miscreant 0.0.0 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c3b2740135b6e13589326c9b8f2c926edff86516
-  data.tar.gz: b4327cc7c72ce38aaec0208f967c67fdceb2508f
+  metadata.gz: 23230bd423fada7ae6bfceeafeb1bff7133e8e75
+  data.tar.gz: 3dc5b9db54803f64f9e58a87a4ac89370e785b2e
 SHA512:
-  metadata.gz: b24730c57fd7ef67a4e7699a63c05454875ffec00366212a31445111525b7fbd953d122f8ff88e1871e0f7caee792780394382b7b9021fb9a83772fbf8d2ad6f
-  data.tar.gz: ceafedfa57c9b6d6ca7a72d8d50e31041af4d9c5113ea7e2d6482ef49a456914411138d6a75f43f5f67340f8aed5fe71bac0a5bbe7581734c2379681e3e1cf15
+  metadata.gz: c53969bd291002daf380591ee6547c49fa24e86e7b3e9c3fdb5c4575cbfa049a1db141af95f447dc8e4bf5a35a9acd053138a4cea1ee940c635cb44e2b0d50a9
+  data.tar.gz: 45871b8499fbf30d1090a4f45a31eaf6d54583f7e458013c701597a7ec28c2d7df8aac80b94adf717baf1b2b64a9233dc77fd7294595e744b948ae08df7c92c7

data/README.md

@@ -1,4 +1,4 @@
-# miscreant.rb [![Latest Version][gem-shield]][gem-link] [![Build Status][build-image]][build-link] [![Code Climate][codeclimate-image]][codeclimate-link] [![MIT licensed][license-image]][license-link]
+# miscreant.rb [![Latest Version][gem-shield]][gem-link] [![Build Status][build-image]][build-link] [![Code Climate][codeclimate-image]][codeclimate-link] [![MIT licensed][license-image]][license-link] [![Gitter Chat][gitter-image]][gitter-link]
 
 [gem-shield]: https://badge.fury.io/rb/miscreant.svg
 [gem-link]: https://rubygems.org/gems/miscreant
@@ -8,11 +8,13 @@
 [codeclimate-link]: https://codeclimate.com/github/miscreant/miscreant
 [license-image]: https://img.shields.io/badge/license-MIT-blue.svg
 [license-link]: https://github.com/miscreant/miscreant/blob/master/LICENSE.txt
+[gitter-image]: https://badges.gitter.im/badge.svg
+[gitter-link]: https://gitter.im/miscreant/Lobby
 
 > The best crypto you've never heard of, brought to you by [Phil Rogaway]
 
 Ruby implementation of **Miscreant**: Advanced symmetric encryption using the
-AES-SIV ([RFC 5297]) and [CHAIN] constructions, providing easy-to-use (or
+AES-SIV ([RFC 5297]) and [CHAIN/STREAM] constructions, providing easy-to-use (or
 rather, hard-to-misuse) encryption of individual messages or message streams.
 
 **AES-SIV** provides [nonce-reuse misuse-resistance] (NRMR): accidentally
@@ -28,7 +30,7 @@ For more information, see the [toplevel README.md].
 [Phil Rogaway]: https://en.wikipedia.org/wiki/Phillip_Rogaway
 [AES-SIV]: https://www.iacr.org/archive/eurocrypt2006/40040377/40040377.pdf
 [RFC 5297]: https://tools.ietf.org/html/rfc5297
-[CHAIN]: http://web.cs.ucdavis.edu/~rogaway/papers/oae.pdf
+[CHAIN/STREAM]: http://web.cs.ucdavis.edu/~rogaway/papers/oae.pdf
 [nonce-reuse misuse-resistance]: https://www.lvh.io/posts/nonce-misuse-resistance-101.html
 [AES-GCM]: https://en.wikipedia.org/wiki/Galois/Counter_Mode
 [chosen ciphertext attacks]: https://en.wikipedia.org/wiki/Chosen-ciphertext_attack
@@ -39,11 +41,11 @@ For more information, see the [toplevel README.md].
 Have questions? Want to suggest a feature or change?
 
