A rudimentary order-preserving encryption scheme. More...

#include "orconfig.h"
#include "lib/crypt_ops/crypto_ope.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/crypt_ops/crypto_cipher.h"
#include "lib/log/util_bug.h"
#include "lib/malloc/malloc.h"
#include "lib/arch/bytes.h"
#include <string.h>

Data Structures
struct	crypto_ope_t

Macros
#define	CRYPTO_OPE_PRIVATE

#define	SAMPLE_INTERVAL 1024

#define	N_SAMPLES (OPE_INPUT_MAX / SAMPLE_INTERVAL)

#define	ope_val_from_le(x) (x)

#define	BUFSZ 256

Typedefs
typedef uint16_t	ope_val_t

Functions
STATIC crypto_cipher_t *	ope_get_cipher (const crypto_ope_t *ope, uint32_t initial_idx)

STATIC uint64_t	sum_values_from_cipher (crypto_cipher_t *c, size_t n)

crypto_ope_t *	crypto_ope_new (const uint8_t *key)

void	crypto_ope_free_ (crypto_ope_t *ope)

uint64_t	crypto_ope_encrypt (const crypto_ope_t *ope, int plaintext)

Detailed Description

A rudimentary order-preserving encryption scheme.

To compute the encryption of N, this scheme uses an AES-CTR stream to generate M-byte values, and adds the first N of them together. (+1 each to insure that the ciphertexts are strictly decreasing.)

We use this for generating onion service revision counters based on the current time, without leaking the amount of skew in our view of the current time. MUCH more analysis would be needed before using it for anything else!

Definition in file crypto_ope.c.

Macro Definition Documentation

◆ CRYPTO_OPE_PRIVATE

#define CRYPTO_OPE_PRIVATE

Definition at line 20 of file crypto_ope.c.

◆ N_SAMPLES

#define N_SAMPLES (OPE_INPUT_MAX / SAMPLE_INTERVAL)

Number of precomputed samples to make for each OPE key.

Definition at line 39 of file crypto_ope.c.

◆ ope_val_from_le

#define ope_val_from_le ( x ) (x)

Definition at line 62 of file crypto_ope.c.

◆ SAMPLE_INTERVAL

#define SAMPLE_INTERVAL 1024

How infrequent should the precomputed values be for this encryption? The choice of this value creates a space/time tradeoff.

Note that this value must be a multiple of 16; see ope_get_cipher()

Definition at line 37 of file crypto_ope.c.

Typedef Documentation

◆ ope_val_t

typedef uint16_t ope_val_t

The type to add up in order to produce our OPE ciphertexts

Definition at line 50 of file crypto_ope.c.

Function Documentation

◆ crypto_ope_encrypt()

uint64_t crypto_ope_encrypt	(	const crypto_ope_t *	ope,
		int	plaintext
	)

Return the encrypted value corresponding to input. The input value must be in range 1..OPE_INPUT_MAX. Returns CRYPTO_OPE_ERROR on an invalid input.

NOTE: this function is not constant-time.

Definition at line 165 of file crypto_ope.c.

◆ crypto_ope_free_()

void crypto_ope_free_ ( crypto_ope_t * ope )

Free all storage held in ope.

Definition at line 149 of file crypto_ope.c.

◆ crypto_ope_new()

crypto_ope_t * crypto_ope_new ( const uint8_t * key )

Return a new crypto_ope_t object, using the provided 256-bit key.

Definition at line 129 of file crypto_ope.c.

◆ ope_get_cipher()

STATIC crypto_cipher_t * ope_get_cipher	(	const crypto_ope_t *	ope,
		uint32_t	initial_idx
	)

Return a new AES256-CTR stream cipher object for ope, ready to yield bytes from the stream at position initial_idx.

Note that because the index is converted directly to an IV, it must be a multiple of the AES block size (16).

Definition at line 73 of file crypto_ope.c.

◆ sum_values_from_cipher()

STATIC uint64_t sum_values_from_cipher	(	crypto_cipher_t *	c,
		size_t	n
	)

Retrieve and add the next n values from the stream cipher c, and return their sum.

Note that values are taken in little-endian order (for performance on prevalent hardware), and are mapped from range 0..2^n-1 to range 1..2^n (so that each input encrypts to a different output).