From adb0383133763a698e490bb12d7ef711723a7885 Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Thu, 31 Aug 2023 00:20:23 +0800 Subject: [PATCH 1/5] feat: v0.2.0-alpha-1, performance improved from 36MB/s to ~450MB/s --- Cargo.toml | 7 ++- examples/bench.rs | 14 ++--- src/decryptor.rs | 4 ++ src/encryptor.rs | 19 ++++-- src/encryptor2.rs | 145 ++++++++++++++++++++++++++++++++++++++++++++++ src/lib.rs | 4 ++ 6 files changed, 180 insertions(+), 13 deletions(-) create mode 100644 src/encryptor2.rs diff --git a/Cargo.toml b/Cargo.toml index 8c54d1e..3bf1857 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "aes-gcm-stream" -version = "0.1.1" +version = "0.1.2" edition = "2021" authors = ["Hatter Jiang"] repository = "https://git.hatter.ink/hatter/aes-gcm-stream" @@ -13,9 +13,12 @@ categories = ["cryptography"] [dependencies] aes = { version = "0.8.3", features = ["zeroize"] } +ghash = "0.5.0" zeroize = { version = "1.6.0", features = ["zeroize_derive"] } -[dev-dependencies] hex = "0.4.3" + +[dev-dependencies] +#hex = "0.4.3" aes-gcm = { version = "0.10.2", features = ["zeroize"] } benchmark-simple = "0.1.8" diff --git a/examples/bench.rs b/examples/bench.rs index 691b8b5..d5535ee 100644 --- a/examples/bench.rs +++ b/examples/bench.rs @@ -2,7 +2,7 @@ use aes_gcm::{Aes256Gcm, KeyInit}; use aes_gcm::aead::{Aead, Nonce}; use benchmark_simple::{Bench, Options}; -use aes_gcm_stream::{Aes128GcmStreamEncryptor, Aes192GcmStreamEncryptor, Aes256GcmStreamEncryptor}; +use aes_gcm_stream::{Aes128GcmStreamEncryptor, Aes192GcmStreamEncryptor, Aes256GcmStreamEncryptor, Aes256GcmStreamEncryptor2}; fn test_aes128_encrypt(m: &mut [u8]) { let key = [0u8; 16]; @@ -25,7 +25,7 @@ fn test_aes192_encrypt(m: &mut [u8]) { fn test_aes256_encrypt(m: &mut [u8]) { let key = [0u8; 32]; let nonce = [0u8; 12]; - let mut encryptor = Aes256GcmStreamEncryptor::new(key, &nonce); + let mut encryptor = Aes256GcmStreamEncryptor2::new(key, &nonce); encryptor.update(m); encryptor.finalize(); @@ -55,11 +55,11 @@ fn main() { ..Default::default() }; - let res = bench.run(options, || test_aes128_encrypt(&mut m)); - println!("AES128 encrypt : {}", res.throughput(m.len() as _)); - - let res = bench.run(options, || test_aes192_encrypt(&mut m)); - println!("AES192 encrypt : {}", res.throughput(m.len() as _)); + // let res = bench.run(options, || test_aes128_encrypt(&mut m)); + // println!("AES128 encrypt : {}", res.throughput(m.len() as _)); + // + // let res = bench.run(options, || test_aes192_encrypt(&mut m)); + // println!("AES192 encrypt : {}", res.throughput(m.len() as _)); let res = bench.run(options, || test_aes256_encrypt(&mut m)); println!("AES256 encrypt : {}", res.throughput(m.len() as _)); diff --git a/src/decryptor.rs b/src/decryptor.rs index 2a7b244..a51e24a 100644 --- a/src/decryptor.rs +++ b/src/decryptor.rs @@ -42,6 +42,7 @@ impl $module { message_len: 0, }; let (ghash_key, normalized_nonce) = s.normalize_nonce(nonce); + println!("<<< KEY: {}", hex::encode(ghash_key.to_be_bytes())); s.ghash_key = ghash_key; s.init_nonce = normalized_nonce; s.encryption_nonce = normalized_nonce; @@ -126,7 +127,9 @@ impl $module { let mut bs = self.init_nonce.to_be_bytes().clone(); let block = Block::<$aesn>::from_mut_slice(&mut bs); self.crypto.encrypt_block(block); + println!("<<< final enc block: {}", hex::encode(&block.as_slice())); let tag_trunk = self.ghash_val.to_be_bytes(); + println!("<<< final block: {}", hex::encode(&tag_trunk)); let y = u8to128(&tag_trunk) ^ u8to128(&block.as_slice()); y.to_be_bytes().to_vec() } @@ -138,6 +141,7 @@ impl $module { let blocks_count = integrality_buffer_slice_len / 16; for i in 0..blocks_count { let buf = &integrality_buffer_slice[i * 16..(i + 1) * 16]; + println!("<<< block: {}", hex::encode(buf)); self.ghash_val = gmul_128(self.ghash_val ^ u8to128(buf), self.ghash_key) } self.integrality_buffer = integrality_buffer_slice[blocks_count * 16..].to_vec(); diff --git a/src/encryptor.rs b/src/encryptor.rs index 9a01b47..5a417c5 100644 --- a/src/encryptor.rs +++ b/src/encryptor.rs @@ -66,11 +66,21 @@ impl $module { } let blocks_count = message_buffer_len / 16; let mut encrypted_message = Vec::with_capacity(blocks_count * 16); - for i in 0..blocks_count { + let mut blocks = Vec::with_capacity(blocks_count); + for _ in 0..blocks_count { self.encryption_nonce = inc_32(self.encryption_nonce); - let mut ctr = self.encryption_nonce.to_be_bytes(); - let block = Block::<$aesn>::from_mut_slice(&mut ctr); - self.crypto.encrypt_block(block); + let ctr = self.encryption_nonce.to_be_bytes(); + let block = Block::<$aesn>::clone_from_slice(&ctr); + blocks.push(block); + } + // println!("block site: {}", blocks.len()); + self.crypto.encrypt_blocks(&mut blocks); + for i in 0..blocks_count { + // self.encryption_nonce = inc_32(self.encryption_nonce); + // let mut ctr = self.encryption_nonce.to_be_bytes(); + // let block = Block::<$aesn>::from_mut_slice(&mut ctr); + // self.crypto.encrypt_block(block); + let block = &blocks[i]; let chunk = &message_buffer_slice[i * 16..