 * [Gitter]: web-based chat about miscreant projects including **miscreant.rb**
-* [Google Group]: join via web or email ([miscreant+subscribe@googlegroups.com])
+* [Google Group]: join via web or email ([miscreant-crypto+subscribe@googlegroups.com])
 
 [Gitter]: https://gitter.im/miscreant/Lobby
-[Google Group]: https://groups.google.com/forum/#!forum/miscreant
-[miscreant+subscribe@googlegroups.com]: mailto:miscreant+subscribe@googlegroups.com
+[Google Group]: https://groups.google.com/forum/#!forum/miscreant-crypto
+[miscreant-crypto+subscribe@googlegroups.com]: mailto:miscreant-crypto+subscribe@googlegroups.com?subject=subscribe
 
 ## Security Notice
 
@@ -135,8 +137,8 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/miscre
 
 ## Copyright
 
-Copyright (c) 2013-2017 John Downey, [The Miscreant Developers][AUTHORS].
+Copyright (c) 2017 [The Miscreant Developers][AUTHORS].
 See [LICENSE.txt] for further details.
 
 [AUTHORS]: https://github.com/miscreant/miscreant/blob/master/AUTHORS.md
-[LICENSE.txt]: https://github.com/miscreant/miscreant/blob/master/ruby/LICENSE.txt
+[LICENSE.txt]: https://github.com/miscreant/miscreant/blob/master/LICENSE.txt

data/lib/miscreant.rb

@@ -4,13 +4,9 @@ require "openssl"
 require "securerandom"
 
 require "miscreant/version"
+require "miscreant/internals"
 
-require "miscreant/aes"
-require "miscreant/aes/siv"
-require "miscreant/aes/cmac"
-require "miscreant/util"
-
-# Misuse-resistant symmetric encryption using the AES-SIV (RFC 5297) and CHAIN constructions
+# Miscreant: A misuse-resistant symmetric encryption library
 module Miscreant
   # Parent of all cryptography-related errors
   CryptoError = Class.new(StandardError)

data/lib/miscreant/internals.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "miscreant/internals/aes"
+require "miscreant/internals/aes/siv"
+require "miscreant/internals/aes/cmac"
+require "miscreant/internals/util"
+
+module Miscreant
+  # Internal functionality not intended for direct consumption
+  module Internals # :nodoc:
+  end
+end

data/lib/miscreant/internals/aes.rb

@@ -0,0 +1,15 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module Miscreant
+  module Internals
+    # The Advanced Encryption Standard Block Cipher
+    module AES # :nodoc:
+      # Size of an AES block (i.e. input/output from the AES function)
+      BLOCK_SIZE = 16
+
+      # A bytestring of all zeroes, the same length as an AES block
+      ZERO_BLOCK = ("\0" * BLOCK_SIZE).freeze
+    end
+  end
+end

data/lib/miscreant/internals/aes/cmac.rb

@@ -0,0 +1,79 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module Miscreant
+  module Internals
+    module AES
+      # The AES-CMAC message authentication code
+      class CMAC # :nodoc:
+        # Create a new AES-CMAC instance
+        #
+        # @param key [String] 16-byte or 32-byte Encoding::BINARY cryptographic key
+        #
+        # @return [Miscreant::AES::CMAC] new AES-CMAC instance
+        def initialize(key)
+          raise TypeError, "expected String, got #{key.class}" unless key.is_a?(String)
+          raise ArgumentError, "key must be Encoding::BINARY" unless key.encoding == Encoding::BINARY
+          raise ArgumentError, "key must be 32 or 64 bytes" unless [16, 32].include?(key.length)
+
+          # The only valid use of ECB mode: constructing higher-level cryptographic primitives
+          @cipher = OpenSSL::Cipher.new("AES-#{key.length * 8}-ECB")
+          @cipher.encrypt
+          @cipher.padding = 0
+          @cipher.key = key
+          @key1, @key2 = _generate_subkeys
+        end
+
+        # Inspect this AES-CMAC instance
+        #
+        # @return [String] description of this instance
+        def inspect
+          to_s
+        end
+
+        # Compute the AES-CMAC of the given input message in a single shot,
+        # outputting the MAC tag.
+        #
+        # Unlike other AES-CMAC implementations, this one does not support
+        # incremental processing/IUF operation. (Though that would enable
+        # slightly more efficient decryption for AES-SIV)
+        #
+        # @param message [String] an Encoding::BINARY string to authenticate
+        #
+        # @return [String] CMAC tag
+        def digest(message)
+          raise TypeError, "expected String, got #{message.class}" unless message.is_a?(String)
+          raise ArgumentError, "message must be Encoding::BINARY" unless message.encoding == Encoding::BINARY
+
+          if message.empty? || message.length % AES::BLOCK_SIZE != 0
+            message = Util.pad(message, AES::BLOCK_SIZE)
+            final_block = @key2
+          else
+            final_block = @key1
+          end
+
+          count = message.length / AES::BLOCK_SIZE
+          result = AES::ZERO_BLOCK
+
+          count.times do |i|
+            block = message.slice(AES::BLOCK_SIZE * i, AES::BLOCK_SIZE)
+            block = Util.xor(final_block, block) if i == count - 1
+            block = Util.xor(block, result)
+            result = @cipher.update(block) + @cipher.final
+          end
+
+          result
+        end
+
+        private
+
+        def _generate_subkeys
+          key0 = @cipher.update(AES::ZERO_BLOCK) + @cipher.final
+          key1 = Util.dbl(key0)
+          key2 = Util.dbl(key1)
+          [key1, key2]
+        end
+      end
+    end
+  end
+end

