| blob | f472e821a2ce870119e86c527bbbf09f7bec0239 |
2 <head>
9 <!--
10 This manual is for the Nettle library (version 2.7), a
11 low-level cryptographic library.
13 Originally written 2001 by Niels Möller, updated 2013.
15 This manual is placed in the public domain. You may freely copy
16 it, in whole or in part, with or without modification. Attribution
17 is appreciated, but not required.
18 -->
31 </head>
32 <body>
36 <ul>
44 <ul>
46 <ul>
48 <ul>
57 </li></ul>
59 <ul>
66 </li></ul>
68 </li></ul>
70 <ul>
83 </li></ul>
85 <ul>
89 <ul>
93 </li></ul>
94 </li></ul>
96 <ul>
99 <ul>
105 </li></ul>
107 </li></ul>
109 <ul>
112 <ul>
115 </li></ul>
116 </li></ul>
118 <ul>
124 <ul>
126 </li></ul>
128 </li></ul>
130 <ul>
132 </li></ul>
136 </li></ul>
140 </li></ul>
141 </div>
147 <p><hr>
152 </div>
154 <!-- node-name, next, previous, up -->
157 <p>This document describes the Nettle low-level cryptographic library. You
158 can use the library directly from your C programs, or write or use an
159 object-oriented wrapper for your favorite language or application.
162 low-level cryptographic library.
166 <blockquote>
167 This manual is placed in the public domain. You may freely copy it, in
168 whole or in part, with or without modification. Attribution is
169 appreciated, but not required.
170 </blockquote>
183 </li></ul>
184 <p>--- The Detailed Node Listing ---
186 <p>Reference
188 </p>
201 </li></ul>
202 <p>Cipher modes
204 </p>
210 </li></ul>
211 <p>Public-key algorithms
213 </p>
219 </ul>
223 <p><hr>
228 </div>
230 <!-- node-name, next, previous, up -->
233 <p>Nettle is a cryptographic library that is designed to fit easily in more
234 or less any context: In crypto toolkits for object-oriented languages
235 (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in
236 kernel space. In most contexts, you need more than the basic
237 cryptographic algorithms, you also need some way to keep track of available
238 algorithms, their properties and variants. You often have some algorithm
239 selection process, often dictated by a protocol you want to implement.
241 <p>And as the requirements of applications differ in subtle and not so
242 subtle ways, an API that fits one application well can be a pain to use
243 in a different context. And that is why there are so many different
244 cryptographic libraries around.
246 <p>Nettle tries to avoid this problem by doing one thing, the low-level
248 In particular, Nettle doesn't do algorithm selection. It doesn't do
249 memory allocation. It doesn't do any I/O.
251 <p>The idea is that one can build several application and context specific
252 interfaces on top of Nettle, and share the code, test cases, benchmarks,
253 documentation, etc. Examples are the Nettle module for the Pike
254 language, and LSH, which both use an object-oriented abstraction on top
255 of the library.
257 <p>This manual explains how to use the Nettle library. It also tries to
258 provide some background on the cryptography, and advice on how to best
259 put it to use.
263 <p><hr>
268 </div>
270 <!-- node-name, next, previous, up -->
273 <p>Nettle is distributed under the GNU Lesser General Public License
274 (LGPL), see the file COPYING.LIB for details. A few of the individual
275 files are in the public domain. To find the current status of particular
276 files, you have to read the copyright notices at the top of the files.
278 <p>This manual is in the public domain. You may freely copy it in whole or
279 in part, e.g., into documentation of programs that build on Nettle.
280 Attribution, as well as contribution of improvements to the text, is of
281 course appreciated, but it is not required.
283 <p>A list of the supported algorithms, their origins and licenses:
285 <dl>
287 by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and
288 Niels Möller, Sparc assembler by Niels Möller. Released under the
289 LGPL.
291 <br><dt><em>ARCFOUR</em><dd>The implementation of the ARCFOUR (also known as RC4) cipher is written
292 by Niels Möller. Released under the LGPL.
294 <br><dt><em>ARCTWO</em><dd>The implementation of the ARCTWO (also known as RC2) cipher is written
295 by Nikos Mavroyanopoulos and modified by Werner Koch and Simon
296 Josefsson. Released under the LGPL.
298 <br><dt><em>BLOWFISH</em><dd>The implementation of the BLOWFISH cipher is written by Werner Koch,
299 copyright owned by the Free Software Foundation. Also hacked by Simon
300 Josefsson and Niels Möller. Released under the LGPL.
302 <br><dt><em>CAMELLIA</em><dd>The C implementation is by Nippon Telegraph and Telephone Corporation
303 (NTT), heavily modified by Niels Möller. Assembler for x86 and x86_64
304 by Niels Möller. Released under the LGPL.
307 Released into the public domain.
310 released under the LGPL.
313 Aleksey Kravchenko and was ported from the rhash library by Nikos
314 Mavrogiannopoulos. It is released under the MIT license.
317 some by Andreas Sigfridsson and Niels Möller. Python Cryptography
318 Toolkit license (essentially public domain).
321 Marcus Comstedt. Released into the public domain.
324 It has been hacked some more by Andrew Kuchling and Niels Möller.
325 Released into the public domain.
327 <br><dt><em>PBKDF2</em><dd>The C implementation of PBKDF2 is based on earlier work for Shishi and
328 GnuTLS by Simon Josefsson. Released under the LGPL.
330 <br><dt><em>RIPEMD160</em><dd>The implementation of RIPEMD160 message digest is based on the code in
331 libgcrypt, copyright owned by the Free Software Foundation. Ported to
332 Nettle by Andres Mejia. Released under the LGPL.
334 <br><dt><em>SALSA20</em><dd>The C implementation of SALSA20 is based on D. J. Bernstein's reference
335 implementation (in the public domain), adapted to Nettle by Simon
336 Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and
337 ARM by Niels Möller. Released under the LGPL.
339 <br><dt><em>SERPENT</em><dd>The implementation of the SERPENT cipher is based on the code in libgcrypt,
340 copyright owned by the Free Software Foundation. Adapted to Nettle by
341 Simon Josefsson and heavily modified by Niels Möller. Assembly for
342 x86_64 by Niels Möller. Released under the LGPL.
345 Gutmann, and hacked some more by Andrew Kuchling and Niels Möller.
346 Released into the public domain. Assembler for x86, x86_64 and ARM by
347 Niels Möller, released under the LGPL.
350 Released under the LGPL.
354 <br><dt><em>TWOFISH</em><dd>The implementation of the TWOFISH cipher is written by Ruud de Rooij.
355 Released under the LGPL.
360 for bignum operations.
363 for bignum operations.
365 <br><dt><em>ECDSA</em><dd>Written by Niels Möller, released under the LGPL. Uses the GMP library
366 for bignum operations. Development of Nettle's ECC support was funded by
367 the .SE Internet Fund.
368 </dl>
372 <p><hr>
377 </div>
379 <!-- node-name, next, previous, up -->
382 <p>For each supported algorithm, there is an include file that defines a
384 operating on the context. The context struct encapsulates all information
385 needed by the algorithm, and it can be copied or moved in memory with no
386 unexpected effects.
388 <p>For consistency, functions for different algorithms are very similar,
389 but there are some differences, for instance reflecting if the key setup
390 or encryption function differ for encryption and decryption, and whether
391 or not key setup can fail. There are also differences between algorithms
392 that don't show in function prototypes, but which the application must
393 nevertheless be aware of. There is no big difference between the
394 functions for stream ciphers and for block ciphers, although they should
395 be used quite differently by the application.
397 <p>If your application uses more than one algorithm of the same type, you
398 should probably create an interface that is tailor-made for your needs,
399 and then write a few lines of glue code on top of Nettle.
404 function).
