xts.go 4.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. // Copyright 2012 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. // Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
  5. //
  6. // XTS mode is typically used for disk encryption, which presents a number of
  7. // novel problems that make more common modes inapplicable. The disk is
  8. // conceptually an array of sectors and we must be able to encrypt and decrypt
  9. // a sector in isolation. However, an attacker must not be able to transpose
  10. // two sectors of plaintext by transposing their ciphertext.
  11. //
  12. // XTS wraps a block cipher with Rogaway's XEX mode in order to build a
  13. // tweakable block cipher. This allows each sector to have a unique tweak and
  14. // effectively create a unique key for each sector.
  15. //
  16. // XTS does not provide any authentication. An attacker can manipulate the
  17. // ciphertext and randomise a block (16 bytes) of the plaintext.
  18. //
  19. // (Note: this package does not implement ciphertext-stealing so sectors must
  20. // be a multiple of 16 bytes.)
  21. package xts // import "golang.org/x/crypto/xts"
  22. import (
  23. "crypto/cipher"
  24. "encoding/binary"
  25. "errors"
  26. )
  27. // Cipher contains an expanded key structure. It doesn't contain mutable state
  28. // and therefore can be used concurrently.
  29. type Cipher struct {
  30. k1, k2 cipher.Block
  31. }
  32. // blockSize is the block size that the underlying cipher must have. XTS is
  33. // only defined for 16-byte ciphers.
  34. const blockSize = 16
  35. // NewCipher creates a Cipher given a function for creating the underlying
  36. // block cipher (which must have a block size of 16 bytes). The key must be
  37. // twice the length of the underlying cipher's key.
  38. func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {
  39. c = new(Cipher)
  40. if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {
  41. return
  42. }
  43. c.k2, err = cipherFunc(key[len(key)/2:])
  44. if c.k1.BlockSize() != blockSize {
  45. err = errors.New("xts: cipher does not have a block size of 16")
  46. }
  47. return
  48. }
  49. // Encrypt encrypts a sector of plaintext and puts the result into ciphertext.
  50. // Plaintext and ciphertext may be the same slice but should not overlap.
  51. // Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
  52. func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {
  53. if len(ciphertext) < len(plaintext) {
  54. panic("xts: ciphertext is smaller than plaintext")
  55. }
  56. if len(plaintext)%blockSize != 0 {
  57. panic("xts: plaintext is not a multiple of the block size")
  58. }
  59. var tweak [blockSize]byte
  60. binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
  61. c.k2.Encrypt(tweak[:], tweak[:])
  62. for len(plaintext) > 0 {
  63. for j := range tweak {
  64. ciphertext[j] = plaintext[j] ^ tweak[j]
  65. }
  66. c.k1.Encrypt(ciphertext, ciphertext)
  67. for j := range tweak {
  68. ciphertext[j] ^= tweak[j]
  69. }
  70. plaintext = plaintext[blockSize:]
  71. ciphertext = ciphertext[blockSize:]
  72. mul2(&tweak)
  73. }
  74. }
  75. // Decrypt decrypts a sector of ciphertext and puts the result into plaintext.
  76. // Plaintext and ciphertext may be the same slice but should not overlap.
  77. // Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
  78. func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {
  79. if len(plaintext) < len(ciphertext) {
  80. panic("xts: plaintext is smaller than ciphertext")
  81. }
  82. if len(ciphertext)%blockSize != 0 {
  83. panic("xts: ciphertext is not a multiple of the block size")
  84. }
  85. var tweak [blockSize]byte
  86. binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
  87. c.k2.Encrypt(tweak[:], tweak[:])
  88. for len(ciphertext) > 0 {
  89. for j := range tweak {
  90. plaintext[j] = ciphertext[j] ^ tweak[j]
  91. }
  92. c.k1.Decrypt(plaintext, plaintext)
  93. for j := range tweak {
  94. plaintext[j] ^= tweak[j]
  95. }
  96. plaintext = plaintext[blockSize:]
  97. ciphertext = ciphertext[blockSize:]
  98. mul2(&tweak)
  99. }
  100. }
  101. // mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
  102. // x¹²⁸ + x⁷ + x² + x + 1.
  103. func mul2(tweak *[blockSize]byte) {
  104. var carryIn byte
  105. for j := range tweak {
  106. carryOut := tweak[j] >> 7
  107. tweak[j] = (tweak[j] << 1) + carryIn
  108. carryIn = carryOut
  109. }
  110. if carryIn != 0 {
  111. // If we have a carry bit then we need to subtract a multiple
  112. // of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
  113. // By dropping the carry bit, we're subtracting the x^128 term
  114. // so all that remains is to subtract x⁷ + x² + x + 1.
  115. // Subtraction (and addition) in this representation is just
  116. // XOR.
  117. tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
  118. }
  119. }