codeql-action from 3.30.0 to 3.30.1 (#364) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.0 to 3.30.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](2d92b76c45...f1f6e5f6af) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 (#367) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.0 to 2.13.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](ec9f2d5744...f4a75cfd61) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github/codeql-action from 3.30.1 to 3.30.2 (#368) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.1 to 3.30.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](f1f6e5f6af...d3678e237b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(mlkem): initialize mlkem from golang standard library * chore(mlkem): refactoring, reduce alloc times * build(deps): bump github/codeql-action from 3.30.2 to 3.30.3 (#369) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.2 to 3.30.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](d3678e237b...192325c861) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * doc(README): include MLKEM * mldsa: refactor the implementation of key and sign/verify * mldsa,slhdsa: crypto.Signer assertion * fix(slhdsa): GenerateKey slice issue #72 * fix(slhdsa): copy/paste issue * slhdsa: supplements package level document * internal/zuc: eea supports encoding.BinaryMarshaler & encoding.BinaryUnmarshaler interfaces * mlkem: use clear built-in * build(deps): bump github/codeql-action from 3.30.3 to 3.30.4 (#376) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.3 to 3.30.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](192325c861...303c0aef88) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * cipher: initial support gxm & mur modes * cipher: update comments * build(deps): bump github/codeql-action from 3.30.4 to 3.30.5 (#377) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.4 to 3.30.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](303c0aef88...3599b3baa1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 增加了DRBG销毁内部状态的方法 (#378) * 增加了DRBG销毁内部状态的方法 * 统一前缀 * 修改随机数长度 * 分组和注释 * 错误函数描述 * zuc: expose methods to support encoding.BinaryMarshaler and encoding.BinaryUnmarshaler * drbg: align comments style * internal/zuc: support fast forward * internal/zuc: supplement comments --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sun Yimin <emmansun@users.noreply.github.com> Co-authored-by: Guanyu Quan <quanguanyu@qq.com>
131 lines
4.1 KiB
Go
131 lines
4.1 KiB
Go
// Copyright 2025 Sun Yimin. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package cipher
|
|
|
|
import "github.com/emmansun/gmsm/internal/byteorder"
|
|
|
|
const (
|
|
ghashBlockSize = 16
|
|
)
|
|
|
|
// ghashFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
|
|
// standard and make binary.BigEndian suitable for marshaling these values, the
|
|
// bits are stored in big endian order. For example:
|
|
//
|
|
// the coefficient of x⁰ can be obtained by v.low >> 63.
|
|
// the coefficient of x⁶³ can be obtained by v.low & 1.
|
|
// the coefficient of x⁶⁴ can be obtained by v.high >> 63.
|
|
// the coefficient of x¹²⁷ can be obtained by v.high & 1.
|
|
type ghashFieldElement struct {
|
|
low, high uint64
|
|
}
|
|
|
|
// reverseBits reverses the order of the bits of 4-bit number in i.
|
|
func reverseBits(i int) int {
|
|
i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
|
|
i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
|
|
return i
|
|
}
|
|
|
|
// hctrAdd adds two elements of GF(2¹²⁸) and returns the sum.
|
|
func ghashAdd(x, y *ghashFieldElement) ghashFieldElement {
|
|
// Addition in a characteristic 2 field is just XOR.
|
|
return ghashFieldElement{x.low ^ y.low, x.high ^ y.high}
|
|
}
|
|
|
|
// hctrDouble returns the result of doubling an element of GF(2¹²⁸).
|
|
func ghashDouble(x *ghashFieldElement) (double ghashFieldElement) {
|
|
msbSet := x.high&1 == 1
|
|
|
|
// Because of the bit-ordering, doubling is actually a right shift.
|
|
double.high = x.high >> 1
|
|
double.high |= x.low << 63
|
|
double.low = x.low >> 1
|
|
|
|
// If the most-significant bit was set before shifting then it,
|
|
// conceptually, becomes a term of x^128. This is greater than the
|
|
// irreducible polynomial so the result has to be reduced. The
|
|
// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
|
|
// eliminate the term at x^128 which also means subtracting the other
|
|
// four terms. In characteristic 2 fields, subtraction == addition ==
|
|
// XOR.
|
|
if msbSet {
|
|
double.low ^= 0xe100000000000000
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// ghashReductionTable is stored irreducible polynomial's double & add precomputed results.
|
|
// 0000 - 0
|
|
// 0001 - irreducible polynomial >> 3
|
|
// 0010 - irreducible polynomial >> 2
|
|
// 0011 - (irreducible polynomial >> 3 xor irreducible polynomial >> 2)
|
|
// ...
|
|
// 1000 - just the irreducible polynomial
|
|
var ghashReductionTable = []uint16{
|
|
0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
|
|
0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
|
|
}
|
|
|
|
// ghashMul sets y to y*H, where H is the GHASH key, fixed during New.
|
|
func ghashMul(productTable *[16]ghashFieldElement, y *ghashFieldElement) {
|
|
var z ghashFieldElement
|
|
|
|
// Eliminate bounds checks in the loop.
|
|
_ = ghashReductionTable[0xf]
|
|
|
|
for i := 0; i < 2; i++ {
|
|
word := y.high
|
|
if i == 1 {
|
|
word = y.low
|
|
}
|
|
|
|
// Multiplication works by multiplying z by 16 and adding in
|
|
// one of the precomputed multiples of hash key.
|
|
for j := 0; j < 64; j += 4 {
|
|
msw := z.high & 0xf
|
|
z.high >>= 4
|
|
z.high |= z.low << 60
|
|
z.low >>= 4
|
|
z.low ^= uint64(ghashReductionTable[msw]) << 48
|
|
|
|
// the values in |table| are ordered for
|
|
// little-endian bit positions.
|
|
t := &productTable[word&0xf]
|
|
|
|
z.low ^= t.low
|
|
z.high ^= t.high
|
|
word >>= 4
|
|
}
|
|
}
|
|
|
|
*y = z
|
|
}
|
|
|
|
// updateBlocks extends y with more polynomial terms from blocks, based on
|
|
// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
|
|
func updateBlocks(productTable *[16]ghashFieldElement, y *ghashFieldElement, blocks []byte) {
|
|
for len(blocks) > 0 {
|
|
y.low ^= byteorder.BEUint64(blocks)
|
|
y.high ^= byteorder.BEUint64(blocks[8:])
|
|
ghashMul(productTable, y)
|
|
blocks = blocks[blockSize:]
|
|
}
|
|
}
|
|
|
|
// ghashUpdate extends y with more polynomial terms from data. If data is not a
|
|
// multiple of gcmBlockSize bytes long then the remainder is zero padded.
|
|
func ghashUpdate(productTable *[16]ghashFieldElement, y *ghashFieldElement, data []byte) {
|
|
fullBlocks := (len(data) >> 4) << 4
|
|
updateBlocks(productTable, y, data[:fullBlocks])
|
|
|
|
if len(data) != fullBlocks {
|
|
var partialBlock [blockSize]byte
|
|
copy(partialBlock[:], data[fullBlocks:])
|
|
updateBlocks(productTable, y, partialBlock[:])
|
|
}
|
|
}
|