data/lib/miscreant/internals/aes/siv.rb

@@ -0,0 +1,120 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module Miscreant
+  module Internals
+    module AES
+      # The AES-SIV misuse resistant authenticated encryption cipher
+      class SIV # :nodoc:
+        # Generate a new random AES-SIV key of the given size
+        #
+        # @param size [Integer] size of key in bytes (32 or 64)
+        #
+        # @return [String] newly generated AES-SIV key
+        def self.generate_key(size = 32)
+          raise ArgumentError, "key size must be 32 or 64 bytes" unless [32, 64].include?(size)
+          SecureRandom.random_bytes(size)
+        end
+
+        # Create a new AES-SIV instance
+        #
+        # @param key [String] 32-byte or 64-byte Encoding::BINARY cryptographic key
+        #
+        # @return [Miscreant::AES::SIV] new AES-SIV instance
+        def initialize(key)
+          raise TypeError, "expected String, got #{key.class}" unless key.is_a?(String)
+          raise ArgumentError, "key must be Encoding::BINARY" unless key.encoding == Encoding::BINARY
+          raise ArgumentError, "key must be 32 or 64 bytes" unless [32, 64].include?(key.length)
+
+          length = key.length / 2
+
+          @mac_key = key.slice(0, length)
+          @enc_key = key.slice(length..-1)
+        end
+
+        # Inspect this AES-SIV instance
+        #
+        # @return [String] description of this instance
+        def inspect
+          to_s
+        end
+
+        # Encrypt a message using AES-SIV, authenticating it along with the associated data
+        #
+        # @param plaintext [String] an Encoding::BINARY string to encrypt
+        # @param associated_data [Array<String>] optional array of message headers to authenticate
+        #
+        # @return [String] encrypted ciphertext
+        def seal(plaintext, associated_data = [])
+          raise TypeError, "expected String, got #{plaintext.class}" unless plaintext.is_a?(String)
+          raise ArgumentError, "plaintext must be Encoding::BINARY" unless plaintext.encoding == Encoding::BINARY
+
+          v = _s2v(associated_data, plaintext)
+          ciphertext = _transform(v, plaintext)
+          v + ciphertext
+        end
+
+        # Verify and decrypt an AES-SIV ciphertext, authenticating it along with the associated data
+        #
+        # @param ciphertext [String] an Encoding::BINARY string to decrypt
+        # @param associated_data [Array<String>] optional array of message headers to authenticate
+        #
+        # @raise [Miscreant::IntegrityError] ciphertext and/or associated data are corrupt or tampered with
+        # @return [String] decrypted plaintext
+        def open(ciphertext, associated_data = [])
+          raise TypeError, "expected String, got #{ciphertext.class}" unless ciphertext.is_a?(String)
+          raise ArgumentError, "ciphertext must be Encoding::BINARY" unless ciphertext.encoding == Encoding::BINARY
+
+          v = ciphertext.slice(0, AES::BLOCK_SIZE)
+          ciphertext = ciphertext.slice(AES::BLOCK_SIZE..-1)
+          plaintext = _transform(v, ciphertext)
+
+          t = _s2v(associated_data, plaintext)
+          raise IntegrityError, "ciphertext verification failure!" unless Util.ct_equal(t, v)
+
+          plaintext
+        end
+
+        private
+
+        # Performs raw unauthenticted encryption or decryption of the message
+        def _transform(v, data)
+          return "".b if data.empty?
+
+          cipher = OpenSSL::Cipher::AES.new(@mac_key.length * 8, :CTR)
+          cipher.encrypt
+          cipher.iv = Util.zero_iv_bits(v)
+          cipher.key = @enc_key
+          cipher.update(data) + cipher.final
+        end
+
+        # The S2V operation consists of the doubling and XORing of the outputs
+        # of the pseudo-random function CMAC.
+        #
+        # See Section 2.4 of RFC 5297 for more information
+        def _s2v(associated_data, plaintext)
+          # Note: the standalone S2V returns CMAC(1) if the number of passed
+          # vectors is zero, however in SIV construction this case is never
+          # triggered, since we always pass plaintext as the last vector (even
+          # if it's zero-length), so we omit this case.
+          cmac = CMAC.new(@mac_key)
+          d = cmac.digest(AES::ZERO_BLOCK)
+
+          associated_data.each do |ad|
+            d = Util.dbl(d)
+            d = Util.xor(d, cmac.digest(ad))
+          end
+
+          if plaintext.bytesize >= AES::BLOCK_SIZE
+            d = Util.xorend(plaintext, d)
+          else
+            d = Util.dbl(d)
+            d = Util.xor(d, Util.pad(plaintext, AES::BLOCK_SIZE))
+          end
+
+          cmac.digest(d)
+        end
+      end
+    end
+  end
+end

