poly1305_nostd/

lib.rs

//! Pure-Rust Poly1305 Message Authentication Code
//!
//! Implements Poly1305-AES one-time authenticator (RFC 8439).
//! This is a faithful translation of poly1305-donna by Andrew Moon.
//! Avoids LLVM SIMD issues on x86_64-unknown-none bare-metal targets.
//!
//! Properties:
//! - 128-bit authentication tag
//! - One-time MAC (key must be unique per message)
//! - Constant-time operation (no secret-dependent branches)
//! - ~10 cycles/byte on modern x86_64
//!
//! Algorithm:
//! 1. Clamp the 'r' portion of the key
//! 2. Process message in 16-byte blocks
//! 3. Accumulate: a = ((a + block) * r) mod (2^130 - 5)
//! 4. Add 's' portion of key: tag = (a + s) mod 2^128

#![no_std]
#![forbid(unsafe_code)]

const POLY1305_BLOCK_SIZE: usize = 16;

/// Poly1305 MAC state (using 32bit * 32bit = 64bit multiplication)
pub struct Poly1305 {
    r: [u32; 5],               // Clamped r key (130 bits in 26-bit limbs)
    h: [u32; 5],               // Accumulator (130 bits in 26-bit limbs)
    pad: [u32; 4],             // Secret pad (s) for final addition
    leftover: usize,           // Bytes in buffer
    buffer: [u8; 16],          // Partial block buffer
    final_block: bool,         // Whether we're processing the final block
}

/// Interpret four 8-bit unsigned integers as a 32-bit unsigned integer in little endian
#[inline]
fn u8to32(p: &[u8]) -> u32 {
    (p[0] as u32) |
    ((p[1] as u32) << 8) |
    ((p[2] as u32) << 16) |
    ((p[3] as u32) << 24)
}

/// Store a 32-bit unsigned integer as four 8-bit unsigned integers in little endian
#[inline]
fn u32to8(p: &mut [u8], v: u32) {
    p[0] = (v) as u8;
    p[1] = (v >> 8) as u8;
    p[2] = (v >> 16) as u8;
    p[3] = (v >> 24) as u8;
}

impl Poly1305 {
    /// Create a new Poly1305 instance from a 32-byte key
    ///
    /// Key format: [r (16 bytes) || s (16 bytes)]
    /// - r: clamped and used as multiplication key
    /// - s: added to final accumulator
    pub fn new(key: &[u8; 32]) -> Self {
        // r &= 0xffffffc0ffffffc0ffffffc0fffffff
        // Extract r in 26-bit limbs with proper clamping
        let r0 = (u8to32(&key[0..])) & 0x3ffffff;
        let r1 = (u8to32(&key[3..]) >> 2) & 0x3ffff03;
        let r2 = (u8to32(&key[6..]) >> 4) & 0x3ffc0ff;
        let r3 = (u8to32(&key[9..]) >> 6) & 0x3f03fff;
        let r4 = (u8to32(&key[12..]) >> 8) & 0x00fffff;

        // Extract pad (s)
        let pad0 = u8to32(&key[16..]);
        let pad1 = u8to32(&key[20..]);
        let pad2 = u8to32(&key[24..]);
        let pad3 = u8to32(&key[28..]);

        Self {
            r: [r0, r1, r2, r3, r4],
            h: [0, 0, 0, 0, 0],
            pad: [pad0, pad1, pad2, pad3],
            leftover: 0,
            buffer: [0u8; 16],
            final_block: false,
        }
    }

    /// Process multiple complete 16-byte blocks
    fn blocks(&mut self, m: &[u8], bytes: usize) {
        let hibit = if self.final_block { 0 } else { 1u32 << 24 }; // 1 << 128

        let r0 = self.r[0];
        let r1 = self.r[1];
        let r2 = self.r[2];
        let r3 = self.r[3];
        let r4 = self.r[4];

        let s1 = r1 * 5;
        let s2 = r2 * 5;
        let s3 = r3 * 5;
        let s4 = r4 * 5;

        let mut h0 = self.h[0];
        let mut h1 = self.h[1];
        let mut h2 = self.h[2];
        let mut h3 = self.h[3];
        let mut h4 = self.h[4];

        let mut offset = 0;
        while offset + POLY1305_BLOCK_SIZE <= bytes {
            // h += m[i] (add message block to accumulator in 26-bit limbs)
            h0 += (u8to32(&m[offset..])) & 0x3ffffff;
            h1 += (u8to32(&m[offset + 3..]) >> 2) & 0x3ffffff;
            h2 += (u8to32(&m[offset + 6..]) >> 4) & 0x3ffffff;
            h3 += (u8to32(&m[offset + 9..]) >> 6) & 0x3ffffff;
            h4 += (u8to32(&m[offset + 12..]) >> 8) | hibit;