406 <p>In all functions, strings are represented with an explicit length, of
409 another, the argument order is length, destination pointer and source
410 pointer. Source and destination areas are of the same length. Source and
411 destination may be the same, so that you can process strings in place,
414 <p>Many of the functions lack return value and can never fail. Those
415 functions which can fail, return one on success and zero on failure.
417 <!-- FIXME: Say something about the name mangling. -->
420 <p><hr>
425 </div>
427 <!-- node-name, next, previous, up -->
430 <p>A simple example program that reads a file from standard input and
431 writes its SHA1 check-sum on standard output should give the flavor of
432 Nettle.
439 #define BUF_SIZE 1000
441 static void
442 display_hex(unsigned length, uint8_t *data)
443 {
444 unsigned i;
447 printf("%02x ", data[i]);
449 printf("\n");
450 }
452 int
453 main(int argc, char **argv)
454 {
455 struct sha1_ctx ctx;
456 uint8_t buffer[BUF_SIZE];
457 uint8_t digest[SHA1_DIGEST_SIZE];
459 sha1_init(&ctx);
460 for (;;)
461 {
462 int done = fread(buffer, 1, sizeof(buffer), stdin);
463 sha1_update(&ctx, done, buffer);
464 if (done < sizeof(buffer))
465 break;
466 }
467 if (ferror(stdin))
468 return EXIT_FAILURE;
470 sha1_digest(&ctx, SHA1_DIGEST_SIZE, digest);
472 display_hex(SHA1_DIGEST_SIZE, digest);
473 return EXIT_SUCCESS;
474 }
475 </pre></pre>
476 <p>On a typical Unix system, this program can be compiled and linked with
477 the command line
479 </pre>
482 <p><hr>
487 </div>
489 <!-- node-name, next, previous, up -->
492 <p>Nettle actually consists of two libraries, <samp><span class="file">libnettle</span></samp> and
493 <samp><span class="file">libhogweed</span></samp>. The <samp><span class="file">libhogweed</span></samp> library contains those
494 functions of Nettle that uses bignum operations, and depends on the GMP
495 library. With this division, linking works the same for both static and
496 dynamic libraries.
498 <p>If an application uses only the symmetric crypto algorithms of Nettle
499 (i.e., block ciphers, hash functions, and the like), it's sufficient to
501 algorithms, the recommended linker flags are <code>-lhogweed -lnettle
502 -lgmp</code>. If the involved libraries are installed as dynamic libraries, it
504 will resolve the dependencies automatically.
508 <p><hr>
513 </div>
515 <!-- node-name, next, previous, up -->
518 <p>This chapter describes all the Nettle functions, grouped by family.
531 </ul>
535 <p><hr>
540 </div>
542 <!-- node-name, next, previous, up -->
545 <p><a name="index-Hash-function-1"></a>A cryptographic <dfn>hash function</dfn> is a function that takes variable
546 size strings, and maps them to strings of fixed, short, length. There
547 are naturally lots of collisions, as there are more possible 1MB files
548 than 20 byte strings. But the function is constructed such that is hard
549 to find the collisions. More precisely, a cryptographic hash function
552 <dl>
553 <dt><em>One-way</em><dd><a name="index-One_002dway-2"></a>Given a hash value <code>H(x)</code> it is hard to find a string <code>x</code>
554 that hashes to that value.
556 <br><dt><em>Collision-resistant</em><dd><a name="index-Collision_002dresistant-3"></a>It is hard to find two different strings, <code>x</code> and <code>y</code>, such
559 </dl>
561 <p>Hash functions are useful as building blocks for digital signatures,
562 message authentication codes, pseudo random generators, association of
563 unique ids to documents, and many other things.
565 <p>The most commonly used hash functions are MD5 and SHA1. Unfortunately,
566 both these fail the collision-resistance requirement; cryptologists have
567 found ways to construct colliding inputs. The recommended hash functions
568 for new applications are SHA2 (with main variants SHA256 and SHA512). At
569 the time of this writing (December 2012), the winner of the NIST SHA3
570 competition has recently been announced, and the new SHA3 (earlier known
571 as Keccak) and other top SHA3 candidates may also be reasonable
572 alternatives.
578 </ul>
582 <p><hr>
586 </div>
588 <!-- node-name, next, previous, up -->
591 <p>The following hash functions have no known weaknesses, and are suitable
592 for new applications. The SHA2 family of hash functions were specified
598 bits, or 32 octets. Nettle defines SHA256 in <samp><span class="file"><nettle/sha2.h></span></samp>.
601 — Context struct: <b>struct sha256_ctx</b><var><a name="index-struct-sha256_005fctx-4"></a></var><br>
602 </div>
605 — Constant: <b>SHA256_DIGEST_SIZE</b><var><a name="index-SHA256_005fDIGEST_005fSIZE-5"></a></var><br>
607 </p></blockquote></div>
610 — Constant: <b>SHA256_DATA_SIZE</b><var><a name="index-SHA256_005fDATA_005fSIZE-6"></a></var><br>
611 <blockquote><p>The internal block size of SHA256. Useful for some special constructions,
612 in particular HMAC-SHA256.
613 </p></blockquote></div>
616 — Function: void <b>sha256_init</b> (<var>struct sha256_ctx *ctx</var>)<var><a name="index-sha256_005finit-7"></a></var><br>
617 <blockquote><p>Initialize the SHA256 state.
618 </p></blockquote></div>
621 — Function: void <b>sha256_update</b> (<var>struct sha256_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha256_005fupdate-8"></a></var><br>
622 <blockquote><p>Hash some more data.
623 </p></blockquote></div>
626 — Function: void <b>sha256_digest</b> (<var>struct sha256_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha256_005fdigest-9"></a></var><br>
627 <blockquote><p>Performs final processing and extracts the message digest, writing it
630 octets of the digest are written.
632 <p>This function also resets the context in the same way as
634 </p></blockquote></div>
636 <p>Earlier versions of nettle defined SHA256 in the header file
637 <samp><span class="file"><nettle/sha.h></span></samp>, which is now deprecated, but kept for
638 compatibility.
642 <p>SHA224 is a variant of SHA256, with a different initial state, and with
644 <samp><span class="file"><nettle/sha2.h></span></samp> (and in <samp><span class="file"><nettle/sha.h></span></samp>, for backwards
645 compatibility).
648 — Context struct: <b>struct sha224_ctx</b><var><a name="index-struct-sha224_005fctx-10"></a></var><br>
649 </div>
652 — Constant: <b>SHA224_DIGEST_SIZE</b><var><a name="index-SHA224_005fDIGEST_005fSIZE-11"></a></var><br>
654 </p></blockquote></div>
657 — Constant: <b>SHA224_DATA_SIZE</b><var><a name="index-SHA224_005fDATA_005fSIZE-12"></a></var><br>
658 <blockquote><p>The internal block size of SHA224. Useful for some special constructions,
659 in particular HMAC-SHA224.
660 </p></blockquote></div>
663 — Function: void <b>sha224_init</b> (<var>struct sha224_ctx *ctx</var>)<var><a name="index-sha224_005finit-13"></a></var><br>
664 <blockquote><p>Initialize the SHA224 state.
665 </p></blockquote></div>
668 — Function: void <b>sha224_update</b> (<var>struct sha224_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha224_005fupdate-14"></a></var><br>
669 <blockquote><p>Hash some more data.
670 </p></blockquote></div>
673 — Function: void <b>sha224_digest</b> (<var>struct sha224_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha224_005fdigest-15"></a></var><br>
674 <blockquote><p>Performs final processing and extracts the message digest, writing it
677 octets of the digest are written.
