Squashed 'src/crypto/ctaes/' content from commit cd3c3ac

git-subtree-dir: src/crypto/ctaes
git-subtree-split: cd3c3ac31fac41cc253bf5780b55ecd8d7368545

Author: sipa

COPYING

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Pieter Wuille
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,41 @@
+ctaes
+=====
+
+Simple C module for constant-time AES encryption and decryption.
+
+Features:
+* Simple, pure C code without any dependencies.
+* No tables or data-dependent branches whatsoever, but using bit sliced approach from https://eprint.iacr.org/2009/129.pdf.
+* Very small object code: slightly over 4k of executable code when compiled with -Os.
+* Slower than implementations based on precomputed tables or specialized instructions, but can do ~15 MB/s on modern CPUs.
+
+Performance
+-----------
+
+Compiled with GCC 5.3.1 with -O3, on an Intel(R) Core(TM) i7-4800MQ CPU, numbers in CPU cycles:
+
+| Algorithm | Key schedule | Encryption per byte | Decryption per byte |
+| --------- | ------------:| -------------------:| -------------------:|
+| AES-128   |         2.8k |                 154 |                 161 |
+| AES-192   |         3.1k |                 169 |                 181 |
+| AES-256   |         4.0k |                 191 |                 203 |
+
+Build steps
+-----------
+
+Object code:
+
+    $ gcc -O3 ctaes.c -c -o ctaes.o
+
+Tests:
+
+    $ gcc -O3 ctaes.c test.c -o test
+
+Benchmark:
+
+    $ gcc -O3 ctaes.c bench.c -o bench
+
+Review
+------
+
+Results of a formal review of the code can be found in http://bitcoin.sipa.be/ctaes/review.zip

