Add AES256-GCM.

evoskuil · evoskuil · commit 4a16adaba635 · 2026-01-13T02:26:51.000-05:00
diff --git a/include/bitcoin/system/crypto/aes256.hpp b/include/bitcoin/system/crypto/aes256.hpp
@@ -38,10 +38,26 @@ typedef data_array<block_size> block;
 constexpr size_t secret_size = bytes<256>;
 typedef data_array<secret_size> secret;
 
-/// Perform aes256 encryption/decryption on a data block.
+constexpr size_t tag_size = bytes<128>;
+typedef data_array<tag_size> tag;
+
+constexpr size_t nonce_size = bytes<96>;
+typedef data_array<nonce_size> nonce;
+
+/// Perform AES256 encryption/decryption on a data block.
 void encrypt(block& bytes, const secret& key) NOEXCEPT;
 void decrypt(block& bytes, const secret& key) NOEXCEPT;
 
+/// Perform AES256-GCM encryption/decryption on a data block.
+/// Returns false if authentication fails on decrypt.
+/// Tag is always populated on encrypt and verified on decrypt.
+/// Nonce must be unique for each encryption with the same key.
+/// AAD is optional authenticated additional data (not encrypted).
+bool gcm_encrypt(data_chunk& out, tag& out_tag, const data_slice& in,
+    const secret& key, const nonce& nonce, const data_slice& aad) NOEXCEPT;
+bool gcm_decrypt(data_chunk& out, const tag& tag, const data_slice& in,
+    const secret& key, const nonce& nonce, const data_slice& aad) NOEXCEPT;
+
 } // namespace aes256
 } // namespace system
 } // namespace libbitcoin
diff --git a/src/crypto/aes256.cpp b/src/crypto/aes256.cpp
@@ -21,6 +21,7 @@
 
 #include <bitcoin/system/define.hpp>
 #include <bitcoin/system/data/data.hpp>
+#include <bitcoin/system/endian/endian.hpp>
 #include <bitcoin/system/math/math.hpp>
 
 namespace libbitcoin {
@@ -409,6 +410,256 @@ void decrypt(block& bytes, const secret& key) NOEXCEPT
     ////zeroize(context);
 }
 