679 <p>This function also resets the context in the same way as
681 </p></blockquote></div>
685 <p>SHA512 is a larger sibling to SHA256, with a very similar structure but
686 with both the output and the internal variables of twice the size. The
689 octets. Nettle defines SHA512 in <samp><span class="file"><nettle/sha2.h></span></samp> (and in
693 — Context struct: <b>struct sha512_ctx</b><var><a name="index-struct-sha512_005fctx-16"></a></var><br>
694 </div>
697 — Constant: <b>SHA512_DIGEST_SIZE</b><var><a name="index-SHA512_005fDIGEST_005fSIZE-17"></a></var><br>
699 </p></blockquote></div>
702 — Constant: <b>SHA512_DATA_SIZE</b><var><a name="index-SHA512_005fDATA_005fSIZE-18"></a></var><br>
703 <blockquote><p>The internal block size of SHA512. Useful for some special constructions,
704 in particular HMAC-SHA512.
705 </p></blockquote></div>
708 — Function: void <b>sha512_init</b> (<var>struct sha512_ctx *ctx</var>)<var><a name="index-sha512_005finit-19"></a></var><br>
709 <blockquote><p>Initialize the SHA512 state.
710 </p></blockquote></div>
713 — Function: void <b>sha512_update</b> (<var>struct sha512_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha512_005fupdate-20"></a></var><br>
714 <blockquote><p>Hash some more data.
715 </p></blockquote></div>
718 — Function: void <b>sha512_digest</b> (<var>struct sha512_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha512_005fdigest-21"></a></var><br>
719 <blockquote><p>Performs final processing and extracts the message digest, writing it
722 octets of the digest are written.
724 <p>This function also resets the context in the same way as
726 </p></blockquote></div>
730 <p>SHA384 is a variant of SHA512, with a different initial state, and with
732 <samp><span class="file"><nettle/sha2.h></span></samp> (and in <samp><span class="file"><nettle/sha.h></span></samp>, for backwards
733 compatibility).
736 — Context struct: <b>struct sha384_ctx</b><var><a name="index-struct-sha384_005fctx-22"></a></var><br>
737 </div>
740 — Constant: <b>SHA384_DIGEST_SIZE</b><var><a name="index-SHA384_005fDIGEST_005fSIZE-23"></a></var><br>
742 </p></blockquote></div>
745 — Constant: <b>SHA384_DATA_SIZE</b><var><a name="index-SHA384_005fDATA_005fSIZE-24"></a></var><br>
746 <blockquote><p>The internal block size of SHA384. Useful for some special constructions,
747 in particular HMAC-SHA384.
748 </p></blockquote></div>
751 — Function: void <b>sha384_init</b> (<var>struct sha384_ctx *ctx</var>)<var><a name="index-sha384_005finit-25"></a></var><br>
752 <blockquote><p>Initialize the SHA384 state.
753 </p></blockquote></div>
756 — Function: void <b>sha384_update</b> (<var>struct sha384_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha384_005fupdate-26"></a></var><br>
757 <blockquote><p>Hash some more data.
758 </p></blockquote></div>
761 — Function: void <b>sha384_digest</b> (<var>struct sha384_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha384_005fdigest-27"></a></var><br>
762 <blockquote><p>Performs final processing and extracts the message digest, writing it
765 octets of the digest are written.
767 <p>This function also resets the context in the same way as
769 </p></blockquote></div>
773 <p>The SHA3 hash functions were specified by NIST in response to weaknesses
774 in SHA1, and doubts about SHA2 hash functions which structurally are
775 very similar to SHA1. The standard is a result of a competition, where
776 the winner, also known as Keccak, was designed by Guido Bertoni, Joan
777 Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very
778 different from all widely used earlier hash functions. Like SHA2, there
785 — Context struct: <b>struct sha3_224_ctx</b><var><a name="index-struct-sha3_005f224_005fctx-28"></a></var><br>
786 </div>
789 — Constant: <b>SHA3_224_DIGEST_SIZE</b><var><a name="index-SHA3_005f224_005fDIGEST_005fSIZE-29"></a></var><br>
791 </p></blockquote></div>
794 — Constant: <b>SHA3_224_DATA_SIZE</b><var><a name="index-SHA3_005f224_005fDATA_005fSIZE-30"></a></var><br>
795 <blockquote><p>The internal block size of SHA3_224.
796 </p></blockquote></div>
799 — Function: void <b>sha3_224_init</b> (<var>struct sha3_224_ctx *ctx</var>)<var><a name="index-sha3_005f224_005finit-31"></a></var><br>
801 </p></blockquote></div>
804 — Function: void <b>sha3_224_update</b> (<var>struct sha3_224_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha3_005f224_005fupdate-32"></a></var><br>
805 <blockquote><p>Hash some more data.
806 </p></blockquote></div>
809 — Function: void <b>sha3_224_digest</b> (<var>struct sha3_224_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha3_005f224_005fdigest-33"></a></var><br>
810 <blockquote><p>Performs final processing and extracts the message digest, writing it
813 octets of the digest are written.
815 <p>This function also resets the context.
816 </p></blockquote></div>
821 of the SHA3 hash functions.
826 — Context struct: <b>struct sha3_256_ctx</b><var><a name="index-struct-sha3_005f256_005fctx-34"></a></var><br>
827 </div>
830 — Constant: <b>SHA3_256_DIGEST_SIZE</b><var><a name="index-SHA3_005f256_005fDIGEST_005fSIZE-35"></a></var><br>
832 </p></blockquote></div>
835 — Constant: <b>SHA3_256_DATA_SIZE</b><var><a name="index-SHA3_005f256_005fDATA_005fSIZE-36"></a></var><br>
836 <blockquote><p>The internal block size of SHA3_256.
837 </p></blockquote></div>
840 — Function: void <b>sha3_256_init</b> (<var>struct sha3_256_ctx *ctx</var>)<var><a name="index-sha3_005f256_005finit-37"></a></var><br>
842 </p></blockquote></div>
845 — Function: void <b>sha3_256_update</b> (<var>struct sha3_256_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha3_005f256_005fupdate-38"></a></var><br>
846 <blockquote><p>Hash some more data.
847 </p></blockquote></div>
850 — Function: void <b>sha3_256_digest</b> (<var>struct sha3_256_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha3_005f256_005fdigest-39"></a></var><br>
851 <blockquote><p>Performs final processing and extracts the message digest, writing it
854 octets of the digest are written.
856 <p>This function also resets the context.
857 </p></blockquote></div>
866 — Context struct: <b>struct sha3_384_ctx</b><var><a name="index-struct-sha3_005f384_005fctx-40"></a></var><br>
867 </div>
870 — Constant: <b>SHA3_384_DIGEST_SIZE</b><var><a name="index-SHA3_005f384_005fDIGEST_005fSIZE-41"></a></var><br>
872 </p></blockquote></div>
875 — Constant: <b>SHA3_384_DATA_SIZE</b><var><a name="index-SHA3_005f384_005fDATA_005fSIZE-42"></a></var><br>
876 <blockquote><p>The internal block size of SHA3_384.
877 </p></blockquote></div>
880 — Function: void <b>sha3_384_init</b> (<var>struct sha3_384_ctx *ctx</var>)<var><a name="index-sha3_005f384_005finit-43"></a></var><br>
882 </p></blockquote></div>
885 — Function: void <b>sha3_384_update</b> (<var>struct sha3_384_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha3_005f384_005fupdate-44"></a></var><br>
886 <blockquote><p>Hash some more data.
887 </p></blockquote></div>
890 — Function: void <b>sha3_384_digest</b> (<var>struct sha3_384_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha3_005f384_005fdigest-45"></a></var><br>
891 <blockquote><p>Performs final processing and extracts the message digest, writing it
894 octets of the digest are written.
896 <p>This function also resets the context.