(i + 1) * 16]; let y = u8to128(chunk) ^ u8to128(&block.as_slice()); encrypted_message.extend_from_slice(&y.to_be_bytes()); @@ -125,6 +135,7 @@ impl $module { } fn update_integrality_buffer(&mut self) { + // self.integrality_buffer.clear(); let integrality_buffer_slice = self.integrality_buffer.as_slice(); let integrality_buffer_slice_len = integrality_buffer_slice.len(); if integrality_buffer_slice_len >= 16 { diff --git a/src/encryptor2.rs b/src/encryptor2.rs new file mode 100644 index 0000000..3c516e1 --- /dev/null +++ b/src/encryptor2.rs @@ -0,0 +1,145 @@ +use aes::Aes256; +use aes::cipher::{Block, BlockEncrypt, BlockSizeUser, KeyInit}; +use aes::cipher::consts::U16; +use aes::cipher::generic_array::GenericArray; +use ghash::GHash; +use ghash::universal_hash::UniversalHash; +use zeroize::Zeroize; + +use crate::util::{inc_32, msb_s, normalize_nonce, u8to128}; + +struct AesBlock {} + +impl BlockSizeUser for AesBlock { + type BlockSize = U16; +} + +const BLOCK_SIZE: usize = 16; + +// #[derive(ZeroizeOnDrop)] +pub struct Aes256GcmStreamEncryptor2 { + cipher: Aes256, + message_buffer: Vec, + ghash: GHash, + ghash_key: u128, + init_nonce: u128, + encryption_nonce: u128, + adata_len: usize, + message_len: usize, +} + +impl Aes256GcmStreamEncryptor2 { + pub fn new(key: [u8; 32], nonce: &[u8]) -> Self { + let key = GenericArray::from(key); + let aes = Aes256::new(&key); + + let mut ghash_key = ghash::Key::default(); + aes.encrypt_block(&mut ghash_key); + let ghash = GHash::new(&ghash_key); + ghash_key.zeroize(); + + let mut s = Self { + cipher: aes, + message_buffer: vec![], + ghash, + ghash_key: 0, + init_nonce: 0, + encryption_nonce: 0, + adata_len: 0, + message_len: 0, + }; + let (ghash_key, normalized_nonce) = s.normalize_nonce(nonce); + s.ghash_key = ghash_key; + s.init_nonce = normalized_nonce; + s.encryption_nonce = normalized_nonce; + s + } + + pub fn init_adata(&mut self, adata: &[u8]) { + if adata.len() > 0 { + self.adata_len += adata.len(); + self.ghash.update_padded(adata); + } + } + + pub fn update(&mut self, message: &[u8]) -> Vec { + self.message_buffer.extend_from_slice(message); + let message_buffer_slice = self.message_buffer.as_slice(); + if message_buffer_slice.len() < BLOCK_SIZE { + return Vec::with_capacity(0); + } + let blocks_count = message_buffer_slice.len() / BLOCK_SIZE; + let mut blocks = Vec::with_capacity(blocks_count); + for _ in 0..blocks_count { + self.encryption_nonce = inc_32(self.encryption_nonce); + let ctr = self.encryption_nonce.to_be_bytes(); + blocks.push(Block::::clone_from_slice(&ctr)); + } + self.cipher.encrypt_blocks(&mut blocks); + + let mut encrypted_message = message_buffer_slice[0..blocks_count * BLOCK_SIZE].to_vec(); + for i in 0..blocks_count { + let chunk = &mut encrypted_message[i * BLOCK_SIZE..(i + 1) * BLOCK_SIZE]; + let block = blocks[i].as_slice(); + for k in 0..BLOCK_SIZE { + chunk[k] ^= block[k]; + } + } + self.ghash.update_padded(&encrypted_message); + self.message_buffer = message_buffer_slice[blocks_count * BLOCK_SIZE..].to_vec(); + self.message_len += encrypted_message.len(); + + encrypted_message + } + + pub fn finalize(&mut self) -> (Vec, Vec) { + let mut final_encrypted_message = Vec::with_capacity(BLOCK_SIZE); + if !self.message_buffer.is_empty() { + // last block and this block len may less than 128 bits (16 bytes) + self.encryption_nonce = inc_32(self.encryption_nonce); + let mut ctr = self.encryption_nonce.to_be_bytes(); + let block = Block::::from_mut_slice(&mut ctr); + self.cipher.encrypt_block(block); + + let chunk = self.message_buffer.as_slice(); + let msb = msb_s(chunk.len() * 8, block.as_slice()); + let y = u8to128(chunk) ^ u8to128(&msb); + final_encrypted_message.extend_from_slice(&y.to_be_bytes()[16 - chunk.len()..16]); + self.ghash.update_padded(&final_encrypted_message); + self.message_len += final_encrypted_message.len(); + } + let adata_bit_len = self.adata_len * 8; + let message_bit_len = self.message_len * 8; + let mut adata_and_message_len = Vec::with_capacity(BLOCK_SIZE); + adata_and_message_len.extend_from_slice(&(adata_bit_len as u64).to_be_bytes()); + adata_and_message_len.extend_from_slice(&(message_bit_len as u64).to_be_bytes()); + self.ghash.update_padded(&adata_and_message_len); + + + let tag = self.compute_tag(); + + (final_encrypted_message, tag) + } + + fn compute_tag(&mut self) -> Vec { + let mut bs = self.init_nonce.to_be_bytes().clone(); + let block = Block::::from_mut_slice(&mut bs); + self.cipher.encrypt_block(block); + let ghash = self.ghash.clone().finalize(); + let tag_trunk = ghash.as_slice(); + let y = u8to128(&tag_trunk) ^ u8to128(&block.as_slice()); + y.to_be_bytes().to_vec() + } + + fn ghash_key(&mut self) -> u128 { + let mut block = [0u8; BLOCK_SIZE]; + let block = Block::::from_mut_slice(&mut block); + self.cipher.encrypt_block(block); + u8to128(&block.as_slice()) + } + + fn normalize_nonce(&mut self, nonce_bytes: &[u8]) -> (u128, u128) { + let ghash_key = self.ghash_key(); + normalize_nonce(ghash_key, nonce_bytes) + } +} diff --git a/src/lib.rs b/src/lib.rs index 81c6f02..8de03db 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -17,11 +17,14 @@ pub use decryptor::Aes256GcmStreamDecryptor; pub use encryptor::Aes128GcmStreamEncryptor; pub use encryptor::Aes192GcmStreamEncryptor; pub use encryptor::Aes256GcmStreamEncryptor; +pub use encryptor2::Aes256GcmStreamEncryptor2; mod util; mod encryptor; mod decryptor; +mod encryptor2; + #[test] fn test128() { use aes_gcm::{aead::{Aead, Nonce, Payload}, Aes128Gcm, KeyInit}; @@ -198,6 +201,7 @@ fn test256() { ]; for (key, nonce, aad, plaintext) in knp { + println!