data/lib/miscreant/internals/util.rb

@@ -0,0 +1,83 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module Miscreant
+  module Internals
+    # Internal utility functions
+    module Util # :nodoc:
+      module_function
+
+      # Perform a doubling operation as described in the CMAC and SIV papers
+      def dbl(value)
+        overflow = 0
+        words = value.unpack("N4").reverse
+
+        words.map! do |word|
+          new_word = (word << 1) & 0xFFFFFFFF
+          new_word |= overflow
+          overflow = (word & 0x80000000) >= 0x80000000 ? 1 : 0
+          new_word
+        end
+
+        result = words.reverse.pack("N4")
+        result[-1] = (result[-1].ord ^ select(overflow, 0x87, 0)).chr
+        result
+      end
+
+      # Pad value with a 0x80 value and zeroes up to the given length
+      def pad(message, length)
+        padded_length = message.length + length - (message.length % length)
+        message += "\x80"
+        message.ljust(padded_length, "\0")
+      end
+
+      # Perform a constant time(-ish) branch operation
+      def select(subject, result_if_one, result_if_zero)
+        (~(subject - 1) & result_if_one) | ((subject - 1) & result_if_zero)
+      end
+
+      # Perform an xor on arbitrary bytestrings
+      def xor(a, b)
+        length = [a.length, b.length].min
+        output = "\0" * length
+        length.times do |i|
+          output[i] = (a[i].ord ^ b[i].ord).chr
+        end
+        output
+      end
+
+      # XOR the second value into the end of the first
+      def xorend(a, b)
+        difference = a.length - b.length
+
+        left  = a.slice(0, difference)
+        right = a.slice(difference..-1)
+
+        left + xor(right, b)
+      end
+
+      # Zero out the top bits in the last 32-bit words of the IV
+      def zero_iv_bits(iv)
+        # "We zero-out the top bit in each of the last two 32-bit words
+        # of the IV before assigning it to Ctr"
+        # -- http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf
+        iv = iv.dup
+        iv[8] = (iv[8].ord & 0x7f).chr
+        iv[12] = (iv[12].ord & 0x7f).chr
+        iv
+      end
+
+      # Perform a constant time-ish comparison of two bytestrings
+      def ct_equal(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        l = a.unpack("C*")
+        r = 0
+        i = -1
+
+        b.each_byte { |v| r |= v ^ l[i += 1] }
+        r.zero?
+      end
+    end
+  end
+end

data/lib/miscreant/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Miscreant
-  VERSION = "0.0.0"
+  VERSION = "0.1.0"
 end