897 </p></blockquote></div>
906 — Context struct: <b>struct sha3_512_ctx</b><var><a name="index-struct-sha3_005f512_005fctx-46"></a></var><br>
907 </div>
910 — Constant: <b>SHA3_512_DIGEST_SIZE</b><var><a name="index-SHA3_005f512_005fDIGEST_005fSIZE-47"></a></var><br>
912 </p></blockquote></div>
915 — Constant: <b>SHA3_512_DATA_SIZE</b><var><a name="index-SHA3_005f512_005fDATA_005fSIZE-48"></a></var><br>
916 <blockquote><p>The internal block size of SHA3_512.
917 </p></blockquote></div>
920 — Function: void <b>sha3_512_init</b> (<var>struct sha3_512_ctx *ctx</var>)<var><a name="index-sha3_005f512_005finit-49"></a></var><br>
922 </p></blockquote></div>
925 — Function: void <b>sha3_512_update</b> (<var>struct sha3_512_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha3_005f512_005fupdate-50"></a></var><br>
926 <blockquote><p>Hash some more data.
927 </p></blockquote></div>
930 — Function: void <b>sha3_512_digest</b> (<var>struct sha3_512_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha3_005f512_005fdigest-51"></a></var><br>
931 <blockquote><p>Performs final processing and extracts the message digest, writing it
934 octets of the digest are written.
936 <p>This function also resets the context.
937 </p></blockquote></div>
941 <p><hr>
942 Next: <a rel="next" accesskey="n" href="#nettle_005fhash-abstraction">nettle_hash abstraction</a>,
943 Previous: <a rel="previous" accesskey="p" href="#Recommended-hash-functions">Recommended hash functions</a>,
946 </div>
948 <!-- node-name, next, previous, up -->
951 <p>The hash functions in this section all have some known weaknesses, and
952 should be avoided for new applications. These hash functions are mainly
953 useful for compatibility with old applications and protocols. Some are
954 still considered safe as building blocks for particular constructions,
955 e.g., there seems to be no known attacks against HMAC-SHA1 or even
957 does not in itself make the application insecure; if a known weakness is
958 relevant depends on how the hash function is used, and on the threat
959 model.
963 <p>MD5 is a message digest function constructed by Ronald Rivest, and
968 — Context struct: <b>struct md5_ctx</b><var><a name="index-struct-md5_005fctx-52"></a></var><br>
969 </div>
972 — Constant: <b>MD5_DIGEST_SIZE</b><var><a name="index-MD5_005fDIGEST_005fSIZE-53"></a></var><br>
974 </p></blockquote></div>
977 — Constant: <b>MD5_DATA_SIZE</b><var><a name="index-MD5_005fDATA_005fSIZE-54"></a></var><br>
978 <blockquote><p>The internal block size of MD5. Useful for some special constructions,
979 in particular HMAC-MD5.
980 </p></blockquote></div>
983 — Function: void <b>md5_init</b> (<var>struct md5_ctx *ctx</var>)<var><a name="index-md5_005finit-55"></a></var><br>
984 <blockquote><p>Initialize the MD5 state.
985 </p></blockquote></div>
988 — Function: void <b>md5_update</b> (<var>struct md5_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-md5_005fupdate-56"></a></var><br>
989 <blockquote><p>Hash some more data.
990 </p></blockquote></div>
993 — Function: void <b>md5_digest</b> (<var>struct md5_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-md5_005fdigest-57"></a></var><br>
994 <blockquote><p>Performs final processing and extracts the message digest, writing it
997 octets of the digest are written.
999 <p>This function also resets the context in the same way as
1001 </p></blockquote></div>
1003 <p>The normal way to use MD5 is to call the functions in order: First
1007 hash new data.
1013 <p>MD2 is another hash function of Ronald Rivest's, described in
1018 — Context struct: <b>struct md2_ctx</b><var><a name="index-struct-md2_005fctx-58"></a></var><br>
1019 </div>
1022 — Constant: <b>MD2_DIGEST_SIZE</b><var><a name="index-MD2_005fDIGEST_005fSIZE-59"></a></var><br>
1024 </p></blockquote></div>
1027 — Constant: <b>MD2_DATA_SIZE</b><var><a name="index-MD2_005fDATA_005fSIZE-60"></a></var><br>
1028 <blockquote><p>The internal block size of MD2.
1029 </p></blockquote></div>
1032 — Function: void <b>md2_init</b> (<var>struct md2_ctx *ctx</var>)<var><a name="index-md2_005finit-61"></a></var><br>
1033 <blockquote><p>Initialize the MD2 state.
1034 </p></blockquote></div>
1037 — Function: void <b>md2_update</b> (<var>struct md2_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-md2_005fupdate-62"></a></var><br>
1038 <blockquote><p>Hash some more data.
1039 </p></blockquote></div>
1042 — Function: void <b>md2_digest</b> (<var>struct md2_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-md2_005fdigest-63"></a></var><br>
1043 <blockquote><p>Performs final processing and extracts the message digest, writing it
1046 octets of the digest are written.
1048 <p>This function also resets the context in the same way as
1050 </p></blockquote></div>
1055 is constructed by Ronald Rivest. It outputs message digests of 128 bits,
1056 or 16 octets. Nettle defines MD4 in <samp><span class="file"><nettle/md4.h></span></samp>. Use of MD4 is
1057 not recommended, but it is sometimes needed for compatibility with
1058 existing applications and protocols.
1061 — Context struct: <b>struct md4_ctx</b><var><a name="index-struct-md4_005fctx-64"></a></var><br>
1062 </div>
1065 — Constant: <b>MD4_DIGEST_SIZE</b><var><a name="index-MD4_005fDIGEST_005fSIZE-65"></a></var><br>
1067 </p></blockquote></div>
1070 — Constant: <b>MD4_DATA_SIZE</b><var><a name="index-MD4_005fDATA_005fSIZE-66"></a></var><br>
1071 <blockquote><p>The internal block size of MD4.
1072 </p></blockquote></div>
1075 — Function: void <b>md4_init</b> (<var>struct md4_ctx *ctx</var>)<var><a name="index-md4_005finit-67"></a></var><br>
1076 <blockquote><p>Initialize the MD4 state.
1077 </p></blockquote></div>
1080 — Function: void <b>md4_update</b> (<var>struct md4_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-md4_005fupdate-68"></a></var><br>
1081 <blockquote><p>Hash some more data.
1082 </p></blockquote></div>
1085 — Function: void <b>md4_digest</b> (<var>struct md4_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-md4_005fdigest-69"></a></var><br>
1086 <blockquote><p>Performs final processing and extracts the message digest, writing it
1089 octets of the digest are written.
1091 <p>This function also resets the context in the same way as
1093 </p></blockquote></div>
1097 <p>RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon
1098 Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD
1099 (which, like MD4 and MD5, fails the collision-resistance requirement).
1104 — Context struct: <b>struct ripemd160_ctx</b><var><a name="index-struct-ripemd160_005fctx-70"></a></var><br>
1105 </div>
1108 — Constant: <b>RIPEMD160_DIGEST_SIZE</b><var><a name="index-RIPEMD160_005fDIGEST_005fSIZE-71"></a></var><br>
1110 </p></blockquote></div>
1113 — Constant: <b>RIPEMD160_DATA_SIZE</b><var><a name="index-RIPEMD160_005fDATA_005fSIZE-72"></a></var><br>
1114 <blockquote><p>The internal block size of RIPEMD160.
1115 </p></blockquote></div>
1118 — Function: void <b>ripemd160_init</b> (<var>struct ripemd160_ctx *ctx</var>)<var><a name="index-ripemd160_005finit-73"></a></var><br>
1119 <blockquote><p>Initialize the RIPEMD160 state.
1120 </p></blockquote></div>
1123 — Function: void <b>ripemd160_update</b> (<var>struct ripemd160_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-ripemd160_005fupdate-74"></a></var><br>
1124 <blockquote><p>Hash some more data.