("======= {} {} {} {}", hex::encode(key), hex::encode(nonce), hex::encode(aad), hex::encode(plaintext)); // encrypt let mut ciphertext = vec![]; let mut encryptor = Aes256GcmStreamEncryptor::new(key.clone(), &nonce); From 0ad4e5ce2861f57417245cb81de437b244f825c1 Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Thu, 31 Aug 2023 00:22:46 +0800 Subject: [PATCH 2/5] feat: v0.2.0-alpha-1 --- Cargo.toml | 6 ++---- src/decryptor.rs | 4 ---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 3bf1857..7c502eb 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "aes-gcm-stream" -version = "0.1.2" +version = "0.2.0" edition = "2021" authors = ["Hatter Jiang"] repository = "https://git.hatter.ink/hatter/aes-gcm-stream" @@ -16,9 +16,7 @@ aes = { version = "0.8.3", features = ["zeroize"] } ghash = "0.5.0" zeroize = { version = "1.6.0", features = ["zeroize_derive"] } -hex = "0.4.3" - [dev-dependencies] -#hex = "0.4.3" +hex = "0.4.3" aes-gcm = { version = "0.10.2", features = ["zeroize"] } benchmark-simple = "0.1.8" diff --git a/src/decryptor.rs b/src/decryptor.rs index a51e24a..2a7b244 100644 --- a/src/decryptor.rs +++ b/src/decryptor.rs @@ -42,7 +42,6 @@ impl $module { message_len: 0, }; let (ghash_key, normalized_nonce) = s.normalize_nonce(nonce); - println!("<<< KEY: {}", hex::encode(ghash_key.to_be_bytes())); s.ghash_key = ghash_key; s.init_nonce = normalized_nonce; s.encryption_nonce = normalized_nonce; @@ -127,9 +126,7 @@ impl $module { let mut bs = self.init_nonce.to_be_bytes().clone(); let block = Block::<$aesn>::from_mut_slice(&mut bs); self.crypto.encrypt_block(block); - println!("<<< final enc block: {}", hex::encode(&block.as_slice())); let tag_trunk = self.ghash_val.to_be_bytes(); - println!("<<< final block: {}", hex::encode(&tag_trunk)); let y = u8to128(&tag_trunk) ^ u8to128(&block.as_slice()); y.to_be_bytes().to_vec() } @@ -141,7 +138,6 @@ impl $module { let blocks_count = integrality_buffer_slice_len / 16; for i in 0..blocks_count { let buf = &integrality_buffer_slice[i * 16..(i + 1) * 16]; - println!("<<< block: {}", hex::encode(buf)); self.ghash_val = gmul_128(self.ghash_val ^ u8to128(buf), self.ghash_key) } self.integrality_buffer = integrality_buffer_slice[blocks_count * 16..].to_vec(); From aab2c97eaa9d99ea30aa61357950885a15d7d858 Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Fri, 1 Sep 2023 23:50:15 +0800 Subject: [PATCH 3/5] feat: encryptor performance updated --- Cargo.toml | 6 +- examples/bench.rs | 14 ++--- src/encryptor.rs | 136 +++++++++++++++++++--------------------------- src/encryptor2.rs | 19 +------ src/lib.rs | 1 - src/util.rs | 12 ++++ 6 files changed, 83 insertions(+), 105 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 7c502eb..0adbbd9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,11 +12,15 @@ categories = ["cryptography"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] +aead = "0.5.2" aes = { version = "0.8.3", features = ["zeroize"] } +aes-gcm = { version = "0.10.2", features = ["zeroize"] } +cipher = "0.4.4" +ctr = "0.9.2" ghash = "0.5.0" +subtle = "2.5.0" zeroize = { version = "1.6.0", features = ["zeroize_derive"] } [dev-dependencies] hex = "0.4.3" -aes-gcm = { version = "0.10.2", features = ["zeroize"] } benchmark-simple = "0.1.8" diff --git a/examples/bench.rs b/examples/bench.rs index d5535ee..691b8b5 100644 --- a/examples/bench.rs +++ b/examples/bench.rs @@ -2,7 +2,7 @@ use aes_gcm::{Aes256Gcm, KeyInit}; use aes_gcm::aead::{Aead, Nonce}; use benchmark_simple::{Bench, Options}; -use aes_gcm_stream::{Aes128GcmStreamEncryptor, Aes192GcmStreamEncryptor, Aes256GcmStreamEncryptor, Aes256GcmStreamEncryptor2}; +use aes_gcm_stream::{Aes128GcmStreamEncryptor, Aes192GcmStreamEncryptor, Aes256GcmStreamEncryptor}; fn test_aes128_encrypt(m: &mut [u8]) { let key = [0u8; 16]; @@ -25,7 +25,7 @@ fn test_aes192_encrypt(m: &mut [u8]) { fn test_aes256_encrypt(m: &mut [u8]) { let key = [0u8; 32]; let nonce = [0u8; 12]; - let mut encryptor = Aes256GcmStreamEncryptor2::new(key, &nonce); + let mut encryptor = Aes256GcmStreamEncryptor::new(key, &nonce); encryptor.update(m); encryptor.finalize(); @@ -55,11 +55,11 @@ fn main() { ..Default::default() }; - // let res = bench.run(options, || test_aes128_encrypt(&mut m)); - // println!("AES128 encrypt : {}", res.throughput(m.len() as _)); - // - // let res = bench.run(options, || test_aes192_encrypt(&mut m)); - // println!