
     1  package common
     2  
     3  import (
     4  	"crypto/aes"
     5  	"crypto/cipher"
     6  	"encoding/binary"
     7  )
     8  
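// AesStream is an AES CTR keystream used as a replacement for SHAKE in
// Dilithium[1234]-AES.
//
// Every keystream block is the AES encryption of a 16-byte input block whose
// first two bytes hold nonce (little-endian), whose bytes 2–7 are zero and
// whose bytes 8–15 hold the running block counter (big-endian).  The zero
// value has no cipher and is unusable; construct with NewAesStream128 or
// NewAesStream256.
type AesStream struct {
	c       cipher.Block // block cipher keyed from the seed; never nil after construction
	counter uint64       // index of the next keystream block to produce
	nonce   uint16       // domain-separation nonce written into the first two bytes of each block
}

// NewAesStream128 creates a new AesStream as a replacement of SHAKE128.
// (Note that not all occurrences of SHAKE are replaced by AES in the
// AES-variants.)
//
// All 32 bytes of key are used, so the underlying block cipher is AES-256.
func NewAesStream128(key *[32]byte, nonce uint16) AesStream {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		// aes.NewCipher only rejects an invalid key length, and the array
		// type fixes the length at 32; failing loudly here is better than
		// returning a stream with a nil cipher that panics on first use.
		panic("common: aes.NewCipher: " + err.Error())
	}
	return AesStream{c: c, nonce: nonce}
}

// NewAesStream256 creates a new AesStream as a replacement of SHAKE256.
// (Note that not all occurrences of SHAKE are replaced by AES in the
// AES-variants.)
//
// Only the first 32 bytes of key are used, so the underlying block cipher is
// still AES-256.  Yes, in an AES mode, Dilithium throws away the last 32
// bytes of a seed ... See the remark at the end of the caption of Figure 4
// in the Round 2 spec.
func NewAesStream256(key *[64]byte, nonce uint16) AesStream {
	c, err := aes.NewCipher(key[:32])
	if err != nil {
		// Same reasoning as NewAesStream128: a 32-byte key is always a valid
		// AES key length, so an error here indicates a broken crypto/aes.
		panic("common: aes.NewCipher: " + err.Error())
	}
	return AesStream{c: c, nonce: nonce}
}

// SqueezeInto fills buf with the next len(buf) bytes of the AES CTR keystream.
//
// Whole 16-byte blocks are encrypted straight into buf.  A trailing partial
// block (len(buf) not a multiple of 16) is generated into a scratch block and
// its leading bytes copied out, so the stream position advances by one block
// per started block.  Callers that pass multiples of 16 see exactly the
// previous behaviour; an empty buf is a no-op.
func (s *AesStream) SqueezeInto(buf []byte) {
	var in, out [aes.BlockSize]byte
	binary.LittleEndian.PutUint16(in[:], s.nonce)

	for len(buf) >= aes.BlockSize {
		binary.BigEndian.PutUint64(in[8:], s.counter)
		s.counter++
		s.c.Encrypt(buf[:aes.BlockSize], in[:])
		buf = buf[aes.BlockSize:]
	}

	if len(buf) > 0 {
		// Partial block: Encrypt requires a full 16-byte destination, so go
		// through a scratch block instead of indexing past the end of buf.
		binary.BigEndian.PutUint64(in[8:], s.counter)
		s.counter++
		s.c.Encrypt(out[:], in[:])
		copy(buf, out[:])
	}
}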
    47  