1125 </p></blockquote></div>
1128 — Function: void <b>ripemd160_digest</b> (<var>struct ripemd160_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-ripemd160_005fdigest-75"></a></var><br>
1129 <blockquote><p>Performs final processing and extracts the message digest, writing it
1132 octets of the digest are written.
1134 <p>This function also resets the context in the same way as
1136 </p></blockquote></div>
1141 Institute for Standards and Technology). It outputs hash values of 160
1142 bits, or 20 octets. Nettle defines SHA1 in <samp><span class="file"><nettle/sha1.h></span></samp> (and
1146 — Context struct: <b>struct sha1_ctx</b><var><a name="index-struct-sha1_005fctx-76"></a></var><br>
1147 </div>
1150 — Constant: <b>SHA1_DIGEST_SIZE</b><var><a name="index-SHA1_005fDIGEST_005fSIZE-77"></a></var><br>
1152 </p></blockquote></div>
1155 — Constant: <b>SHA1_DATA_SIZE</b><var><a name="index-SHA1_005fDATA_005fSIZE-78"></a></var><br>
1156 <blockquote><p>The internal block size of SHA1. Useful for some special constructions,
1157 in particular HMAC-SHA1.
1158 </p></blockquote></div>
1161 — Function: void <b>sha1_init</b> (<var>struct sha1_ctx *ctx</var>)<var><a name="index-sha1_005finit-79"></a></var><br>
1162 <blockquote><p>Initialize the SHA1 state.
1163 </p></blockquote></div>
1166 — Function: void <b>sha1_update</b> (<var>struct sha1_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-sha1_005fupdate-80"></a></var><br>
1167 <blockquote><p>Hash some more data.
1168 </p></blockquote></div>
1171 — Function: void <b>sha1_digest</b> (<var>struct sha1_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-sha1_005fdigest-81"></a></var><br>
1172 <blockquote><p>Performs final processing and extracts the message digest, writing it
1175 octets of the digest are written.
1177 <p>This function also resets the context in the same way as
1179 </p></blockquote></div>
1186 Nettle defines GOSTHASH94 in <samp><span class="file"><nettle/gosthash94.h></span></samp>.
1189 — Context struct: <b>struct gosthash94_ctx</b><var><a name="index-struct-gosthash94_005fctx-82"></a></var><br>
1190 </div>
1193 — Constant: <b>GOSTHASH94_DIGEST_SIZE</b><var><a name="index-GOSTHASH94_005fDIGEST_005fSIZE-83"></a></var><br>
1195 </p></blockquote></div>
1198 — Constant: <b>GOSTHASH94_DATA_SIZE</b><var><a name="index-GOSTHASH94_005fDATA_005fSIZE-84"></a></var><br>
1200 </p></blockquote></div>
1203 — Function: void <b>gosthash94_init</b> (<var>struct gosthash94_ctx *ctx</var>)<var><a name="index-gosthash94_005finit-85"></a></var><br>
1204 <blockquote><p>Initialize the GOSTHASH94 state.
1205 </p></blockquote></div>
1208 — Function: void <b>gosthash94_update</b> (<var>struct gosthash94_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-gosthash94_005fupdate-86"></a></var><br>
1209 <blockquote><p>Hash some more data.
1210 </p></blockquote></div>
1213 — Function: void <b>gosthash94_digest</b> (<var>struct gosthash94_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-gosthash94_005fdigest-87"></a></var><br>
1214 <blockquote><p>Performs final processing and extracts the message digest, writing it
1217 octets of the digest are written.
1219 <p>This function also resets the context in the same way as
1221 </p></blockquote></div>
1226 <p><hr>
1227 Previous: <a rel="previous" accesskey="p" href="#Legacy-hash-functions">Legacy hash functions</a>,
1230 </div>
1232 <!-- node-name, next, previous, up -->
1235 <p>Nettle includes a struct including information about the supported hash
1236 functions. It is defined in <samp><span class="file"><nettle/nettle-meta.h></span></samp>, and is used
1237 by Nettle's implementation of <acronym>HMAC</acronym> (see <a href="#Keyed-hash-functions">Keyed hash functions</a>).
1240 — Meta struct: <code>struct nettle_hash</code><var> name context_size digest_size block_size init update digest<a name="index-g_t_0040code_007bstruct-nettle_005fhash_007d-88"></a></var><br>
1241 <blockquote><p>The last three attributes are function pointers, of types
1246 </p></blockquote></div>
1249 — Constant Struct: struct nettle_hash <b>nettle_md2</b><var><a name="index-nettle_005fmd2-89"></a></var><br>
1250 — Constant Struct: struct nettle_hash <b>nettle_md4</b><var><a name="index-nettle_005fmd4-90"></a></var><br>
1251 — Constant Struct: struct nettle_hash <b>nettle_md5</b><var><a name="index-nettle_005fmd5-91"></a></var><br>
1252 — Constant Struct: struct nettle_hash <b>nettle_ripemd160</b><var><a name="index-nettle_005fripemd160-92"></a></var><br>
1253 — Constant Struct: struct nettle_hash <b>nettle_sha1</b><var><a name="index-nettle_005fsha1-93"></a></var><br>
1254 — Constant Struct: struct nettle_hash <b>nettle_sha224</b><var><a name="index-nettle_005fsha224-94"></a></var><br>
1255 — Constant Struct: struct nettle_hash <b>nettle_sha256</b><var><a name="index-nettle_005fsha256-95"></a></var><br>
1256 — Constant Struct: struct nettle_hash <b>nettle_sha384</b><var><a name="index-nettle_005fsha384-96"></a></var><br>
1257 — Constant Struct: struct nettle_hash <b>nettle_sha512</b><var><a name="index-nettle_005fsha512-97"></a></var><br>
1258 — Constant Struct: struct nettle_hash <b>nettle_sha3_256</b><var><a name="index-nettle_005fsha3_005f256-98"></a></var><br>
1259 — Constant Struct: struct nettle_hash <b>nettle_gosthash94</b><var><a name="index-nettle_005fgosthash94-99"></a></var><br>
1260 <blockquote><p>These are all the hash functions that Nettle implements.
1261 </p></blockquote></div>
1263 <p>Nettle also exports a list of all these hashes.
1266 — Constant Array: struct nettle_hash ** <b>nettle_hashes</b><var><a name="index-nettle_005fhashes-100"></a></var><br>
1267 <blockquote><p>This list can be used to dynamically enumerate or search the supported
1268 algorithms. NULL-terminated.
1269 </p></blockquote></div>
1273 <p><hr>
1278 </div>
1280 <!-- node-name, next, previous, up -->
1286 only the ciphertext, but not the key, it should be hard to find the
1287 plaintext. Given matching pairs of plaintext and ciphertext, it should
1288 be hard to find the key.
1291 There are two main classes of ciphers: Block ciphers and stream ciphers.
1293 <p>A block cipher can process data only in fixed size chunks, called
1295 arbitrary messages, you usually have to pad it to an integral number of
1296 blocks, split it into blocks, and then process each block. The simplest
1297 way is to process one block at a time, independent of each other. That
1300 that are equal are transformed to ciphertext blocks that are equal; that
1301 leaks information about the plaintext. Usually you should apply the
1307 <p>A stream cipher can be used for messages of arbitrary length. A typical
1308 stream cipher is a keyed pseudo-random generator. To encrypt a plaintext
1310 octets of pseudo-random data, and XOR it with the plaintext. To decrypt,
1311 regenerate the same stream using the key, XOR it to the ciphertext, and
1312 the plaintext is recovered.
