Add support for MAC with key commitment everywhere

src/aegis128l/aegis128l.c

@@ -199,14 +199,14 @@ aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint
 int
 aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k)
 {
-    uint8_t expeted_kc[aegis128l_COMMITBYTES];
+    uint8_t expected_kc[aegis128l_COMMITBYTES];
 
-    if (aegis128l_mac_init_with_commitment(st_, expeted_kc, k) != 0) {
+    if (aegis128l_mac_init_with_commitment(st_, expected_kc, k) != 0) {
         return -1;
     }
 
     COMPILER_ASSERT(aegis128l_COMMITBYTES == 16);
-    return aegis_verify_16(expeted_kc, kc);
+    return aegis_verify_16(expected_kc, kc);
 }
 
 int

src/aegis128x2/aegis128x2.c

@@ -181,6 +181,35 @@ aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
+int
+aegis128x2_mac_init_with_commitment(aegis128x2_state *st_, uint8_t *kc, const uint8_t *k)
+{
+    uint8_t out[32] = { 0 };
+    size_t  written;
+
+    aegis128x2_mac_init(st_, k);
+    aegis128x2_state_encrypt_update(st_, out, sizeof out, &written, out, sizeof out);
+    if (written != sizeof out) {
+        return -1;
+    }
+    memcpy(kc, out, aegis128x2_COMMITBYTES);
+
+    return 0;
+}
+
+int
+aegis128x2_mac_init_verify_commitment(aegis128x2_state *st_, const uint8_t *kc, const uint8_t *k)
+{
+    uint8_t expected_kc[aegis128x2_COMMITBYTES];
+
+    if (aegis128x2_mac_init_with_commitment(st_, expected_kc, k) != 0) {
+        return -1;
+    }
+
+    COMPILER_ASSERT(aegis128x2_COMMITBYTES == 16);
+    return aegis_verify_16(expected_kc, kc);
+}
+
 int
 aegis128x2_mac_update(aegis128x2_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis128x4/aegis128x4.c

@@ -182,6 +182,35 @@ aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
+int
+aegis128x4_mac_init_with_commitment(aegis128x4_state *st_, uint8_t *kc, const uint8_t *k)
+{
+    uint8_t out[32] = { 0 };
+    size_t  written;
+
+    aegis128x4_mac_init(st_, k);
+    aegis128x4_state_encrypt_update(st_, out, sizeof out, &written, out, sizeof out);
+    if (written != sizeof out) {
+        return -1;
+    }
+    memcpy(kc, out, aegis128x4_COMMITBYTES);
+
+    return 0;
+}
+
+int
+aegis128x4_mac_init_verify_commitment(aegis128x4_state *st_, const uint8_t *kc, const uint8_t *k)
+{
+    uint8_t expected_kc[aegis128x4_COMMITBYTES];
+
+    if (aegis128x4_mac_init_with_commitment(st_, expected_kc, k) != 0) {
+        return -1;
+    }
+
+    COMPILER_ASSERT(aegis128x4_COMMITBYTES == 16);
+    return aegis_verify_16(expected_kc, kc);
+}
+
 int
 aegis128x4_mac_update(aegis128x4_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis256/aegis256.c

@@ -180,6 +180,34 @@ aegis256_mac_init(aegis256_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
+int
+aegis256_mac_init_with_commitment(aegis256_state *st_, uint8_t *kc, const uint8_t *k)
+{
+    size_t written;
+
+    memset(kc, 0, aegis256_COMMITBYTES);
+    aegis256_mac_init(st_, k);
+    aegis256_state_encrypt_update(st_, kc, aegis256_COMMITBYTES, &written, kc,
+                                  aegis256_COMMITBYTES);
+    if (written != aegis256_COMMITBYTES) {
+        return -1;
+    }
+    return 0;
+}
+
+int
+aegis256_mac_init_verify_commitment(aegis256_state *st_, const uint8_t *kc, const uint8_t *k)
+{
+    uint8_t expected_kc[aegis256_COMMITBYTES];
+
+    if (aegis256_mac_init_with_commitment(st_, expected_kc, k) != 0) {
+        return -1;
+    }
+
+    COMPILER_ASSERT(aegis256_COMMITBYTES == 32);
+    return aegis_verify_32(expected_kc, kc);
+}
+
 int
 aegis256_mac_update(aegis256_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis256x2/aegis256x2.c