data/miscreant.gemspec

@@ -7,13 +7,18 @@ require "miscreant/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "miscreant"
-  spec.version       = Miscreant::VERSION
   spec.authors       = ["Tony Arcieri"]
   spec.email         = ["bascule@gmail.com"]
+  spec.summary       = "Misuse-resistant authenticated symmetric encryption"
+  spec.description   = <<-DESCRIPTION.strip.gsub(/\s+/, " ")
+    Misuse-resistant symmetric encryption using the AES-SIV (RFC 5297)
+    and CHAIN/STREAM constructions.
+  DESCRIPTION
+
+  spec.version       = Miscreant::VERSION
   spec.licenses      = ["MIT"]
   spec.homepage      = "https://github.com/miscreant/miscreant/tree/master/ruby/"
-  spec.summary       = "Misuse-resistant authenticated symmetric encryption"
-  spec.description   = "Misuse-resistant symmetric encryption using the AES-SIV (RFC 5297) and CHAIN constructions"
+  spec.description   = ""
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: miscreant
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.1.0
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-07-24 00:00:00.000000000 Z
+date: 2017-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -24,8 +24,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.14'
-description: Misuse-resistant symmetric encryption using the AES-SIV (RFC 5297) and
-  CHAIN constructions
+description: ''
 email:
 - bascule@gmail.com
 executables: []
@@ -37,14 +36,14 @@ files:
 - ".rubocop.yml"
 - ".ruby-version"
 - Gemfile
-- LICENSE.txt
 - README.md
 - Rakefile
 - lib/miscreant.rb
-- lib/miscreant/aes.rb
-- lib/miscreant/aes/cmac.rb
-- lib/miscreant/aes/siv.rb
-- lib/miscreant/util.rb
+- lib/miscreant/internals.rb
+- lib/miscreant/internals/aes.rb
+- lib/miscreant/internals/aes/cmac.rb
+- lib/miscreant/internals/aes/siv.rb
+- lib/miscreant/internals/util.rb
 - lib/miscreant/version.rb
 - miscreant.gemspec
 homepage: https://github.com/miscreant/miscreant/tree/master/ruby/

data/LICENSE.txt

@@ -1,19 +0,0 @@
-Copyright (c) 2013-2017 John Downey, The Miscreant Developers
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/lib/miscreant/aes.rb

@@ -1,13 +0,0 @@
-# encoding: binary
-# frozen_string_literal: true
-
-module Miscreant
-  # The Advanced Encryption Standard Block Cipher
-  module AES
-    # Size of an AES block (i.e. input/output from the AES function)
-    BLOCK_SIZE = 16
-
-    # A bytestring of all zeroes, the same length as an AES block
-    ZERO_BLOCK = ("\0" * BLOCK_SIZE).freeze
-  end
-end

data/lib/miscreant/aes/cmac.rb

@@ -1,77 +0,0 @@
-# encoding: binary
-# frozen_string_literal: true
-
-module Miscreant
-  module AES
-    # The AES-CMAC message authentication code
-    class CMAC
-      # Create a new AES-CMAC instance
-      #
-      # @param key [String] 16-byte or 32-byte Encoding::BINARY cryptographic key
-      #
-      # @return [Miscreant::AES::CMAC] new AES-CMAC instance
-      def initialize(key)
-        raise TypeError, "expected String, got #{key.class}" unless key.is_a?(String)
-        raise ArgumentError, "key must be Encoding::BINARY" unless key.encoding == Encoding::BINARY
-        raise ArgumentError, "key must be 32 or 64 bytes" unless [16, 32].include?(key.length)
-
-        # The only valid use of ECB mode: constructing higher-level cryptographic primitives
-        @cipher = OpenSSL::Cipher.new("AES-#{key.length * 8}-ECB")
-        @cipher.encrypt
-        @cipher.padding = 0
-        @cipher.key = key
-        @key1, @key2 = _generate_subkeys
-      end
-
-      # Inspect this AES-CMAC instance
-      #
-      # @return [String] description of this instance
-      def inspect
-        to_s
-      end
-
-      # Compute the AES-CMAC of the given input message in a single shot,
-      # outputting the MAC tag.
-      #
-      # Unlike other AES-CMAC implementations, this one does not support
-      # incremental processing/IUF operation. (Though that would enable
-      # slightly more efficient decryption for AES-SIV)
-      #
-      # @param message [String] an Encoding::BINARY string to authenticate
-      #
-      # @return [String] CMAC tag
-      def digest(message)
-        raise TypeError, "expected String, got #{message.class}" unless message.is_a?(String)
-        raise ArgumentError, "message must be Encoding::BINARY" unless message.encoding == Encoding::BINARY
-
-        if message.empty? || message.length % AES::BLOCK_SIZE != 0
-          message = Util.pad(message, AES::BLOCK_SIZE)
-          final_block = @key2
-        else
-          final_block = @key1
-        end
-
-        count = message.length / AES::BLOCK_SIZE
-        result = AES::ZERO_BLOCK
-
-        count.times do |i|
-          block = message.slice(AES::BLOCK_SIZE * i, AES::BLOCK_SIZE)
-          block = Util.xor(final_block, block) if i == count - 1
-          block = Util.xor(block, result)
-          result = @cipher.update(block) + @cipher.final
-        end
-
-        result
-      end
-
-      private
-
-      def _generate_subkeys
-        key0 = @cipher.update(AES::ZERO_BLOCK) + @cipher.final
-        key1 = Util.dbl(key0)
-        key2 = Util.dbl(key1)
-        [key1, key2]
-      end
-    end
-  end
-end