1317 <p>A common misconception is that encryption, by itself, implies
1318 authentication. Say that you and a friend share a secret key, and you
1319 receive an encrypted message. You apply the key, and get a plaintext
1320 message that makes sense to you. Can you then be sure that it really was
1321 your friend that wrote the message you're reading? The answer is no. For
1322 example, if you were using a block cipher in ECB mode, an attacker may
1323 pick up the message on its way, and reorder, delete or repeat some of
1324 the blocks. Even if the attacker can't decrypt the message, he can
1325 change it so that you are not reading the same message as your friend
1327 ECB, or are using a stream cipher, the possibilities for this sort of
1328 attack are different, but the attacker can still make predictable
1329 changes to the message.
1332 addition to encrypting the messages. Popular choices are Message
1333 Authentication Codes like <acronym>HMAC-SHA1</acronym> (see <a href="#Keyed-hash-functions">Keyed hash functions</a>), or digital signatures like <acronym>RSA</acronym>.
1336 undesirable structure after the key setup processing, and should be
1337 avoided. In Nettle, most key setup functions have no return value, but
1338 for ciphers with weak keys, the return value indicates whether or not
1339 the given key is weak. For good keys, key setup returns 1, and for weak
1340 keys, it returns 0. When possible, avoid algorithms that
1341 have weak keys. There are several good ciphers that don't have any weak
1342 keys.
1344 <p>To encrypt a message, you first initialize a cipher context for
1345 encryption or decryption with a particular key. You then use the context
1346 to process plaintext or ciphertext messages. The initialization is known
1348 context struct for only one direction, even if some of the ciphers use a
1349 single key setup function that can be used for both encryption and
1350 decryption.
1354 <p>AES is a block cipher, specified by NIST as a replacement for
1355 the older DES standard. The standard is the result of a competition
1356 between cipher designers. The winning design, also known as RIJNDAEL,
1357 was constructed by Joan Daemen and Vincent Rijnmen.
1361 and 32 octets) being the allowed key sizes. It does not have any weak
1365 — Context struct: <b>struct aes_ctx</b><var><a name="index-struct-aes_005fctx-104"></a></var><br>
1366 </div>
1369 — Constant: <b>AES_BLOCK_SIZE</b><var><a name="index-AES_005fBLOCK_005fSIZE-105"></a></var><br>
1371 </p></blockquote></div>
1374 — Constant: <b>AES_MIN_KEY_SIZE</b><var><a name="index-AES_005fMIN_005fKEY_005fSIZE-106"></a></var><br>
1375 </div>
1378 — Constant: <b>AES_MAX_KEY_SIZE</b><var><a name="index-AES_005fMAX_005fKEY_005fSIZE-107"></a></var><br>
1379 </div>
1382 — Constant: <b>AES_KEY_SIZE</b><var><a name="index-AES_005fKEY_005fSIZE-108"></a></var><br>
1384 </p></blockquote></div>
1387 — Function: void <b>aes_set_encrypt_key</b> (<var>struct aes_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-aes_005fset_005fencrypt_005fkey-109"></a></var><br>
1388 — Function: void <b>aes_set_decrypt_key</b> (<var>struct aes_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-aes_005fset_005fdecrypt_005fkey-110"></a></var><br>
1389 <blockquote><p>Initialize the cipher, for encryption or decryption, respectively.
1390 </p></blockquote></div>
1393 — Function: void <b>aes_invert_key</b> (<var>struct aes_ctx *dst, const struct aes_ctx *src</var>)<var><a name="index-aes_005finvert_005fkey-111"></a></var><br>
1400 is mainly useful for applications which needs to both encrypt and
1402 </p></blockquote></div>
1405 — Function: void <b>aes_encrypt</b> (<var>struct aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-aes_005fencrypt-112"></a></var><br>
1407 block size. If it is more than one block, the data is processed in ECB
1409 in any other way.
1410 </p></blockquote></div>
1413 — Function: void <b>aes_decrypt</b> (<var>struct aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-aes_005fdecrypt-113"></a></var><br>
1415 </p></blockquote></div>
1419 <p>ARCFOUR is a stream cipher, also known under the trade marked name RC4,
1420 and it is one of the fastest ciphers around. A problem is that the key
1421 setup of ARCFOUR is quite weak, you should never use keys with
1422 structure, keys that are ordinary passwords, or sequences of keys like
1423 “secret:1”, “secret:2”, <small class="enddots">...</small>. If you have keys that don't look
1424 like random bit strings, and you want to use ARCFOUR, always hash the
1425 key before feeding it to ARCFOUR. Furthermore, the initial bytes of the
1426 generated key stream leak information about the key; for this reason, it
1427 is recommended to discard the first 512 bytes of the key stream.
1430 void
1431 arcfour_set_key_hashed(struct arcfour_ctx *ctx,
1432 unsigned length, const uint8_t *key)
1433 {
1434 struct sha256_ctx hash;
1435 uint8_t digest[SHA256_DIGEST_SIZE];
1436 uint8_t buffer[0x200];
1438 sha256_init(&hash);
1439 sha256_update(&hash, length, key);
1440 sha256_digest(&hash, SHA256_DIGEST_SIZE, digest);
1442 arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest);
1443 arcfour_crypt(ctx, sizeof(buffer), buffer, buffer);
1444 }
1445 </pre>
1449 — Context struct: <b>struct arcfour_ctx</b><var><a name="index-struct-arcfour_005fctx-114"></a></var><br>
1450 </div>
1453 — Constant: <b>ARCFOUR_MIN_KEY_SIZE</b><var><a name="index-ARCFOUR_005fMIN_005fKEY_005fSIZE-115"></a></var><br>
1455 </p></blockquote></div>
1458 — Constant: <b>ARCFOUR_MAX_KEY_SIZE</b><var><a name="index-ARCFOUR_005fMAX_005fKEY_005fSIZE-116"></a></var><br>
1460 </p></blockquote></div>
1463 — Constant: <b>ARCFOUR_KEY_SIZE</b><var><a name="index-ARCFOUR_005fKEY_005fSIZE-117"></a></var><br>
1465 </p></blockquote></div>
1468 — Function: void <b>arcfour_set_key</b> (<var>struct arcfour_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-arcfour_005fset_005fkey-118"></a></var><br>
1469 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1470 decryption.
1471 </p></blockquote></div>
1474 — Function: void <b>arcfour_crypt</b> (<var>struct arcfour_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-arcfour_005fcrypt-119"></a></var><br>
1475 <blockquote><p>Encrypt some data. The same function is used for both encryption and
1476 decryption. Unlike the block ciphers, this function modifies the
1477 context, so you can split the data into arbitrary chunks and encrypt
1478 them one after another. The result is the same as if you had called
1480 </p></blockquote></div>
1484 <p>ARCTWO (also known as the trade marked name RC2) is a block cipher
1485 specified in RFC 2268. Nettle also include a variation of the ARCTWO
1486 set key operation that lack one step, to be compatible with the
1487 reverse engineered RC2 cipher description, as described in a Usenet
1493 This parameter can be used to artificially reduce the key size. In
1497 <p>We do not recommend the use of ARCTWO; the Nettle implementation is
1498 provided primarily for interoperability with existing applications and
1499 standards.