+// GCM implementation
+// ----------------------------------------------------------------------------
+
+template <typename Value, if_integer<Value> = true>
+constexpr void bit_xor_into(Value& out, Value other) NOEXCEPT
+{
+    out = bit_xor(out, other);
+}
+
+template <size_t Size>
+constexpr void array_xor_into(data_array<Size>& out,
+    const data_array<Size>& other) NOEXCEPT
+{
+    for (size_t index{}; index < Size; ++index)
+        bit_xor_into(out[index], other[index]);
+}
+
+template <size_t Size>
+constexpr block array_xor(const data_array<Size>& left,
+    const data_array<Size>& right) NOEXCEPT
+{
+    block out{ left };
+    array_xor_into(out, right);
+    return out;
+}
+
+template <size_t Size>
+constexpr void array_shift_right_into(data_array<Size>& value) NOEXCEPT
+{
+    bool carry{};
+    for (auto index = Size; is_nonzero(index); --index)
+    {
+        const auto offset = sub1(index);
+        const bool next = get_right(value[offset]);
+        shift_right_into(value[offset]);
+        if (carry) set_left_into(value[offset]);
+        carry = next;
+    }
+}
+
+// GHASH multiplication in GF(2^128) with reduction polynomial 0xe1 << 120.
+static block ghash_multiply(const block& left, block right) NOEXCEPT
+{
+    constexpr auto mask = 0b1110'0001_u8;
+
+    block out{};
+    for (size_t byte{}; byte < block_size; ++byte)
+    {
+        for (auto bit = bits<uint8_t>; is_nonzero(bit); --bit)
+        {
+            if (get_right(left[byte], sub1(bit)))
+            {
+                array_xor_into(out, right);
+            }
+
+            const bool carry = get_right(right[sub1(block_size)]);
+            array_shift_right_into(right);
+
+            if (carry)
+            {
+                bit_xor_into(right.front(), mask);
+            }
+        }
+    }
+
+    return out;
+}
+
+static void ghash_update(block& hash, const data_slice& data,
+    const block& h_key) NOEXCEPT
+{
+    block block{};
+    const auto size = data.size();
+    const auto blocks = floored_divide(size, block_size);
+
+    for (size_t index{}; index < blocks; ++index)
+    {
+        const auto begin = std::next(data.begin(), index * block_size);
+        std::copy(begin, std::next(begin, block_size), block.begin());
+        array_xor_into(hash, block);
+        hash = ghash_multiply(hash, h_key);
+    }
+
+    if (is_nonzero(floored_modulo(size, block_size)))
+    {
+        block = {};
+        const auto begin = std::next(data.begin(), blocks * block_size);
+        std::copy(begin, data.end(), block.begin());
+        array_xor_into(hash, block);
+        hash = ghash_multiply(hash, h_key);
+    }
+}
+
+static void increment_counter(block& counter) NOEXCEPT
+{
+    constexpr auto size = sizeof(uint32_t);
+    constexpr auto offest = block_size - size;
+    auto& slice = array_cast<uint8_t, size, offest>(counter);
+    slice = to_big_endian(add1(from_big_endian(slice)));
+}
+
+static void ctr_encrypt(aes256::context& context, data_chunk& out,
+    const data_slice& in, block counter) NOEXCEPT
+{
+    block stream{};
+    const auto size = in.size();
+    const auto blocks = floored_divide(size, block_size);
+    out.resize(size);
+
+    for (size_t block{}; block < blocks; ++block)
+    {
+        stream = counter;
+        encrypt_block(context, stream);
+        increment_counter(counter);
+
+        for (size_t index{}; index < block_size; ++index)
+        {
+            const auto at = block * block_size + index;
+            out[at] = bit_xor(in[at], stream[index]);
+        }
+    }
+
+    if (const auto remain = floored_modulo(size, block_size);
+        is_nonzero(remain))
+    {
+        stream = counter;
+        encrypt_block(context, stream);
+
+        for (size_t index{}; index < remain; ++index)
+        {
+            const auto at = blocks * block_size + index;
+            out[at] = bit_xor(in[at], stream[index]);
+        }
+    }
+}
+
+constexpr size_t pad_size(size_t value_size) NOEXCEPT
+{
+    return (block_size - (value_size % block_size)) % block_size;
+}
+
+// GCM encrypt/decrypt
+// ----------------------------------------------------------------------------
+
+constexpr auto one32 = to_big_endian<uint32_t>(1);
+
+bool gcm_encrypt(data_chunk& out, tag& out_tag, const data_slice& in,
+    const secret& key, const nonce& nonce, const data_slice& aad) NOEXCEPT
+{
+    if (is_multiply_overflow<uint64_t>(aad.size(), byte_bits) ||
+        is_multiply_overflow<uint64_t>(in.size(), byte_bits))
+        return false;
+
+    aes256::context context{};
+    initialize(context, key);
+
+    // Compute H = AES(0).
+    block h_key{};
+    encrypt_block(context, h_key);
+
+    // Initialize counter: nonce || 0x00000001 (BE).
+    block counter{};
+    array_cast<uint8_t, 12, 0>(counter) = nonce;
+    array_cast<uint8_t, 4, 12>(counter) = one32;
+
+    // Encrypt plaintext to ciphertext (CTR mode).
+    ctr_encrypt(context, out, in, counter);
+
+    // Compute GHASH over aad || pad || out || pad || len(aad) || len(out).
+    data_chunk pad{};
+    block hash{};
+
+    ghash_update(hash, aad, h_key);
+    pad.resize(pad_size(aad.size()));
+    if (!pad.empty())
+        ghash_update(hash, pad, h_key);
+
+    ghash_update(hash, out, h_key);
+    pad.resize(pad_size(out.size()));
+    if (!pad.empty())
+        ghash_update(hash, pad, h_key);
+
+    // Append lengths (out.size() is same as in.size() - overflow guarded).
+    block lengths{};
+    const auto aad_length = aad.size() * byte_bits;
+    const auto out_length = out.size() * byte_bits;
+    array_cast<uint8_t, 8, 0>(lengths) = to_big_endian<uint64_t>(aad_length);
+    array_cast<uint8_t, 8, 8>(lengths) = to_big_endian<uint64_t>(out_length);
+    ghash_update(hash, lengths, h_key);
+
+    // Initialize counter: nonce || 0x00000001 (BE) (and encrypt).
+    array_cast<uint8_t, 12, 0>(counter) = nonce;
+    array_cast<uint8_t, 4, 12>(counter) = one32;
+    encrypt_block(context, counter);
+
+    // Tag = GHASH ^ E(counter0).
+    out_tag = array_xor(hash, counter);
+    return true;
+}
+
+bool gcm_decrypt(data_chunk& out, const tag& tag, const data_slice& in,
+    const secret& key, const nonce& nonce, const data_slice& aad) NOEXCEPT
+{
+    if (is_multiply_overflow<uint64_t>(aad.size(), byte_bits) ||
+        is_multiply_overflow<uint64_t>(in.size(), byte_bits))
+        return false;
+
+    aes256::context context{};
+    initialize(context, key);
+
+    // Compute H = AES(0).
+    block h_key{};
+    encrypt_block(context, h_key);
+
+    // Compute GHASH over aad || pad || in || pad || len(aad) || len(in).
+    data_chunk pad{};
+    block hash{};
+
+    ghash_update(hash, aad, h_key);
+    pad.resize(pad_size(aad.size()));
+    if (!pad.empty())
+        ghash_update(hash, pad, h_key);
+
+    ghash_update(hash, in, h_key);
+    pad.resize(pad_size(in.size()));
+    if (!pad.empty())
+        ghash_update(hash, pad, h_key);
+
+    block lengths{};
+    const auto aad_length = aad.size() * byte_bits;
+    const auto in_length = in.size() * byte_bits;
+    array_cast<uint8_t, 8, 0>(lengths) = to_big_endian<uint64_t>(aad_length);
+    array_cast<uint8_t, 8, 8>(lengths) = to_big_endian<uint64_t>(in_length);
+    ghash_update(hash, lengths, h_key);
+
+    // Initialize counter: nonce || 0x00000001 (BE) (and encrypt).
+    block counter{};
+    array_cast<uint8_t, 12, 0>(counter) = nonce;
+    array_cast<uint8_t, 4, 12>(counter) = one32;
+    encrypt_block(context, counter);
+
+    // Verify tag = GHASH ^ E(counter0)
+    if (array_xor(hash, counter) != tag)
+        return false;
+
+    // Decrypt ciphertext to plaintext (CTR mode, same as encrypt).
+    ctr_encrypt(context, out, in, counter);
+    return true;
+}
+
 } // namespace aes256
 } // namespace system
 } // namespace libbitcoin