data/lib/miscreant/aes/siv.rb

@@ -1,118 +0,0 @@
-# encoding: binary
-# frozen_string_literal: true
-
-module Miscreant
-  module AES
-    # The AES-SIV misuse resistant authenticated encryption cipher
-    class SIV
-      # Generate a new random AES-SIV key of the given size
-      #
-      # @param size [Integer] size of key in bytes (32 or 64)
-      #
-      # @return [String] newly generated AES-SIV key
-      def self.generate_key(size = 32)
-        raise ArgumentError, "key size must be 32 or 64 bytes" unless [32, 64].include?(size)
-        SecureRandom.random_bytes(size)
-      end
-
-      # Create a new AES-SIV instance
-      #
-      # @param key [String] 32-byte or 64-byte Encoding::BINARY cryptographic key
-      #
-      # @return [Miscreant::AES::SIV] new AES-SIV instance
-      def initialize(key)
-        raise TypeError, "expected String, got #{key.class}" unless key.is_a?(String)
-        raise ArgumentError, "key must be Encoding::BINARY" unless key.encoding == Encoding::BINARY
-        raise ArgumentError, "key must be 32 or 64 bytes" unless [32, 64].include?(key.length)
-
-        length = key.length / 2
-
-        @mac_key = key.slice(0, length)
-        @enc_key = key.slice(length..-1)
-      end
-
-      # Inspect this AES-SIV instance
-      #
-      # @return [String] description of this instance
-      def inspect
-        to_s
-      end
-
-      # Encrypt a message using AES-SIV, authenticating it along with the associated data
-      #
-      # @param plaintext [String] an Encoding::BINARY string to encrypt
-      # @param associated_data [Array<String>] optional array of message headers to authenticate
-      #
-      # @return [String] encrypted ciphertext
-      def seal(plaintext, associated_data = [])
-        raise TypeError, "expected String, got #{plaintext.class}" unless plaintext.is_a?(String)
-        raise ArgumentError, "plaintext must be Encoding::BINARY" unless plaintext.encoding == Encoding::BINARY
-
-        v = _s2v(associated_data, plaintext)
-        ciphertext = _transform(v, plaintext)
-        v + ciphertext
-      end
-
-      # Verify and decrypt an AES-SIV ciphertext, authenticating it along with the associated data
-      #
-      # @param ciphertext [String] an Encoding::BINARY string to decrypt
-      # @param associated_data [Array<String>] optional array of message headers to authenticate
-      #
-      # @raise [Miscreant::IntegrityError] ciphertext and/or associated data are corrupt or tampered with
-      # @return [String] decrypted plaintext
-      def open(ciphertext, associated_data = [])
-        raise TypeError, "expected String, got #{ciphertext.class}" unless ciphertext.is_a?(String)
-        raise ArgumentError, "ciphertext must be Encoding::BINARY" unless ciphertext.encoding == Encoding::BINARY
-
-        v = ciphertext.slice(0, AES::BLOCK_SIZE)
-        ciphertext = ciphertext.slice(AES::BLOCK_SIZE..-1)
-        plaintext = _transform(v, ciphertext)
-
-        t = _s2v(associated_data, plaintext)
-        raise IntegrityError, "ciphertext verification failure!" unless Util.ct_equal(t, v)
-
-        plaintext
-      end
-
-      private
-
-      # Performs raw unauthenticted encryption or decryption of the message
-      def _transform(v, data)
-        return "".b if data.empty?
-
-        cipher = OpenSSL::Cipher::AES.new(@mac_key.length * 8, :CTR)
-        cipher.encrypt
-        cipher.iv = Util.zero_iv_bits(v)
-        cipher.key = @enc_key
-        cipher.update(data) + cipher.final
-      end
-
-      # The S2V operation consists of the doubling and XORing of the outputs
-      # of the pseudo-random function CMAC.
-      #
-      # See Section 2.4 of RFC 5297 for more information
-      def _s2v(associated_data, plaintext)
-        # Note: the standalone S2V returns CMAC(1) if the number of passed
-        # vectors is zero, however in SIV construction this case is never
-        # triggered, since we always pass plaintext as the last vector (even
-        # if it's zero-length), so we omit this case.
-        cmac = CMAC.new(@mac_key)
-        d = cmac.digest(AES::ZERO_BLOCK)
-
-        associated_data.each do |ad|
-          d = Util.dbl(d)
-          d = Util.xor(d, cmac.digest(ad))
-        end
-
-        if plaintext.bytesize >= AES::BLOCK_SIZE
-          d = Util.xorend(plaintext, d)
-        else
-          d = Util.dbl(d)
-          d = Util.xor(d, Util.pad(plaintext, AES::BLOCK_SIZE))
-        end
-
-        cmac.digest(d)
-      end
-    end
-  end
-end