1502 — Context struct: <b>struct arctwo_ctx</b><var><a name="index-struct-arctwo_005fctx-120"></a></var><br>
1503 </div>
1506 — Constant: <b>ARCTWO_BLOCK_SIZE</b><var><a name="index-ARCTWO_005fBLOCK_005fSIZE-121"></a></var><br>
1508 </p></blockquote></div>
1511 — Constant: <b>ARCTWO_MIN_KEY_SIZE</b><var><a name="index-ARCTWO_005fMIN_005fKEY_005fSIZE-122"></a></var><br>
1512 </div>
1515 — Constant: <b>ARCTWO_MAX_KEY_SIZE</b><var><a name="index-ARCTWO_005fMAX_005fKEY_005fSIZE-123"></a></var><br>
1516 </div>
1519 — Constant: <b>ARCTWO_KEY_SIZE</b><var><a name="index-ARCTWO_005fKEY_005fSIZE-124"></a></var><br>
1521 </p></blockquote></div>
1524 — Function: void <b>arctwo_set_key_ekb</b> (<var>struct arctwo_ctx *ctx, unsigned length, const uint8_t *key, unsigned ekb</var>)<var><a name="index-arctwo_005fset_005fkey_005fekb-125"></a></var><br>
1525 — Function: void <b>arctwo_set_key</b> (<var>struct arctwo_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-arctwo_005fset_005fkey-126"></a></var><br>
1526 — Function: void <b>arctwo_set_key_gutmann</b> (<var>struct arctwo_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-arctwo_005fset_005fkey_005fgutmann-127"></a></var><br>
1527 <blockquote><p>Initialize the cipher. The same function is used for both encryption
1528 and decryption. The first function is the most general one, which lets
1529 you provide both the variable size key, and the desired effective key
1537 </p></blockquote></div>
1540 — Function: void <b>arctwo_encrypt</b> (<var>struct arctwo_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-arctwo_005fencrypt-128"></a></var><br>
1542 block size. If it is more than one block, the data is processed in ECB
1544 overlap in any other way.
1545 </p></blockquote></div>
1548 — Function: void <b>arctwo_decrypt</b> (<var>struct arctwo_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-arctwo_005fdecrypt-129"></a></var><br>
1550 </p></blockquote></div>
1554 <p>BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block
1556 has some weak keys. Nettle defines BLOWFISH in <samp><span class="file"><nettle/blowfish.h></span></samp>.
1559 — Context struct: <b>struct blowfish_ctx</b><var><a name="index-struct-blowfish_005fctx-130"></a></var><br>
1560 </div>
1563 — Constant: <b>BLOWFISH_BLOCK_SIZE</b><var><a name="index-BLOWFISH_005fBLOCK_005fSIZE-131"></a></var><br>
1565 </p></blockquote></div>
1568 — Constant: <b>BLOWFISH_MIN_KEY_SIZE</b><var><a name="index-BLOWFISH_005fMIN_005fKEY_005fSIZE-132"></a></var><br>
1570 </p></blockquote></div>
1573 — Constant: <b>BLOWFISH_MAX_KEY_SIZE</b><var><a name="index-BLOWFISH_005fMAX_005fKEY_005fSIZE-133"></a></var><br>
1575 </p></blockquote></div>
1578 — Constant: <b>BLOWFISH_KEY_SIZE</b><var><a name="index-BLOWFISH_005fKEY_005fSIZE-134"></a></var><br>
1580 </p></blockquote></div>
1583 — Function: int <b>blowfish_set_key</b> (<var>struct blowfish_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-blowfish_005fset_005fkey-135"></a></var><br>
1584 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1585 decryption. Checks for weak keys, returning 1
1586 for good keys and 0 for weak keys. Applications that don't care about
1587 weak keys can ignore the return value.
1590 crash with an assert violation.
1591 </p></blockquote></div>
1594 — Function: void <b>blowfish_encrypt</b> (<var>struct blowfish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-blowfish_005fencrypt-136"></a></var><br>
1596 block size. If it is more than one block, the data is processed in ECB
1598 in any other way.
1599 </p></blockquote></div>
1602 — Function: void <b>blowfish_decrypt</b> (<var>struct blowfish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-blowfish_005fdecrypt-137"></a></var><br>
1604 </p></blockquote></div>
1608 <p>Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph
1610 by some Japanese and European authorities as an alternative to AES. The
1611 algorithm is patented. The implementation in Nettle is derived from the
1612 implementation released by NTT under the GNU LGPL (v2.1 or later), and
1613 relies on the implicit patent license of the LGPL. There is also a
1614 statement of royalty-free licensing for Camellia at
1615 <a href="http://www.ntt.co.jp/news/news01e/0104/010417.html">http://www.ntt.co.jp/news/news01e/0104/010417.html</a>, but this
1616 statement has some limitations which seem problematic for free software.
1618 <p>Camellia uses a the same block size and key sizes as AES: The block size
1620 256 bits. Nettle defines Camellia in <samp><span class="file"><nettle/camellia.h></span></samp>.
1623 — Context struct: <b>struct camellia_ctx</b><var><a name="index-struct-camellia_005fctx-138"></a></var><br>
1624 </div>
1627 — Constant: <b>CAMELLIA_BLOCK_SIZE</b><var><a name="index-CAMELLIA_005fBLOCK_005fSIZE-139"></a></var><br>
1629 </p></blockquote></div>
1632 — Constant: <b>CAMELLIA_MIN_KEY_SIZE</b><var><a name="index-CAMELLIA_005fMIN_005fKEY_005fSIZE-140"></a></var><br>
1633 </div>
1636 — Constant: <b>CAMELLIA_MAX_KEY_SIZE</b><var><a name="index-CAMELLIA_005fMAX_005fKEY_005fSIZE-141"></a></var><br>
1637 </div>
1640 — Constant: <b>CAMELLIA_KEY_SIZE</b><var><a name="index-CAMELLIA_005fKEY_005fSIZE-142"></a></var><br>
1642 </p></blockquote></div>
1645 — Function: void <b>camellia_set_encrypt_key</b> (<var>struct camellia_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-camellia_005fset_005fencrypt_005fkey-143"></a></var><br>
1646 — Function: void <b>camellia_set_decrypt_key</b> (<var>struct camellia_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-camellia_005fset_005fdecrypt_005fkey-144"></a></var><br>
1647 <blockquote><p>Initialize the cipher, for encryption or decryption, respectively.
1648 </p></blockquote></div>
1651 — Function: void <b>camellia_invert_key</b> (<var>struct camellia_ctx *dst, const struct camellia_ctx *src</var>)<var><a name="index-camellia_005finvert_005fkey-145"></a></var><br>
1658 is mainly useful for applications which needs to both encrypt and
1660 </p></blockquote></div>
1663 — Function: void <b>camellia_crypt</b> (<var>struct camellia_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-camellia_005fcrypt-146"></a></var><br>
1664 <blockquote><p>The same function is used for both encryption and decryption.
1668 </p></blockquote></div>
1677 — Context struct: <b>struct cast128_ctx</b><var><a name="index-struct-cast128_005fctx-147"></a></var><br>
1678 </div>
1681 — Constant: <b>CAST128_BLOCK_SIZE</b><var><a name="index-CAST128_005fBLOCK_005fSIZE-148"></a></var><br>
1683 </p></blockquote></div>
1686 — Constant: <b>CAST128_MIN_KEY_SIZE</b><var><a name="index-CAST128_005fMIN_005fKEY_005fSIZE-149"></a></var><br>
1688 </p></blockquote></div>
1691 — Constant: <b>CAST128_MAX_KEY_SIZE</b><var><a name="index-CAST128_005fMAX_005fKEY_005fSIZE-150"></a></var><br>
1693 </p></blockquote></div>
1696 — Constant: <b>CAST128_KEY_SIZE</b><var><a name="index-CAST128_005fKEY_005fSIZE-151"></a></var><br>
1698 </p></blockquote></div>
1701 — Function: void <b>cast128_set_key</b> (<var>struct cast128_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-cast128_005fset_005fkey-152"></a></var><br>
1702 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1703 decryption.
1704 </p></blockquote></div>
1707 — Function: void <b>cast128_encrypt</b> (<var>struct cast128_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-cast128_005fencrypt-153"></a></var><br>
1709 block size. If it is more than one block, the data is processed in ECB
1711 in any other way.
