Пример #1
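        /// <summary>
        /// Re-keys the MAC and clears the accumulator and buffered-byte count so that a
        /// new message can be authenticated.
        /// </summary>
        /// <param name="key">
        /// 32-byte key. The first 16 bytes are clamped into r0..r4; the words starting at
        /// offset <c>BLOCK_SIZE</c> are loaded into k0..k3.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="key"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="key"/> is not exactly 32 bytes long.</exception>
        public void Reset(byte[] key)
        {
            // Reject a missing key explicitly instead of failing with a NullReferenceException
            // on key.Length below.
            if (key == null)
            {
                throw new ArgumentNullException("key");
            }

            if (key.Length != 32)
            {
                throw new ArgumentException("Poly1305 key must be 256 bits.");
            }

            // NOTE(review): Poly1305 keys are one-time keys. This method cannot detect reuse of
            // the same key for two messages; the caller has to guarantee a fresh key per message.

            bufferLength = 0;

            h0 = h1 = h2 = h3 = h4 = 0;

            // Extract r portion of key (and "clamp" the values).
            // Lend.Pack32 is defined elsewhere; presumably a little-endian 32-bit load.
            uint t0 = Lend.Pack32(key, 0);
            uint t1 = Lend.Pack32(key, 4);
            uint t2 = Lend.Pack32(key, 8);
            uint t3 = Lend.Pack32(key, 12);

            // Split the 128-bit r into five 26-bit limbs.
            // NOTE: The masks perform the key "clamping" implicitly.
            r0 = t0 & 0x03FFFFFFU;
            r1 = ((t0 >> 26) | (t1 << 6)) & 0x03FFFF03U;
            r2 = ((t1 >> 20) | (t2 << 12)) & 0x03FFC0FFU;
            r3 = ((t2 >> 14) | (t3 << 18)) & 0x03F03FFFU;
            r4 = (t3 >> 8) & 0x000FFFFFU;

            // Precompute the 5 * r multipliers that ProcessBuffer uses for the wrapped-around
            // limb products.
            s1 = r1 * 5;
            s2 = r2 * 5;
            s3 = r3 * 5;
            s4 = r4 * 5;

            // Second key half: added to the accumulator when the tag is built.
            k0 = Lend.Pack32(key, BLOCK_SIZE + 0);
            k1 = Lend.Pack32(key, BLOCK_SIZE + 4);
            k2 = Lend.Pack32(key, BLOCK_SIZE + 8);
            k3 = Lend.Pack32(key, BLOCK_SIZE + 12);
        }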
Пример #2
        /// <summary>
        /// Fills the cipher state: the first four words come from <c>SIGMA</c>, the key is
        /// packed into words 4..11 and the nonce into words 13..15.
        /// </summary>
        /// <param name="state">State array; its first <c>SIZE</c> words are zeroed and then rewritten.</param>
        /// <param name="key">Key bytes, packed into eight state words.</param>
        /// <param name="nonce">Nonce bytes, packed into three state words.</param>
        private static void StateInit(uint[] state, byte[] key, byte[] nonce)
        {
            // Zero everything first; word 12 is not written again here, so it stays 0
            // (presumably the block counter - confirm against the caller).
            Array.Clear(state, 0, SIZE);

            for (int word = 0; word < 4; word++)
            {
                state[word] = SIGMA[word];
            }

            // NOTE(review): key and nonce lengths are not validated in this method. The calls
            // below ask for 8 and 3 words, so callers are assumed to pass 32 and 12 bytes.
            Lend.Pack32(key, 0, state, 4, 8);
            Lend.Pack32(nonce, 0, state, 13, 3);
        }
Пример #3
        /// <summary>
        /// Finishes the MAC: processes any buffered tail bytes, fully reduces the accumulator,
        /// adds k0..k3 and writes the resulting tag words to <paramref name="output"/>.
        /// </summary>
        /// <param name="output">Destination array for the tag.</param>
        /// <param name="outputOffset">Index in <paramref name="output"/> where the first tag word is written.</param>
        /// <returns><c>BLOCK_SIZE</c>.</returns>
        /// <remarks>
        /// NOTE(review): <paramref name="output"/> is neither null-checked nor bounds-checked here,
        /// and the accumulator has already been modified by the time the first write happens.
        /// Callers that verify a received tag should compare it with the value produced here in
        /// constant time.
        /// </remarks>
        public int Build(byte[] output, int outputOffset)
        {
            // Absorb the final (possibly short) block before finalising.
            if (bufferLength > 0)
            {
                ProcessBuffer();
            }

            // Full carry propagation across the five 26-bit limbs; the carry out of h4 wraps
            // into h0 multiplied by 5.
            h1 += (h0 >> 26); h0 &= 0x3ffffff;
            h2 += (h1 >> 26); h1 &= 0x3ffffff;
            h3 += (h2 >> 26); h2 &= 0x3ffffff;
            h4 += (h3 >> 26); h3 &= 0x3ffffff;
            h0 += (h4 >> 26) * 5; h4 &= 0x3ffffff;
            h1 += (h0 >> 26); h0 &= 0x3ffffff;

            uint g0, g1, g2, g3, g4, b;

            // g = h + 5 - 2^130: the candidate value of h after subtracting the modulus once.
            g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
            g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
            g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
            g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
            g4 = h4 + b - (1 << 26);

            // Branch-free select: if the subtraction borrowed (top bit of g4 set) b becomes 0
            // and h is kept; otherwise b becomes all ones and g replaces h. This relies on
            // unchecked uint arithmetic wrapping 0 - 1 to 0xFFFFFFFF.
            b = (g4 >> 31) - 1;
            uint nb = ~b;

            h0 = (h0 & nb) | (g0 & b);
            h1 = (h1 & nb) | (g1 & b);
            h2 = (h2 & nb) | (g2 & b);
            h3 = (h3 & nb) | (g3 & b);
            h4 = (h4 & nb) | (g4 & b);

            ulong f0, f1, f2, f3;

            // Repack the 26-bit limbs into four 32-bit words and add k0..k3; the sums are kept
            // in 64 bits so the carry can be passed to the next word below.
            f0 = ((h0) | (h1 << 26)) + (ulong)k0;
            f1 = ((h1 >> 6) | (h2 << 20)) + (ulong)k1;
            f2 = ((h2 >> 12) | (h3 << 14)) + (ulong)k2;
            f3 = ((h3 >> 18) | (h4 << 8)) + (ulong)k3;

            // Emit the low 32 bits of each word and carry the rest forward; the carry out of
            // f3 is discarded. Lend.Unpack32 is defined elsewhere (presumably a little-endian
            // 32-bit store).
            Lend.Unpack32((uint)f0, output, outputOffset);
            f1 += (f0 >> 32);
            Lend.Unpack32((uint)f1, output, outputOffset + 4);
            f2 += (f1 >> 32);
            Lend.Unpack32((uint)f2, output, outputOffset + 8);
            f3 += (f2 >> 32);
            Lend.Unpack32((uint)f3, output, outputOffset + 12);

            return(BLOCK_SIZE);
        }
Пример #4
        /// <summary>
        /// Absorbs the bytes currently held in <c>buffer</c> into the accumulator h0..h4
        /// (add the block, multiply by r, partially reduce) and resets <c>bufferLength</c> to 0.
        /// Does nothing when the buffer is empty.
        /// </summary>
        private void ProcessBuffer()
        {
            if (bufferLength == 0)
            {
                return;
            }
            // Short block: append a single 0x01 byte and zero the remainder of the block.
            if (bufferLength < BLOCK_SIZE)
            {
                buffer[bufferLength] = 1;
                Array.Clear(buffer, bufferLength + 1, BLOCK_SIZE - bufferLength - 1);
            }

            // Load the block as four 32-bit words, widened to 64 bits so the cross-word
            // shifts below do not lose bits. Lend.Pack32 is defined elsewhere (presumably a
            // little-endian 32-bit load).
            ulong t0 = Lend.Pack32(buffer, 0);
            ulong t1 = Lend.Pack32(buffer, 4);
            ulong t2 = Lend.Pack32(buffer, 8);
            ulong t3 = Lend.Pack32(buffer, 12);

            // h += block, with the block split into five 26-bit limbs.
            h0 += (uint)(t0 & 0x3ffffffU);
            h1 += (uint)((((t1 << 32) | t0) >> 26) & 0x3ffffff);
            h2 += (uint)((((t2 << 32) | t1) >> 20) & 0x3ffffff);
            h3 += (uint)((((t3 << 32) | t2) >> 14) & 0x3ffffff);
            h4 += (uint)(t3 >> 8);

            // Full block: set the bit just above the 128 message bits (bit 24 of limb 4).
            // A short block already carries its terminator as the 0x01 byte written above.
            if (bufferLength == BLOCK_SIZE)
            {
                h4 += (1 << 24);
            }

            // h *= r as a schoolbook product over the limbs. Products that would land above
            // limb 4 use the precomputed s = 5 * r values instead, which folds them back
            // into the low limbs. mul32x32_64 is defined elsewhere (presumably a
            // 32x32 -> 64-bit multiply).
            ulong tp0 = mul32x32_64(h0, r0) + mul32x32_64(h1, s4) + mul32x32_64(h2, s3) + mul32x32_64(h3, s2) + mul32x32_64(h4, s1);
            ulong tp1 = mul32x32_64(h0, r1) + mul32x32_64(h1, r0) + mul32x32_64(h2, s4) + mul32x32_64(h3, s3) + mul32x32_64(h4, s2);
            ulong tp2 = mul32x32_64(h0, r2) + mul32x32_64(h1, r1) + mul32x32_64(h2, r0) + mul32x32_64(h3, s4) + mul32x32_64(h4, s3);
            ulong tp3 = mul32x32_64(h0, r3) + mul32x32_64(h1, r2) + mul32x32_64(h2, r1) + mul32x32_64(h3, r0) + mul32x32_64(h4, s4);
            ulong tp4 = mul32x32_64(h0, r4) + mul32x32_64(h1, r3) + mul32x32_64(h2, r2) + mul32x32_64(h3, r1) + mul32x32_64(h4, r0);

            // Partial carry propagation: keep 26 bits per limb and push the rest upward; the
            // carry out of limb 4 re-enters limb 0 multiplied by 5. Build() performs the full
            // reduction when the tag is produced.
            h0  = (uint)tp0 & 0x3ffffff; tp1 += (tp0 >> 26);
            h1  = (uint)tp1 & 0x3ffffff; tp2 += (tp1 >> 26);
            h2  = (uint)tp2 & 0x3ffffff; tp3 += (tp2 >> 26);
            h3  = (uint)tp3 & 0x3ffffff; tp4 += (tp3 >> 26);
            h4  = (uint)tp4 & 0x3ffffff;
            h0 += (uint)(tp4 >> 26) * 5;
            h1 += (h0 >> 26); h0 &= 0x3ffffff;

            // Mark the buffer as consumed.
            bufferLength = 0;
        }
Пример #5
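        /// <summary>
        /// Computes the authentication tag over the additional data and the encrypted data and
        /// writes it to the start of <paramref name="output"/>.
        /// </summary>
        /// <remarks>
        /// MAC input order: additional data, zero padding to a block boundary, encrypted data,
        /// zero padding to a block boundary, additional-data length, encrypted-data length (each
        /// length as a 64-bit value). This appears to follow the ChaCha20-Poly1305 AEAD layout.
        /// NOTE(review): <c>mac</c> is declared outside this method. If it is a shared static
        /// instance, concurrent calls would interleave their state - confirm how callers
        /// serialise access.
        /// </remarks>
        /// <param name="key">MAC key handed to <c>mac.Reset</c>.</param>
        /// <param name="bytes">Array holding the encrypted data.</param>
        /// <param name="byteOffset">Start of the encrypted data in <paramref name="bytes"/>.</param>
        /// <param name="bytesCount">Length of the encrypted data in bytes.</param>
        /// <param name="adata">Array holding the additional authenticated data.</param>
        /// <param name="adataOffset">Start of the additional data in <paramref name="adata"/>.</param>
        /// <param name="adataCount">Length of the additional data in bytes.</param>
        /// <param name="output">Destination array; the tag is written from index 0.</param>
        private static void GetMAC(byte[] key, byte[] bytes, int byteOffset, int bytesCount, byte[] adata, int adataOffset, int adataCount, byte[] output)
        {
            var buf8 = BufferPool.GetBuffer(8);
            var zeroBytes = BufferPool.GetBuffer(16);

            // Return the pooled buffers even when a MAC step throws.
            try
            {
                // The padding must be all zero. A pooled buffer may still hold bytes from an
                // earlier user, so clear it instead of trusting the pool.
                System.Array.Clear(zeroBytes, 0, 16);

                mac.Reset(key);

                // Additional data. Honour adataOffset: reading from index 0 would authenticate
                // the wrong bytes whenever the additional data does not start at the beginning
                // of the array.
                mac.Process(adata, adataOffset, adataCount);
                var zeroCount = adataCount % Poly1305.BLOCK_SIZE;
                if (zeroCount != 0)
                {
                    mac.Process(zeroBytes, 0, Poly1305.BLOCK_SIZE - zeroCount);
                }

                // Encrypted data
                mac.Process(bytes, byteOffset, bytesCount);
                zeroCount = bytesCount % Poly1305.BLOCK_SIZE;
                if (zeroCount != 0)
                {
                    mac.Process(zeroBytes, 0, Poly1305.BLOCK_SIZE - zeroCount);
                }

                // Additional data length
                Lend.Unpack64((ulong)adataCount, buf8);
                mac.Process(buf8, 0, 8);

                // Encrypted data length
                Lend.Unpack64((ulong)bytesCount, buf8);
                mac.Process(buf8, 0, 8);

                mac.Build(output, 0);
            }
            finally
            {
                BufferPool.ReturnBuffer(buf8);
                BufferPool.ReturnBuffer(zeroBytes);
            }
        }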
Пример #6
 /// <summary>
 /// Runs <c>RotateChaCha</c> on <paramref name="state"/> into <paramref name="buffer"/> and
 /// serialises the resulting words into <paramref name="gamma"/> starting at index 0.
 /// </summary>
 /// <param name="state">Cipher state passed to <c>RotateChaCha</c>.</param>
 /// <param name="buffer">Word buffer that receives the <c>RotateChaCha</c> result.</param>
 /// <param name="gamma">Byte array that receives the unpacked words.</param>
 private static void StateGamma(uint[] state, uint[] buffer, byte[] gamma)
 {
     // Presumably the round count of the block function - confirm against RotateChaCha.
     const int rotateArgument = 20;

     RotateChaCha(state, buffer, rotateArgument);

     // NOTE(review): buffer still holds the same words as gamma after this call. If gamma is
     // key stream, callers may want to clear buffer once they are done with it.
     Lend.Unpack32(buffer, gamma, 0);
 }