("AES192 encrypt : {}", res.throughput(m.len() as _)); + let res = bench.run(options, || test_aes128_encrypt(&mut m)); + println!("AES128 encrypt : {}", res.throughput(m.len() as _)); + + let res = bench.run(options, || test_aes192_encrypt(&mut m)); + println!("AES192 encrypt : {}", res.throughput(m.len() as _)); let res = bench.run(options, || test_aes256_encrypt(&mut m)); println!("AES256 encrypt : {}", res.throughput(m.len() as _)); diff --git a/src/encryptor.rs b/src/encryptor.rs index 5a417c5..6766d25 100644 --- a/src/encryptor.rs +++ b/src/encryptor.rs @@ -1,9 +1,11 @@ use aes::{Aes128, Aes192, Aes256}; use aes::cipher::{Block, BlockEncrypt, KeyInit}; use aes::cipher::generic_array::GenericArray; -use zeroize::ZeroizeOnDrop; +use ghash::GHash; +use ghash::universal_hash::UniversalHash; +use zeroize::Zeroize; -use crate::util::{gmul_128, inc_32, msb_s, normalize_nonce, u8to128}; +use crate::util::{AesBlock, BLOCK_SIZE, inc_32, msb_s, normalize_nonce, u8to128}; macro_rules! define_aes_gcm_stream_encryptor_impl { ( @@ -11,14 +13,10 @@ macro_rules! define_aes_gcm_stream_encryptor_impl { $aesn:tt, $key_size:tt ) => { - -#[derive(ZeroizeOnDrop)] pub struct $module { - crypto: $aesn, + cipher: $aesn, message_buffer: Vec, - integrality_buffer: Vec, - ghash_key: u128, - ghash_val: u128, + ghash: GHash, init_nonce: u128, encryption_nonce: u128, adata_len: usize, @@ -30,128 +28,106 @@ impl $module { let key = GenericArray::from(key); let aes = $aesn::new(&key); + let mut ghash_key = ghash::Key::default(); + aes.encrypt_block(&mut ghash_key); + let ghash = GHash::new(&ghash_key); + ghash_key.zeroize(); + let mut s = Self { - crypto: aes, + cipher: aes, message_buffer: vec![], - integrality_buffer: vec![], - ghash_key: 0, - ghash_val: 0, + ghash, init_nonce: 0, encryption_nonce: 0, adata_len: 0, message_len: 0, }; - let (ghash_key, normalized_nonce) = s.normalize_nonce(nonce); - s.ghash_key = ghash_key; + let (_, normalized_nonce) = s.normalize_nonce(nonce); s.init_nonce = normalized_nonce; s.encryption_nonce = normalized_nonce; s } pub fn init_adata(&mut self, adata: &[u8]) { - self.integrality_buffer.extend_from_slice(adata); - self.adata_len += adata.len(); - - let adata_bit_len = self.adata_len * 8; - let v = 128 * ((adata_bit_len + 128 - 1) / 128) - adata_bit_len; - self.integrality_buffer.extend_from_slice(&vec![0x00; v / 8]); + if adata.len() > 0 { + self.adata_len += adata.len(); + self.ghash.update_padded(adata); + } } - pub fn update(&mut self, bytes: &[u8]) -> Vec { - self.message_buffer.extend_from_slice(bytes); + pub fn update(&mut self, message: &[u8]) -> Vec { + self.message_buffer.extend_from_slice(message); let message_buffer_slice = self.message_buffer.as_slice(); - let message_buffer_len = message_buffer_slice.len(); - if message_buffer_len < 16 { + if message_buffer_slice.len() < BLOCK_SIZE { return Vec::with_capacity(0); } - let blocks_count = message_buffer_len / 16; - let mut encrypted_message = Vec::with_capacity(blocks_count * 16); + let blocks_count = message_buffer_slice.len() / BLOCK_SIZE; let mut blocks = Vec::with_capacity(blocks_count); for _ in 0..blocks_count { self.encryption_nonce = inc_32(self.encryption_nonce); let ctr = self.encryption_nonce.to_be_bytes(); - let block = Block::<$aesn>::clone_from_slice(&ctr); - blocks.push(block); + blocks.push(Block::::clone_from_slice(&ctr)); } - // println!("block site: {}", blocks.len()); - self.crypto.encrypt_blocks(&mut blocks); - for i in 0..blocks_count { - // self.encryption_nonce = inc_32(self.encryption_nonce); - // let mut ctr = self.encryption_nonce.to_be_bytes(); - // let block = Block::<$aesn>::from_mut_slice(&mut ctr); - // self.crypto.encrypt_block(block); - let block = &blocks[i]; - let chunk = &message_buffer_slice[i * 16..(i + 1) * 16]; - let y = u8to128(chunk) ^ u8to128(&block.as_slice()); - encrypted_message.extend_from_slice(&y.to_be_bytes()); - } - self.message_buffer = message_buffer_slice[blocks_count * 16..].to_vec(); - self.integrality_buffer.extend_from_slice(&encrypted_message); - self.message_len += encrypted_message.len(); + self.cipher.encrypt_blocks(&mut blocks); - self.update_integrality_buffer(); + let mut encrypted_message = message_buffer_slice[0..blocks_count * BLOCK_SIZE].to_vec(); + for i in 0..blocks_count { + let chunk = &mut encrypted_message[i * BLOCK_SIZE..