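/*
 * Serpent-256-GCM.h - Serpent-256-GCM Interface
 *
 * Compliant with:
 * - Serpent specification (AES finalist)
 * - NIST SP 800-38D (GCM mode)
 *
 * Security Features:
 * - 32 rounds for maximum security margin
 * - 256-bit key size
 * - Authenticated encryption (GCM)
 * - PCLMULQDQ acceleration for GHASH
 * - Conservative design (no known attacks)
 *
 * Portability: this header includes <immintrin.h> and embeds __m128i in the
 * context, so it can only be compiled for x86/x86-64 targets.
 */

#ifndef SERPENT_256_GCM_H
#define SERPENT_256_GCM_H

#include <stddef.h>     /* size_t */
#include <stdint.h>
#include <stdlib.h>
#include <immintrin.h>  /* __m128i */

#ifdef __cplusplus
extern "C" {
#endif

/* Serpent constants */
#define SERPENT_ROUNDS 32          /* full Serpent round count */
#define SERPENT_KEY_SIZE 32        /* key length in bytes (256 bits) */
#define SERPENT_BLOCK_SIZE 16      /* block length in bytes (128 bits) */
#define SERPENT_GCM_IV_SIZE 12     /* 96-bit IV, the length SP 800-38D recommends */
#define SERPENT_GCM_TAG_SIZE 16    /* full 128-bit GCM tag */

/*
 * Serpent key schedule structure.
 * Holds the expanded key: SERPENT_ROUNDS + 1 subkeys of 128 bits each.
 * Contains key material; never log, copy to untrusted memory, or leave
 * behind without serpent_gcm_cleanup().
 */
typedef struct {
    uint32_t subkeys[SERPENT_ROUNDS + 1][4]; /* 33 subkeys of 128 bits */
} serpent_key_schedule;

/*
 * Serpent-GCM context.
 *
 * Caller-owned; filled in by serpent_gcm_init() and wiped by
 * serpent_gcm_cleanup(). Because it embeds __m128i members the structure
 * requires 16-byte alignment: automatic/static storage is fine, and heap
 * allocation must come from an allocator that guarantees 16-byte alignment
 * (e.g. aligned_alloc / posix_memalign) — a misaligned context is undefined
 * behaviour when the SSE code touches H or H_powers.
 *
 * H and H_powers are derived from the key (presumably H = E_K(0^128) as in
 * SP 800-38D, with H_powers holding H^1..H^8 for a multi-block GHASH) — verify
 * against the implementation before depending on the exact layout.
 */
typedef struct {
    serpent_key_schedule key_schedule;
    __m128i H;              /* Hash subkey */
    __m128i H_powers[8];    /* Precomputed powers for GHASH */
} serpent_gcm_context;

/**
 * Initialize Serpent-256-GCM context
 *
 * @param ctx Pointer to context structure (caller-allocated, 16-byte aligned)
 * @param key 256-bit (32 byte) encryption key; exactly SERPENT_KEY_SIZE bytes
 *            are read
 * @return 0 on success, -1 on error
 *
 * Security: Requires PCLMULQDQ for GHASH acceleration
 *
 * NOTE(review): which conditions yield -1 (NULL arguments, missing CPU
 * support) is not specified here — confirm against the implementation and
 * treat -1 as "context unusable" regardless.
 */
int serpent_gcm_init(serpent_gcm_context *ctx, const uint8_t *key);

/**
 * Serpent-256-GCM Encryption
 *
 * @param ctx Initialized context
 * @param iv Initialization vector (recommended 12 bytes)
 * @param iv_len IV length in bytes
 * @param aad Additional authenticated data (can be NULL)
 * @param aad_len AAD length in bytes
 * @param plaintext Input plaintext
 * @param pt_len Plaintext length in bytes
 * @param ciphertext Output ciphertext buffer (must be pt_len bytes)
 * @param tag Output authentication tag (must be tag_len bytes)
 * @param tag_len Tag length in bytes (recommend 16)
 * @return 0 on success, -1 on error
 *
 * Security Notes:
 * - NEVER reuse IV with the same key
 * - Use random 96-bit IV for each encryption
 * - Serpent provides high security margin (32 rounds)
 * - Slower than AES but more conservative design
 * - tag_len cannot exceed SERPENT_GCM_TAG_SIZE; shorter tags reduce forgery
 *   resistance, so use the full 16 bytes unless a protocol dictates otherwise
 *
 * NOTE(review): whether an IV length other than SERPENT_GCM_IV_SIZE is
 * accepted (via the GHASH-based IV derivation of SP 800-38D) and whether
 * ciphertext may alias plaintext for in-place encryption are not stated here
 * — confirm with the implementation before relying on either.
 */
int serpent_gcm_encrypt(serpent_gcm_context *ctx,
                        const uint8_t *iv, size_t iv_len,
                        const uint8_t *aad, size_t aad_len,
                        const uint8_t *plaintext, size_t pt_len,
                        uint8_t *ciphertext,
                        uint8_t *tag, size_t tag_len);

/**
 * Serpent-256-GCM Decryption
 *
 * @param ctx Initialized context
 * @param iv Initialization vector (same value and length used at encryption)
 * @param iv_len IV length in bytes
 * @param aad Additional authenticated data (must match encryption)
 * @param aad_len AAD length in bytes
 * @param ciphertext Input ciphertext
 * @param ct_len Ciphertext length in bytes
 * @param tag Authentication tag from encryption
 * @param tag_len Tag length in bytes (must match the length used at encryption)
 * @param plaintext Output plaintext buffer (must be ct_len bytes)
 * @return 0 on success, -1 on authentication failure
 *
 * Security Notes:
 * - Returns -1 if authentication tag doesn't match
 * - Plaintext is NOT valid if function returns -1
 * - Constant-time tag comparison
 * - MUST verify return value before using plaintext
 * - On -1 the plaintext buffer may already contain unauthenticated output;
 *   discard it (and zero it if the buffer is long-lived) rather than parsing
 *   or forwarding any part of it
 */
int serpent_gcm_decrypt(serpent_gcm_context *ctx,
                        const uint8_t *iv, size_t iv_len,
                        const uint8_t *aad, size_t aad_len,
                        const uint8_t *ciphertext, size_t ct_len,
                        const uint8_t *tag, size_t tag_len,
                        uint8_t *plaintext);

/**
 * Clean up context (zeros sensitive data)
 *
 * @param ctx Context to clean
 *
 * Security: Call this to ensure key material is zeroed from memory
 *
 * After cleanup the context holds no usable key material; call
 * serpent_gcm_init() again before any further encrypt/decrypt. Storage for
 * the context itself is still owned and released by the caller.
 */
void serpent_gcm_cleanup(serpent_gcm_context *ctx);

#ifdef __cplusplus
}
#endif

#endif /* SERPENT_256_GCM_H */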