@@ -181,6 +181,34 @@ aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
+int
+aegis256x2_mac_init_with_commitment(aegis256x2_state *st_, uint8_t *kc, const uint8_t *k)
+{
+    size_t written;
+
+    memset(kc, 0, aegis256x2_COMMITBYTES);
+    aegis256x2_mac_init(st_, k);
+    aegis256x2_state_encrypt_update(st_, kc, aegis256x2_COMMITBYTES, &written, kc,
+                                    aegis256x2_COMMITBYTES);
+    if (written != aegis256x2_COMMITBYTES) {
+        return -1;
+    }
+    return 0;
+}
+
+int
+aegis256x2_mac_init_verify_commitment(aegis256x2_state *st_, const uint8_t *kc, const uint8_t *k)
+{
+    uint8_t expected_kc[aegis256x2_COMMITBYTES];
+
+    if (aegis256x2_mac_init_with_commitment(st_, expected_kc, k) != 0) {
+        return -1;
+    }
+
+    COMPILER_ASSERT(aegis256x2_COMMITBYTES == 32);
+    return aegis_verify_32(expected_kc, kc);
+}
+
 int
 aegis256x2_mac_update(aegis256x2_state *st_, const uint8_t *m, size_t mlen)
 {

src/aegis256x4/aegis256x4.c

@@ -182,6 +182,34 @@ aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k)
     implementation->state_init(st_, NULL, 0, npub, k);
 }
 
+int
+aegis256x4_mac_init_with_commitment(aegis256x4_state *st_, uint8_t *kc, const uint8_t *k)
+{
+    size_t written;
+
+    memset(kc, 0, aegis256x4_COMMITBYTES);
+    aegis256x4_mac_init(st_, k);
+    aegis256x4_state_encrypt_update(st_, kc, aegis256x4_COMMITBYTES, &written, kc,
+                                    aegis256x4_COMMITBYTES);
+    if (written != aegis256x4_COMMITBYTES) {
+        return -1;
+    }
+    return 0;
+}
+
+int
+aegis256x4_mac_init_verify_commitment(aegis256x4_state *st_, const uint8_t *kc, const uint8_t *k)
+{
+    uint8_t expected_kc[aegis256x4_COMMITBYTES];
+
+    if (aegis256x4_mac_init_with_commitment(st_, expected_kc, k) != 0) {
+        return -1;
+    }
+
+    COMPILER_ASSERT(aegis256x4_COMMITBYTES == 32);
+    return aegis_verify_32(expected_kc, kc);
+}
+
 int
 aegis256x4_mac_update(aegis256x4_state *st_, const uint8_t *m, size_t mlen)
 {

src/include/aegis128l.h

@@ -272,46 +272,6 @@ void aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen
  */
 void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k);
 
-/*
- * Initialize a state for generating a MAC, with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment output buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128l_mac_state_clone()`.
- */
-int aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint8_t *k);
-
-/*
- * Initialize a state for verifying a MAC with key commitment.
- *
- * st_: state to initialize
- * kc: key commitment input buffer (16 bytes)
- * k: key input buffer (16 bytes)
- *
- * - The same key MUST NOT be used both for MAC and encryption.
- * - The nonce is not used in the MAC mode (fixed to zero).
- * - If the key is secret, the MAC is secure against forgery.
- * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
- *
- * The recommended way to use the MAC mode is to generate a random key and keep it secret.
- *
- * After initialization, the state can be reused to verify multiple MACs by cloning it
- * with `aegis128l_mac_state_clone()`.
- *
- * Returns 0 if the key commitment matches, -1 otherwise.
- */
-int aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k);
-
 /*
  * Update the MAC state with input data.
  *
@@ -355,6 +315,46 @@ int aegis128l_mac_verify(aegis128l_state *st_, const uint8_t *mac, size_t maclen
  */
 void aegis128l_mac_state_clone(aegis128l_state *dst, const aegis128l_state *src);
 