(i + 1) * BLOCK_SIZE]; + let block = blocks[i].as_slice(); + for k in 0..BLOCK_SIZE { + chunk[k] ^= block[k]; + } + } + self.ghash.update_padded(&encrypted_message); + self.message_buffer = message_buffer_slice[blocks_count * BLOCK_SIZE..].to_vec(); + self.message_len += encrypted_message.len(); encrypted_message } pub fn finalize(&mut self) -> (Vec, Vec) { - let mut encrypted_message = Vec::with_capacity(16); + let mut final_encrypted_message = Vec::with_capacity(BLOCK_SIZE); if !self.message_buffer.is_empty() { - // last block and this block len is less than 128 bits + // last block and this block len may less than 128 bits (16 bytes) self.encryption_nonce = inc_32(self.encryption_nonce); let mut ctr = self.encryption_nonce.to_be_bytes(); - let block = Block::<$aesn>::from_mut_slice(&mut ctr); - self.crypto.encrypt_block(block); + let block = Block::::from_mut_slice(&mut ctr); + self.cipher.encrypt_block(block); let chunk = self.message_buffer.as_slice(); let msb = msb_s(chunk.len() * 8, block.as_slice()); let y = u8to128(chunk) ^ u8to128(&msb); - encrypted_message.extend_from_slice(&y.to_be_bytes()[16 - chunk.len()..16]); - self.integrality_buffer.extend_from_slice(&encrypted_message); - self.message_len += encrypted_message.len(); + final_encrypted_message.extend_from_slice(&y.to_be_bytes()[16 - chunk.len()..16]); + self.ghash.update_padded(&final_encrypted_message); + self.message_len += final_encrypted_message.len(); } let adata_bit_len = self.adata_len * 8; let message_bit_len = self.message_len * 8; - let u = 128 * ((message_bit_len + 128 - 1) / 128) - message_bit_len; - self.integrality_buffer.extend_from_slice(&vec![0x00; u / 8]); - self.integrality_buffer.extend_from_slice(&(adata_bit_len as u64).to_be_bytes()); - self.integrality_buffer.extend_from_slice(&(message_bit_len as u64).to_be_bytes()); + let mut adata_and_message_len = Vec::with_capacity(BLOCK_SIZE); + adata_and_message_len.extend_from_slice(&(adata_bit_len as u64).to_be_bytes()); + adata_and_message_len.extend_from_slice(&(message_bit_len as u64).to_be_bytes()); + self.ghash.update_padded(&adata_and_message_len); - self.update_integrality_buffer(); - assert!(self.integrality_buffer.is_empty()); - let tag = self.calculate_tag(); + let tag = self.compute_tag(); - (encrypted_message, tag) + (final_encrypted_message, tag) } - fn calculate_tag(&mut self) -> Vec { + fn compute_tag(&mut self) -> Vec { let mut bs = self.init_nonce.to_be_bytes().clone(); - let block = Block::<$aesn>::from_mut_slice(&mut bs); - self.crypto.encrypt_block(block); - let tag_trunk = self.ghash_val.to_be_bytes(); + let block = Block::::from_mut_slice(&mut bs); + self.cipher.encrypt_block(block); + let ghash = self.ghash.clone().finalize(); + let tag_trunk = ghash.as_slice(); let y = u8to128(&tag_trunk) ^ u8to128(&block.as_slice()); y.to_be_bytes().to_vec() } - fn update_integrality_buffer(&mut self) { - // self.integrality_buffer.clear(); - let integrality_buffer_slice = self.integrality_buffer.as_slice(); - let integrality_buffer_slice_len = integrality_buffer_slice.len(); - if integrality_buffer_slice_len >= 16 { - let blocks_count = integrality_buffer_slice_len / 16; - for i in 0..blocks_count { - let buf = &integrality_buffer_slice[i * 16..(i + 1) * 16]; - self.ghash_val = gmul_128(self.ghash_val ^ u8to128(buf), self.ghash_key) - } - self.integrality_buffer = integrality_buffer_slice[blocks_count * 16..].to_vec(); - } - } - fn ghash_key(&mut self) -> u128 { - let mut block = [0u8; 16]; - let block = Block::<$aesn>::from_mut_slice(&mut block); - self.crypto.encrypt_block(block); + let mut block = [0u8; BLOCK_SIZE]; + let block = Block::::from_mut_slice(&mut block); + self.cipher.encrypt_block(block); u8to128(&block.as_slice()) } diff --git a/src/encryptor2.rs b/src/encryptor2.rs index 3c516e1..37822d2 100644 --- a/src/encryptor2.rs +++ b/src/encryptor2.rs @@ -1,27 +1,16 @@ use aes::Aes256; -use aes::cipher::{Block, BlockEncrypt, BlockSizeUser, KeyInit}; -use aes::cipher::consts::U16; +use aes::cipher::{Block, BlockEncrypt, KeyInit}; use aes::cipher::generic_array::GenericArray; use ghash::GHash; use ghash::universal_hash::UniversalHash; use zeroize::Zeroize; -use crate::util::{inc_32, msb_s, normalize_nonce, u8to128}; +use crate::util::{AesBlock, BLOCK_SIZE, inc_32, msb_s, normalize_nonce, u8to128}; -struct AesBlock {} - -impl BlockSizeUser for AesBlock { - type BlockSize = U16; -} - -const BLOCK_SIZE: usize = 16; - -// #[derive(ZeroizeOnDrop)] pub struct Aes256GcmStreamEncryptor2 { cipher: Aes256, message_buffer: Vec, ghash: GHash, - ghash_key: u128, init_nonce: u128, encryption_nonce: u128, adata_len: usize, @@ -42,14 +31,12 @@ impl Aes256GcmStreamEncryptor2 { cipher: aes, message_buffer: vec![], ghash, - ghash_key: 0, init_nonce: 0, encryption_nonce: 0, adata_len: 0, message_len: 0, }; - let (ghash_key, normalized_nonce) = s.normalize_nonce(nonce); - s.ghash_key = ghash_key; + let (_, normalized_nonce) = s.normalize_nonce(nonce); s.init_nonce = normalized_nonce; s.encryption_nonce = normalized_nonce; s diff --git a/src/lib.rs b/src/lib.rs index 8de03db..2ed20c1 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -17,7 +17,6 @@ pub use decryptor::Aes256GcmStreamDecryptor; pub use encryptor::Aes128GcmStreamEncryptor; pub use encryptor::Aes192GcmStreamEncryptor; pub use encryptor::Aes256GcmStreamEncryptor; -pub use encryptor2::Aes256GcmStreamEncryptor2; mod util; mod encryptor; diff --git a/src/util.rs b/src/util.rs index c92e04d..c03a37c 100644 --- a/src/util.rs +++ b/src/util.rs @@ -1,3 +1,15 @@ +use cipher::BlockSizeUser; +use cipher::consts::U16; + +pub(crate) struct