            // h *= r (multiply accumulator by r, with modular reduction)
            let d0 = (h0 as u64 * r0 as u64) + (h1 as u64 * s4 as u64) + (h2 as u64 * s3 as u64) + (h3 as u64 * s2 as u64) + (h4 as u64 * s1 as u64);
            let d1 = (h0 as u64 * r1 as u64) + (h1 as u64 * r0 as u64) + (h2 as u64 * s4 as u64) + (h3 as u64 * s3 as u64) + (h4 as u64 * s2 as u64);
            let d2 = (h0 as u64 * r2 as u64) + (h1 as u64 * r1 as u64) + (h2 as u64 * r0 as u64) + (h3 as u64 * s4 as u64) + (h4 as u64 * s3 as u64);
            let d3 = (h0 as u64 * r3 as u64) + (h1 as u64 * r2 as u64) + (h2 as u64 * r1 as u64) + (h3 as u64 * r0 as u64) + (h4 as u64 * s4 as u64);
            let d4 = (h0 as u64 * r4 as u64) + (h1 as u64 * r3 as u64) + (h2 as u64 * r2 as u64) + (h3 as u64 * r1 as u64) + (h4 as u64 * r0 as u64);

            // (partial) h %= p (carry propagation)
            let mut c: u32;
            c = (d0 >> 26) as u32; h0 = (d0 as u32) & 0x3ffffff;
            let d1 = d1 + c as u64; c = (d1 >> 26) as u32; h1 = (d1 as u32) & 0x3ffffff;
            let d2 = d2 + c as u64; c = (d2 >> 26) as u32; h2 = (d2 as u32) & 0x3ffffff;
            let d3 = d3 + c as u64; c = (d3 >> 26) as u32; h3 = (d3 as u32) & 0x3ffffff;
            let d4 = d4 + c as u64; c = (d4 >> 26) as u32; h4 = (d4 as u32) & 0x3ffffff;
            h0 += c * 5; c = h0 >> 26; h0 &= 0x3ffffff;
            h1 += c;

            offset += POLY1305_BLOCK_SIZE;
        }

        self.h[0] = h0;
        self.h[1] = h1;
        self.h[2] = h2;
        self.h[3] = h3;
        self.h[4] = h4;
    }

    /// Update MAC with more data
    pub fn update(&mut self, data: &[u8]) {
        let mut m = data;
        let mut bytes = data.len();

        // Handle leftover from previous update
        if self.leftover > 0 {
            let want = core::cmp::min(POLY1305_BLOCK_SIZE - self.leftover, bytes);
            for i in 0..want {
                self.buffer[self.leftover + i] = m[i];
            }
            bytes -= want;
            m = &m[want..];
            self.leftover += want;

            if self.leftover < POLY1305_BLOCK_SIZE {
                return;
            }

            let buffer_copy = self.buffer;
            self.blocks(&buffer_copy, POLY1305_BLOCK_SIZE);
            self.leftover = 0;
        }

        // Process full blocks
        if bytes >= POLY1305_BLOCK_SIZE {
            let want = bytes & !(POLY1305_BLOCK_SIZE - 1);
            self.blocks(m, want);
            m = &m[want..];
            bytes -= want;
        }

        // Store leftover
        if bytes > 0 {
            for i in 0..bytes {
                self.buffer[self.leftover + i] = m[i];
            }
            self.leftover += bytes;
        }
    }

    /// Finalize and return 16-byte authentication tag
    pub fn finalize(mut self) -> [u8; 16] {
        // Process the remaining block (if any)
        if self.leftover > 0 {
            let mut i = self.leftover;
            self.buffer[i] = 1;
            i += 1;
            while i < POLY1305_BLOCK_SIZE {
                self.buffer[i] = 0;
                i += 1;
            }
            self.final_block = true;
            self.blocks(&self.buffer.clone(), POLY1305_BLOCK_SIZE);
        }