bench.c

@@ -0,0 +1,170 @@
+#include <stdio.h>
+#include <math.h>
+#include "sys/time.h"
+
+#include "ctaes.h"
+
+static double gettimedouble(void) {
+    struct timeval tv;
+    gettimeofday(&tv, NULL);
+    return tv.tv_usec * 0.000001 + tv.tv_sec;
+}
+
+static void print_number(double x) {
+    double y = x;
+    int c = 0;
+    if (y < 0.0) {
+        y = -y;
+    }
+    while (y < 100.0) {
+        y *= 10.0;
+        c++;
+    }
+    printf("%.*f", c, x);
+}
+
+static void run_benchmark(char *name, void (*benchmark)(void*), void (*setup)(void*), void (*teardown)(void*), void* data, int count, int iter) {
+    int i;
+    double min = HUGE_VAL;
+    double sum = 0.0;
+    double max = 0.0;
+    for (i = 0; i < count; i++) {
+        double begin, total;
+        if (setup != NULL) {
+            setup(data);
+        }
+        begin = gettimedouble();
+        benchmark(data);
+        total = gettimedouble() - begin;
+        if (teardown != NULL) {
+            teardown(data);
+        }
+        if (total < min) {
+            min = total;
+        }
+        if (total > max) {
+            max = total;
+        }
+        sum += total;
+    }
+    printf("%s: min ", name);
+    print_number(min * 1000000000.0 / iter);
+    printf("ns / avg ");
+    print_number((sum / count) * 1000000000.0 / iter);
+    printf("ns / max ");
+    print_number(max * 1000000000.0 / iter);
+    printf("ns\n");
+}
+
+static void bench_AES128_init(void* data) {
+    AES128_ctx* ctx = (AES128_ctx*)data;
+    int i;
+    for (i = 0; i < 50000; i++) {
+        AES128_init(ctx, (unsigned char*)ctx);
+    }
+}
+
+static void bench_AES128_encrypt_setup(void* data) {
+    AES128_ctx* ctx = (AES128_ctx*)data;
+    static const unsigned char key[16] = {0};
+    AES128_init(ctx, key);
+}
+
+static void bench_AES128_encrypt(void* data) {
+    const AES128_ctx* ctx = (const AES128_ctx*)data;
+    unsigned char scratch[16] = {0};
+    int i;
+    for (i = 0; i < 4000000 / 16; i++) {
+        AES128_encrypt(ctx, 1, scratch, scratch);
+    }
+}
+
+static void bench_AES128_decrypt(void* data) {
+    const AES128_ctx* ctx = (const AES128_ctx*)data;
+    unsigned char scratch[16] = {0};
+    int i;
+    for (i = 0; i < 4000000 / 16; i++) {
+        AES128_decrypt(ctx, 1, scratch, scratch);
+    }
+}
+
+static void bench_AES192_init(void* data) {
+    AES192_ctx* ctx = (AES192_ctx*)data;
+    int i;
+    for (i = 0; i < 50000; i++) {
+        AES192_init(ctx, (unsigned char*)ctx);
+    }
+}
+
+static void bench_AES192_encrypt_setup(void* data) {
+    AES192_ctx* ctx = (AES192_ctx*)data;
+    static const unsigned char key[16] = {0};
+    AES192_init(ctx, key);
+}
+
+static void bench_AES192_encrypt(void* data) {
+    const AES192_ctx* ctx = (const AES192_ctx*)data;
+    unsigned char scratch[16] = {0};
+    int i;
+    for (i = 0; i < 4000000 / 16; i++) {
+        AES192_encrypt(ctx, 1, scratch, scratch);
+    }
+}
+
+static void bench_AES192_decrypt(void* data) {
+    const AES192_ctx* ctx = (const AES192_ctx*)data;
+    unsigned char scratch[16] = {0};
+    int i;
+    for (i = 0; i < 4000000 / 16; i++) {
+        AES192_decrypt(ctx, 1, scratch, scratch);
+    }
+}
+
+static void bench_AES256_init(void* data) {
+    AES256_ctx* ctx = (AES256_ctx*)data;
+    int i;
+    for (i = 0; i < 50000; i++) {
+        AES256_init(ctx, (unsigned char*)ctx);
+    }
+}
+
+
+static void bench_AES256_encrypt_setup(void* data) {
+    AES256_ctx* ctx = (AES256_ctx*)data;
+    static const unsigned char key[16] = {0};
+    AES256_init(ctx, key);
+}
+
+static void bench_AES256_encrypt(void* data) {
+    const AES256_ctx* ctx = (const AES256_ctx*)data;
+    unsigned char scratch[16] = {0};
+    int i;
+    for (i = 0; i < 4000000 / 16; i++) {
+        AES256_encrypt(ctx, 1, scratch, scratch);
+    }
+}
+
+static void bench_AES256_decrypt(void* data) {
+    const AES256_ctx* ctx = (const AES256_ctx*)data;
+    unsigned char scratch[16] = {0};
+    int i;
+    for (i = 0; i < 4000000 / 16; i++) {
+        AES256_decrypt(ctx, 1, scratch, scratch);
+    }
+}
+
+int main(void) {
+    AES128_ctx ctx128;
+    AES192_ctx ctx192;
+    AES256_ctx ctx256;
+    run_benchmark("aes128_init", bench_AES128_init, NULL, NULL, &ctx128, 20, 50000);
+    run_benchmark("aes128_encrypt_byte", bench_AES128_encrypt, bench_AES128_encrypt_setup, NULL, &ctx128, 20, 4000000);
+    run_benchmark("aes128_decrypt_byte", bench_AES128_decrypt, bench_AES128_encrypt_setup, NULL, &ctx128, 20, 4000000);
+    run_benchmark("aes192_init", bench_AES192_init, NULL, NULL, &ctx192, 20, 50000);
+    run_benchmark("aes192_encrypt_byte", bench_AES192_encrypt, bench_AES192_encrypt_setup, NULL, &ctx192, 20, 4000000);
+    run_benchmark("aes192_decrypt_byte", bench_AES192_decrypt, bench_AES192_encrypt_setup, NULL, &ctx192, 20, 4000000);
+    run_benchmark("aes256_init", bench_AES256_init, NULL, NULL, &ctx256, 20, 50000);
+    run_benchmark("aes256_encrypt_byte", bench_AES256_encrypt, bench_AES256_encrypt_setup, NULL, &ctx256, 20, 4000000);
+    run_benchmark("aes256_decrypt_byte", bench_AES256_decrypt, bench_AES256_encrypt_setup, NULL, &ctx256, 20, 4000000);
+    return 0;
+}