AesBlock {} + +impl BlockSizeUser for AesBlock { + type BlockSize = U16; +} + +pub(crate) const BLOCK_SIZE: usize = 16; + + // R = 11100001 || 0(120) const R: u128 = 0b11100001 << 120; From d46fa7b03fca10b8aeee6ac939507a19b921a769 Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Sat, 2 Sep 2023 00:10:17 +0800 Subject: [PATCH 4/5] feat: v0.2.0 performance improved, from 36MB/s to 477MB/s --- examples/bench.rs | 22 +++++++- src/decryptor.rs | 115 ++++++++++++++++++---------------------- src/encryptor2.rs | 132 ---------------------------------------------- src/lib.rs | 4 +- 4 files changed, 74 insertions(+), 199 deletions(-) delete mode 100644 src/encryptor2.rs diff --git a/examples/bench.rs b/examples/bench.rs index 691b8b5..ff29fcd 100644 --- a/examples/bench.rs +++ b/examples/bench.rs @@ -2,7 +2,7 @@ use aes_gcm::{Aes256Gcm, KeyInit}; use aes_gcm::aead::{Aead, Nonce}; use benchmark_simple::{Bench, Options}; -use aes_gcm_stream::{Aes128GcmStreamEncryptor, Aes192GcmStreamEncryptor, Aes256GcmStreamEncryptor}; +use aes_gcm_stream::{Aes128GcmStreamEncryptor, Aes192GcmStreamEncryptor, Aes256GcmStreamDecryptor, Aes256GcmStreamEncryptor}; fn test_aes128_encrypt(m: &mut [u8]) { let key = [0u8; 16]; @@ -31,6 +31,23 @@ fn test_aes256_encrypt(m: &mut [u8]) { encryptor.finalize(); } +fn test_aes256_encrypted_and_decrypt(m: &mut [u8]) { + let key = [0u8; 32]; + let nonce = [0u8; 12]; + let mut encryptor = Aes256GcmStreamEncryptor::new(key.clone(), &nonce); + + let mut encrypted = encryptor.update(m); + let (last_block, tag) = encryptor.finalize(); + encrypted.extend_from_slice(&last_block); + encrypted.extend_from_slice(&tag); + + let mut decryptor = Aes256GcmStreamDecryptor::new(key, &nonce); + let mut decrypted = decryptor.update(&encrypted); + let last_block = decryptor.finalize().expect("decrypt failed"); + decrypted.extend_from_slice(&last_block); + assert_eq!(m, decrypted.as_slice()); +} + fn test_aes256_encrypt_aesgcm(m: &mut [u8]) { let key = [0u8; 32]; let nonce = [0u8; 12]; @@ -64,6 +81,9 @@ fn main() { let res = bench.run(options, || test_aes256_encrypt(&mut m)); println!("AES256 encrypt : {}", res.throughput(m.len() as _)); + let res = bench.run(options, || test_aes256_encrypted_and_decrypt(&mut m)); + println!("AES256 en/decrypt : {}", res.throughput(m.len() as _)); + let res = bench.run(options, || test_aes256_encrypt_aesgcm(&mut m)); println!("AES256 encrypt aes-gcm : {}", res.throughput(m.len() as _)); } \ No newline at end of file diff --git a/src/decryptor.rs b/src/decryptor.rs index 2a7b244..9f53f22 100644 --- a/src/decryptor.rs +++ b/src/decryptor.rs @@ -1,9 +1,11 @@ use aes::{Aes128, Aes192, Aes256}; use aes::cipher::{Block, BlockEncrypt, KeyInit}; use aes::cipher::generic_array::GenericArray; -use zeroize::ZeroizeOnDrop; +use ghash::GHash; +use ghash::universal_hash::UniversalHash; +use zeroize::Zeroize; -use crate::util::{gmul_128, inc_32, msb_s, normalize_nonce, u8to128}; +use crate::util::{AesBlock, BLOCK_SIZE, inc_32, msb_s, normalize_nonce, u8to128}; macro_rules! define_aes_gcm_stream_decryptor_impl { ( @@ -11,14 +13,10 @@ macro_rules! define_aes_gcm_stream_decryptor_impl { $aesn:tt, $key_size:tt ) => { - -#[derive(ZeroizeOnDrop)] pub struct $module { - crypto: $aesn, + cipher: $aesn, message_buffer: Vec, - integrality_buffer: Vec, - ghash_key: u128, - ghash_val: u128, + ghash: GHash, init_nonce: u128, encryption_nonce: u128, adata_len: usize, @@ -30,31 +28,31 @@ impl $module { let key = GenericArray::from(key); let aes = $aesn::new(&key); + let mut ghash_key = ghash::Key::default(); + aes.encrypt_block(&mut ghash_key); + let ghash = GHash::new(&ghash_key); + ghash_key.zeroize(); + let mut s = Self { - crypto: aes, + cipher: aes, message_buffer: vec![], - integrality_buffer: vec![], - ghash_key: 0, - ghash_val: 0, + ghash, init_nonce: 0, encryption_nonce: 0, adata_len: 0, message_len: 0, }; - let (ghash_key, normalized_nonce) = s.normalize_nonce(nonce); - s.ghash_key = ghash_key; + let (_, normalized_nonce) = s.normalize_nonce(nonce); s.init_nonce = normalized_nonce; s.encryption_nonce = normalized_nonce; s } pub fn init_adata(&mut self, adata: &[u8]) { - self.integrality_buffer.extend_from_slice(adata); - self.adata_len += adata.len(); - - let adata_bit_len = self.adata_len * 8; - let v = 128 * ((adata_bit_len + 128 - 1) / 128) - adata_bit_len; - self.integrality_buffer.extend_from_slice(&vec![0x00; v / 8]); + if adata.len() > 0 { + self.adata_len += adata.len(); + self.ghash.update_padded(adata); + } } pub fn update(&mut self, bytes: &[u8]) -> Vec { @@ -65,21 +63,27 @@ impl $module { return Vec::with_capacity(0); } let blocks_count = (message_buffer_len / 16) - 1; - let mut plaintext_message = Vec::with_capacity(blocks_count * 16); - for i in 0..blocks_count { - self.encryption_nonce = inc_32(self.encryption_nonce); - let mut ctr = self.encryption_nonce.to_be_bytes(); - let block = Block::<$aesn>::from_mut_slice(&mut ctr); - self.crypto.encrypt_block(block); - let chunk = &message_buffer_slice[i * 16..