        // Fully carry h
        let mut h0 = self.h[0];
        let mut h1 = self.h[1];
        let mut h2 = self.h[2];
        let mut h3 = self.h[3];
        let mut h4 = self.h[4];

        let mut c: u32;
        c = h1 >> 26; h1 &= 0x3ffffff;
        h2 += c; c = h2 >> 26; h2 &= 0x3ffffff;
        h3 += c; c = h3 >> 26; h3 &= 0x3ffffff;
        h4 += c; c = h4 >> 26; h4 &= 0x3ffffff;
        h0 += c * 5; c = h0 >> 26; h0 &= 0x3ffffff;
        h1 += c;

        // Compute h + -p
        let mut g0 = h0.wrapping_add(5); c = g0 >> 26; g0 &= 0x3ffffff;
        let mut g1 = h1.wrapping_add(c); c = g1 >> 26; g1 &= 0x3ffffff;
        let mut g2 = h2.wrapping_add(c); c = g2 >> 26; g2 &= 0x3ffffff;
        let mut g3 = h3.wrapping_add(c); c = g3 >> 26; g3 &= 0x3ffffff;
        let mut g4 = h4.wrapping_add(c).wrapping_sub(1u32 << 26);

        // Select h if h < p, or h + -p if h >= p
        let mut mask = (g4 >> ((core::mem::size_of::<u32>() * 8) - 1)).wrapping_sub(1);
        g0 &= mask;
        g1 &= mask;
        g2 &= mask;
        g3 &= mask;
        g4 &= mask;
        mask = !mask;
        h0 = (h0 & mask) | g0;
        h1 = (h1 & mask) | g1;
        h2 = (h2 & mask) | g2;
        h3 = (h3 & mask) | g3;
        h4 = (h4 & mask) | g4;

        // h = h % (2^128) (pack back into 32-bit words)
        h0 = ((h0) | (h1 << 26)) & 0xffffffff;
        h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
        h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
        h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;

        // mac = (h + pad) % (2^128)
        let mut f: u64;
        f = h0 as u64 + self.pad[0] as u64; h0 = f as u32;
        f = h1 as u64 + self.pad[1] as u64 + (f >> 32); h1 = f as u32;
        f = h2 as u64 + self.pad[2] as u64 + (f >> 32); h2 = f as u32;
        f = h3 as u64 + self.pad[3] as u64 + (f >> 32); h3 = f as u32;

        let mut mac = [0u8; 16];
        u32to8(&mut mac[0..], h0);
        u32to8(&mut mac[4..], h1);
        u32to8(&mut mac[8..], h2);
        u32to8(&mut mac[12..], h3);

        mac
    }

    /// One-shot MAC computation
    pub fn mac(key: &[u8; 32], data: &[u8]) -> [u8; 16] {
        let mut poly = Self::new(key);
        poly.update(data);
        poly.finalize()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_poly1305_rfc8439_vector1() {
        // RFC 8439 Section 2.5.2 Test Vector #1
        let key = [
            0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
            0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
            0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
            0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b,
        ];

        let msg = b"Cryptographic Forum Research Group";

        let expected = [
            0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
            0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9,
        ];

        let tag = Poly1305::mac(&key, msg);
        assert_eq!(tag, expected);
    }

    #[test]
    fn test_poly1305_empty() {
        let key = [0x42u8; 32];
        let tag = Poly1305::mac(&key, &[]);
        // Empty message should produce deterministic tag
        assert_eq!(tag.len(), 16);
    }

    #[test]
    fn test_poly1305_incremental() {
        let key = [0x42u8; 32];
        let msg = b"Hello, World!";

        // One-shot
        let tag1 = Poly1305::mac(&key, msg);

        // Incremental
        let mut poly = Poly1305::new(&key);
        poly.update(b"Hello, ");
        poly.update(b"World!");
        let tag2 = poly.finalize();

        assert_eq!(tag1, tag2);
    }

    #[test]
    fn test_poly1305_different_keys() {
        let key1 = [0x42u8; 32];
        let key2 = [0x43u8; 32];
        let msg = b"Same message";

        let tag1 = Poly1305::mac(&key1, msg);
        let tag2 = Poly1305::mac(&key2, msg);

        // Different keys should produce different tags
        assert_ne!(tag1, tag2);
    }
}