+/*
+ * Initialize a state for generating a MAC, with key commitment.
+ *
+ * st_: state to initialize
+ * kc: key commitment output buffer (16 bytes)
+ * k: key input buffer (16 bytes)
+ *
+ * - The same key MUST NOT be used both for MAC and encryption.
+ * - The nonce is not used in the MAC mode (fixed to zero).
+ * - If the key is secret, the MAC is secure against forgery.
+ * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
+ *
+ * The recommended way to use the MAC mode is to generate a random key and keep it secret.
+ *
+ * After initialization, the state can be reused to generate multiple MACs by cloning it
+ * with `aegis128l_mac_state_clone()`.
+ */
+int aegis128l_mac_init_with_commitment(aegis128l_state *st_, uint8_t *kc, const uint8_t *k);
+
+/*
+ * Initialize a state for verifying a MAC with key commitment.
+ *
+ * st_: state to initialize
+ * kc: key commitment input buffer (16 bytes)
+ * k: key input buffer (16 bytes)
+ *
+ * - The same key MUST NOT be used both for MAC and encryption.
+ * - The nonce is not used in the MAC mode (fixed to zero).
+ * - If the key is secret, the MAC is secure against forgery.
+ * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
+ *
+ * The recommended way to use the MAC mode is to generate a random key and keep it secret.
+ *
+ * After initialization, the state can be reused to verify multiple MACs by cloning it
+ * with `aegis128l_mac_state_clone()`.
+ *
+ * Returns 0 if the key commitment matches, -1 otherwise.
+ */
+int aegis128l_mac_init_verify_commitment(aegis128l_state *st_, const uint8_t *kc, const uint8_t *k);
+
 #ifdef __cplusplus
 }
 #endif

src/include/aegis128x2.h

@@ -20,6 +20,9 @@ extern "C" {
 /* The maximum length of an AEGIS authentication tag, in bytes */
 #define aegis128x2_ABYTES_MAX 32
 
+/* The AEGIS commitment size, in bytes */
+#define aegis128x2_COMMITBYTES aegis128x2_KEYBYTES
+
 /*
  * When using AEGIS in incremental mode, this is the maximum number
  * of leftover ciphertext bytes that can be returned at finalization.
@@ -312,6 +315,47 @@ int aegis128x2_mac_verify(aegis128x2_state *st_, const uint8_t *mac, size_t macl
  */
 void aegis128x2_mac_state_clone(aegis128x2_state *dst, const aegis128x2_state *src);
 
+/*
+ * Initialize a state for generating a MAC, with key commitment.
+ *
+ * st_: state to initialize
+ * kc: key commitment output buffer (16 bytes)
+ * k: key input buffer (16 bytes)
+ *
+ * - The same key MUST NOT be used both for MAC and encryption.
+ * - The nonce is not used in the MAC mode (fixed to zero).
+ * - If the key is secret, the MAC is secure against forgery.
+ * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
+ *
+ * The recommended way to use the MAC mode is to generate a random key and keep it secret.
+ *
+ * After initialization, the state can be reused to generate multiple MACs by cloning it
+ * with `aegis128x2_mac_state_clone()`.
+ */
+int aegis128x2_mac_init_with_commitment(aegis128x2_state *st_, uint8_t *kc, const uint8_t *k);
+
+/*
+ * Initialize a state for verifying a MAC with key commitment.
+ *
+ * st_: state to initialize
+ * kc: key commitment input buffer (16 bytes)
+ * k: key input buffer (16 bytes)
+ *
+ * - The same key MUST NOT be used both for MAC and encryption.
+ * - The nonce is not used in the MAC mode (fixed to zero).
+ * - If the key is secret, the MAC is secure against forgery.
+ * - However, if the key is known, arbitrary inputs matching a tag can be efficiently computed.
+ *
+ * The recommended way to use the MAC mode is to generate a random key and keep it secret.
+ *
+ * After initialization, the state can be reused to verify multiple MACs by cloning it
+ * with `aegis128x2_mac_state_clone()`.
+ *
+ * Returns 0 if the key commitment matches, -1 otherwise.
+ */
+int aegis128x2_mac_init_verify_commitment(aegis128x2_state *st_, const uint8_t *kc,
+                                          const uint8_t *k);
+
 #ifdef __cplusplus
 }
 #endif