(i + 1) * 16]; - let y = u8to128(chunk) ^ u8to128(&block.as_slice()); - plaintext_message.extend_from_slice(&y.to_be_bytes()); - } - self.integrality_buffer.extend_from_slice(&message_buffer_slice[0..blocks_count * 16]); - self.message_buffer = message_buffer_slice[blocks_count * 16..].to_vec(); - self.message_len += plaintext_message.len(); - self.update_integrality_buffer(); + let mut blocks = Vec::with_capacity(blocks_count); + for _ in 0..blocks_count { + self.encryption_nonce = inc_32(self.encryption_nonce); + let ctr = self.encryption_nonce.to_be_bytes(); + blocks.push(Block::::clone_from_slice(&ctr)); + } + self.cipher.encrypt_blocks(&mut blocks); + + let encrypted_message = &message_buffer_slice[0..blocks_count * BLOCK_SIZE]; + self.ghash.update_padded(encrypted_message); + let mut plaintext_message = encrypted_message.to_vec(); + for i in 0..blocks_count { + let chunk = &mut plaintext_message[i * BLOCK_SIZE..(i + 1) * BLOCK_SIZE]; + let block = blocks[i].as_slice(); + for k in 0..BLOCK_SIZE { + chunk[k] ^= block[k]; + } + } + self.message_buffer = message_buffer_slice[blocks_count * BLOCK_SIZE..].to_vec(); + self.message_len += plaintext_message.len(); plaintext_message } @@ -91,25 +95,22 @@ impl $module { // last block and this block len is less than 128 bits self.encryption_nonce = inc_32(self.encryption_nonce); let mut ctr = self.encryption_nonce.to_be_bytes(); - let block = Block::<$aesn>::from_mut_slice(&mut ctr); - self.crypto.encrypt_block(block); + let block = Block::::from_mut_slice(&mut ctr); + self.cipher.encrypt_block(block); let chunk = &self.message_buffer[0..message_buffer_len - 16]; let msb = msb_s(chunk.len() * 8, block.as_slice()); let y = u8to128(chunk) ^ u8to128(&msb); plaintext_message.extend_from_slice(&y.to_be_bytes()[16 - chunk.len()..16]); - self.integrality_buffer.extend_from_slice(&self.message_buffer[0..message_buffer_len - 16]); + self.ghash.update_padded(&self.message_buffer[0..message_buffer_len - 16]); self.message_len += plaintext_message.len(); } let adata_bit_len = self.adata_len * 8; let message_bit_len = self.message_len * 8; - let u = 128 * ((message_bit_len + 128 - 1) / 128) - message_bit_len; - self.integrality_buffer.extend_from_slice(&vec![0x00; u / 8]); - self.integrality_buffer.extend_from_slice(&(adata_bit_len as u64).to_be_bytes()); - self.integrality_buffer.extend_from_slice(&(message_bit_len as u64).to_be_bytes()); - - self.update_integrality_buffer(); - assert!(self.integrality_buffer.is_empty()); + let mut adata_and_message_len = Vec::with_capacity(BLOCK_SIZE); + adata_and_message_len.extend_from_slice(&(adata_bit_len as u64).to_be_bytes()); + adata_and_message_len.extend_from_slice(&(message_bit_len as u64).to_be_bytes()); + self.ghash.update_padded(&adata_and_message_len); let tag = self.calculate_tag(); let message_tag = &self.message_buffer[message_buffer_len - 16..]; @@ -124,30 +125,18 @@ impl $module { fn calculate_tag(&mut self) -> Vec { let mut bs = self.init_nonce.to_be_bytes().clone(); - let block = Block::<$aesn>::from_mut_slice(&mut bs); - self.crypto.encrypt_block(block); - let tag_trunk = self.ghash_val.to_be_bytes(); + let block = Block::::from_mut_slice(&mut bs); + self.cipher.encrypt_block(block); + let ghash = self.ghash.clone().finalize(); + let tag_trunk = ghash.as_slice(); let y = u8to128(&tag_trunk) ^ u8to128(&block.as_slice()); y.to_be_bytes().to_vec() } - fn update_integrality_buffer(&mut self) { - let integrality_buffer_slice = self.integrality_buffer.as_slice(); - let integrality_buffer_slice_len = integrality_buffer_slice.len(); - if integrality_buffer_slice_len >= 16 { - let blocks_count = integrality_buffer_slice_len / 16; - for i in 0..blocks_count { - let buf = &integrality_buffer_slice[i * 16..(i + 1) * 16]; - self.ghash_val = gmul_128(self.ghash_val ^ u8to128(buf), self.ghash_key) - } - self.integrality_buffer = integrality_buffer_slice[blocks_count * 16..].to_vec(); - } - } - fn ghash_key(&mut self) -> u128 { - let mut block = [0u8; 16]; - let block = Block::<$aesn>::from_mut_slice(&mut block); - self.crypto.encrypt_block(block); + let mut block = [0u8; BLOCK_SIZE]; + let block = Block::::from_mut_slice(&mut block); + self.cipher.encrypt_block(block); u8to128(&block.as_slice()) } diff --git a/src/encryptor2.rs b/src/encryptor2.rs deleted file mode 100644 index 37822d2..0000000 --- a/src/encryptor2.rs +++ /dev/null @@ -1,132 +0,0 @@ -use aes::Aes256; -use aes::cipher::{Block, BlockEncrypt, KeyInit}; -use aes::cipher::generic_array::GenericArray; -use ghash::GHash; -use ghash::universal_hash::UniversalHash; -use zeroize::Zeroize; - -use crate::util::{AesBlock, BLOCK_SIZE, inc_32, msb_s, normalize_nonce, u8to128}; - -pub struct Aes256GcmStreamEncryptor2 { - cipher: Aes256, - message_buffer: Vec, - ghash: GHash, - init_nonce: u128, - encryption_nonce: u128, - adata_len: usize, - message_len: usize, -} - -impl Aes256GcmStreamEncryptor2 { - pub fn new(key: [u8; 32], nonce: &[u8]) -> Self { - let key = GenericArray::from(key); - let aes = Aes256::new(&key); - - let mut ghash_key = ghash::Key::default(); - aes.encrypt_block(&mut ghash_key); - let ghash = GHash::new(&ghash_key); - ghash_key.zeroize(); - - let mut s = Self { - cipher: aes, - message_buffer: vec![], - ghash, - init_nonce: 0, - encryption_nonce: 0, - adata_len: 0, - message_len: 0, - }; - let (_, normalized_nonce) = s.normalize_nonce(nonce); - s.init_nonce = normalized_nonce; - s.encryption_nonce = normalized_nonce; - s - } - - pub fn init_adata(&mut self, adata: &[u8]) { - if adata.len() > 0 { - self.adata_len += adata.len(); - self.ghash.update_padded(adata); - } - } - - pub fn update(&mut self, message: &[u8]) -> Vec { - self.message_buffer.extend_from_slice(message); - let message_buffer_slice = self.message_buffer.as_slice(); - if message_buffer_slice.len() < BLOCK_SIZE { - return Vec::with_capacity(0); - } - let blocks_count = message_buffer_slice.len() / BLOCK_SIZE; - let mut blocks = Vec::with_capacity(blocks_count); - for _ in 0..blocks_count { - self.encryption_nonce = inc_32(self.encryption_nonce); - let ctr = self.encryption_nonce.to_be_bytes(); - blocks.push(Block::::clone_from_slice(&ctr)); - } - self.cipher.encrypt_blocks(&mut blocks); - - let mut encrypted_message = message_buffer_slice[0..blocks_count * BLOCK_SIZE].to_vec(); - for i in 0..blocks_count { - let chunk = &mut encrypted_message[i * BLOCK_SIZE..(i + 1) * BLOCK_SIZE]; - let block = blocks[i].as_slice(); - for k in 0..BLOCK_SIZE { - chunk[k] ^= block[k]; - } - } - self.ghash.update_padded(&encrypted_message); - self.message_buffer = message_buffer_slice[blocks_count * BLOCK_SIZE..].to_vec(); - self.message_len += encrypted_message.len(); - - encrypted_message - } - - pub fn finalize(&mut self) -> (Vec, Vec) { - let mut final_encrypted_message = Vec::with_capacity(BLOCK_SIZE); - if !self.message_buffer.is_empty() { - // last block and this block len may less than 128 bits (16 bytes) - self.encryption_nonce = inc_32(self.encryption_nonce); - let mut ctr = self.encryption_nonce.to_be_bytes(); - let block = Block::::from_mut_slice(&mut ctr); - self.cipher.encrypt_block(block); - - let chunk = self.message_buffer.as_slice(); - let msb = msb_s(chunk.len() * 8, block.as_slice()); - let y = u8to128(chunk) ^ u8to128(&msb); - final_encrypted_message.extend_from_slice(&y.to_be_bytes()[16 - chunk.len()..16]); - self.ghash.update_padded(&final_encrypted_message); - self.message_len += final_encrypted_message.len(); - } - let adata_bit_len = self.adata_len * 8; - let message_bit_len = self.message_len * 8; - let mut adata_and_message_len = Vec::with_capacity(BLOCK_SIZE); - adata_and_message_len.extend_from_slice(&(adata_bit_len as u64).to_be_bytes()); - adata_and_message_len.extend_from_slice(&(message_bit_len as u64).to_be_bytes()); - self.ghash.update_padded(&adata_and_message_len); - - - let tag = self.compute_tag(); - - (final_encrypted_message, tag) - } - - fn compute_tag(&mut self) -> Vec { - let mut bs = self.init_nonce.to_be_bytes().clone(); - let block = Block::::from_mut_slice(&mut bs); - self.cipher.encrypt_block(block); - let ghash = self.ghash.clone().finalize(); - let tag_trunk = ghash.as_slice(); - let y = u8to128(&tag_trunk) ^ u8to128(&block.as_slice()); - y.to_be_bytes().to_vec() - } - - fn ghash_key(&mut self) -> u128 { - let mut block = [0u8; BLOCK_SIZE]; - let block = Block::::from_mut_slice(&mut block); - self.cipher.encrypt_block(block); - u8to128(&block.as_slice()) - } - - fn normalize_nonce(&mut self, nonce_bytes: &[u8]) -> (u128, u128) { - let ghash_key = self.ghash_key(); - normalize_nonce(ghash_key, nonce_bytes) - } -} diff --git a/src/lib.rs b/src/lib.rs index 2ed20c1..e19c641 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -22,8 +22,6 @@ mod util; mod encryptor; mod decryptor; -mod encryptor2; - #[test] fn test128() { use aes_gcm::{aead::{Aead, Nonce, Payload}, Aes128Gcm, KeyInit}; @@ -251,7 +249,7 @@ fn test256_stream() { // encrypt let mut ciphertext = vec![]; let mut encryptor = Aes256GcmStreamEncryptor::new(key.clone(), &nonce); - for i in 0..1024 { + for i in 0..1025 { plaintext.extend_from_slice(&[(i % 128) as u8]); ciphertext.extend_from_slice(&encryptor.update(&[(i % 128) as u8])); } From 943575fabf074695fe2984d4bf67fb22e00457aa Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Sat, 2 Sep 2023 00:13:24 +0800 Subject: [PATCH 5/5] feat: clean dependency --- Cargo.toml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 0adbbd9..96108a9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,15 +12,12 @@ categories = ["cryptography"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] -aead = "0.5.2" aes = { version = "0.8.3", features = ["zeroize"] } -aes-gcm = { version = "0.10.2", features = ["zeroize"] } cipher = "0.4.4" -ctr = "0.9.2" ghash = "0.5.0" -subtle = "2.5.0" zeroize = { version = "1.6.0", features = ["zeroize_derive"] } [dev-dependencies] hex = "0.4.3" benchmark-simple = "0.1.8" +aes-gcm = { version = "0.10.2", features = ["zeroize"] }