data/lib/miscreant/util.rb

@@ -1,81 +0,0 @@
-# encoding: binary
-# frozen_string_literal: true
-
-module Miscreant
-  # Internal utility functions
-  module Util
-    module_function
-
-    # Perform a doubling operation as described in the CMAC and SIV papers
-    def dbl(value)
-      overflow = 0
-      words = value.unpack("N4").reverse
-
-      words.map! do |word|
-        new_word = (word << 1) & 0xFFFFFFFF
-        new_word |= overflow
-        overflow = (word & 0x80000000) >= 0x80000000 ? 1 : 0
-        new_word
-      end
-
-      result = words.reverse.pack("N4")
-      result[-1] = (result[-1].ord ^ select(overflow, 0x87, 0)).chr
-      result
-    end
-
-    # Pad value with a 0x80 value and zeroes up to the given length
-    def pad(message, length)
-      padded_length = message.length + length - (message.length % length)
-      message += "\x80"
-      message.ljust(padded_length, "\0")
-    end
-
-    # Perform a constant time(-ish) branch operation
-    def select(subject, result_if_one, result_if_zero)
-      (~(subject - 1) & result_if_one) | ((subject - 1) & result_if_zero)
-    end
-
-    # Perform an xor on arbitrary bytestrings
-    def xor(a, b)
-      length = [a.length, b.length].min
-      output = "\0" * length
-      length.times do |i|
-        output[i] = (a[i].ord ^ b[i].ord).chr
-      end
-      output
-    end
-
-    # XOR the second value into the end of the first
-    def xorend(a, b)
-      difference = a.length - b.length
-
-      left  = a.slice(0, difference)
-      right = a.slice(difference..-1)
-
-      left + xor(right, b)
-    end
-
-    # Zero out the top bits in the last 32-bit words of the IV
-    def zero_iv_bits(iv)
-      # "We zero-out the top bit in each of the last two 32-bit words
-      # of the IV before assigning it to Ctr"
-      # -- http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf
-      iv = iv.dup
-      iv[8] = (iv[8].ord & 0x7f).chr
-      iv[12] = (iv[12].ord & 0x7f).chr
-      iv
-    end
-
-    # Perform a constant time-ish comparison of two bytestrings
-    def ct_equal(a, b)
-      return false unless a.bytesize == b.bytesize
-
-      l = a.unpack("C*")
-      r = 0
-      i = -1
-
-      b.each_byte { |v| r |= v ^ l[i += 1] }
-      r.zero?
-    end
-  end
-end