1712 </p></blockquote></div>
1715 — Function: void <b>cast128_decrypt</b> (<var>struct cast128_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-cast128_005fdecrypt-154"></a></var><br>
1717 </p></blockquote></div>
1721 <p>DES is the old Data Encryption Standard, specified by NIST. It uses a
1723 the key bits are distributed over 8 octets, where the least significant
1724 bit of each octet may be used for parity. A common way to use DES is to
1725 generate 8 random octets in some way, then set the least significant bit
1726 of each octet to get odd parity, and initialize DES with the resulting
1727 key.
1729 <p>The key size of DES is so small that keys can be found by brute force,
1730 using specialized hardware or lots of ordinary work stations in
1731 parallel. One shouldn't be using plain DES at all today, if one uses
1734 <p>DES also has some weak keys. Nettle defines DES in <samp><span class="file"><nettle/des.h></span></samp>.
1737 — Context struct: <b>struct des_ctx</b><var><a name="index-struct-des_005fctx-155"></a></var><br>
1738 </div>
1741 — Constant: <b>DES_BLOCK_SIZE</b><var><a name="index-DES_005fBLOCK_005fSIZE-156"></a></var><br>
1743 </p></blockquote></div>
1746 — Constant: <b>DES_KEY_SIZE</b><var><a name="index-DES_005fKEY_005fSIZE-157"></a></var><br>
1748 </p></blockquote></div>
1751 — Function: int <b>des_set_key</b> (<var>struct des_ctx *ctx, const uint8_t *key</var>)<var><a name="index-des_005fset_005fkey-158"></a></var><br>
1752 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1753 decryption. Parity bits are ignored. Checks for weak keys, returning 1
1754 for good keys and 0 for weak keys. Applications that don't care about
1755 weak keys can ignore the return value.
1756 </p></blockquote></div>
1759 — Function: void <b>des_encrypt</b> (<var>struct des_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-des_005fencrypt-159"></a></var><br>
1761 block size. If it is more than one block, the data is processed in ECB
1763 in any other way.
1764 </p></blockquote></div>
1767 — Function: void <b>des_decrypt</b> (<var>struct des_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-des_005fdecrypt-160"></a></var><br>
1769 </p></blockquote></div>
1772 — Function: int <b>des_check_parity</b> (<var>unsigned length, const uint8_t *key</var>)<var>;<a name="index-des_005fcheck_005fparity-161"></a></var><br>
1774 correct parity, and 0 for bad parity.
1775 </p></blockquote></div>
1778 — Function: void <b>des_fix_parity</b> (<var>unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-des_005ffix_005fparity-162"></a></var><br>
1779 <blockquote><p>Adjusts the parity bits to match DES's requirements. You need this
1780 function if you have created a random-looking string by a key agreement
1782 be equal.
1783 </p></blockquote></div>
1787 <p>The inadequate key size of DES has already been mentioned. One way to
1788 increase the key size is to pipe together several DES boxes with
1789 independent keys. It turns out that using two DES ciphers is not as
1790 secure as one might think, even if the key size of the combination is a
1791 respectable 112 bits.
1793 <p>The standard way to increase DES's key size is to use three DES boxes.
1794 The mode of operation is a little peculiar: the middle DES box is wired
1795 in the reverse direction. To encrypt a block with DES3, you encrypt it
1797 middle 56 bits of the key, and finally encrypt it again using the last
1802 plain single DES simply by feeding the same key to all three boxes. That
1803 should help keeping down the gate count, and the price, of hardware
1804 circuits implementing both plain DES and DES3.
1808 As a 112 bit key is large enough to make brute force attacks
1810 In this mode, the same key bits are used for the first and the last DES
1811 box in the pipe, while the middle box is keyed independently. The
1812 two-key variant is believed to be secure, i.e. there are no known
1813 attacks significantly better than brute force.
1815 <p>Naturally, it's simple to implement triple-DES on top of Nettle's DES
1817 triple-DES, it is defined in the same place as plain DES,
1821 — Context struct: <b>struct des3_ctx</b><var><a name="index-struct-des3_005fctx-163"></a></var><br>
1822 </div>
1825 — Constant: <b>DES3_BLOCK_SIZE</b><var><a name="index-DES3_005fBLOCK_005fSIZE-164"></a></var><br>
1827 </p></blockquote></div>
1830 — Constant: <b>DES3_KEY_SIZE</b><var><a name="index-DES3_005fKEY_005fSIZE-165"></a></var><br>
1832 </p></blockquote></div>
1835 — Function: int <b>des3_set_key</b> (<var>struct des3_ctx *ctx, const uint8_t *key</var>)<var><a name="index-des3_005fset_005fkey-166"></a></var><br>
1836 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1837 decryption. Parity bits are ignored. Checks for weak keys, returning 1
1838 if all three keys are good keys, and 0 if one or more key is weak.
1839 Applications that don't care about weak keys can ignore the return
1840 value.
1841 </p></blockquote></div>
1847 — Function: void <b>des3_encrypt</b> (<var>struct des3_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-des3_005fencrypt-167"></a></var><br>
1849 block size. If it is more than one block, the data is processed in ECB
1851 in any other way.
1852 </p></blockquote></div>
1855 — Function: void <b>des3_decrypt</b> (<var>struct des3_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-des3_005fdecrypt-168"></a></var><br>
1857 </p></blockquote></div>
1861 <p>Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It
1862 is built on the observation that a cryptographic hash function can be
1863 used for encryption: Form the hash input from the secret key and a
1864 counter, xor the hash output and the first block of the plaintext, then
1865 increment the counter to process the next block (similar to CTR mode, see
1867 in this way to ridicule United States export restrictions which treated hash
1868 functions as nice and harmless, but ciphers as dangerous munitions.
1870 <p>Salsa20 uses the same idea, but with a new specialized hash function to
1871 mix key, block counter, and a couple of constants. It's also designed
1872 for speed; on x86_64, it is currently the fastest cipher offered by
1878 collision resistant if arbitrary inputs are allowed, and furthermore,
1879 the input and output is of fixed size.
1881 <p>When using Salsa20 to process a message, one specifies both a key and a
1883 vector (<acronym>IV</acronym>) used with <acronym>CBC</acronym> or <acronym>CTR</acronym> mode. For
1885 nonce. One can use the same key for several messages, provided one uses
1887 bits (8 octets). The block counter is initialized to zero for each
1892 — Context struct: <b>struct salsa20_ctx</b><var><a name="index-struct-salsa20_005fctx-169"></a></var><br>
1893 </div>
1896 — Constant: <b>SALSA20_MIN_KEY_SIZE</b><var><a name="index-SALSA20_005fMIN_005fKEY_005fSIZE-170"></a></var><br>
1897 — Constant: <b>SALSA20_MAX_KEY_SIZE</b><var><a name="index-SALSA20_005fMAX_005fKEY_005fSIZE-171"></a></var><br>
1899 </p></blockquote></div>
1902 — Constant: <b>SALSA20_KEY_SIZE</b><var><a name="index-SALSA20_005fKEY_005fSIZE-172"></a></var><br>
1904 </p></blockquote></div>
1907 — Constant: <b>SALSA20_BLOCK_SIZE</b><var><a name="index-SALSA20_005fBLOCK_005fSIZE-173"></a></var><br>
1909 </p></blockquote></div>
1912 — Constant: <b>SALSA20_IV_SIZE</b><var><a name="index-SALSA20_005fIV_005fSIZE-174"></a></var><br>
1914 </p></blockquote></div>
1917 — Function: void <b>salsa20_set_key</b> (<var>struct salsa20_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-salsa20_005fset_005fkey-175"></a></var><br>
1918 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1921 </p></blockquote></div>
1924 — Function: void <b>salsa20_set_iv</b> (<var>struct salsa20_ctx *ctx, const uint8_t *iv</var>)<var><a name="index-salsa20_005fset_005fiv-176"></a></var><br>
1925 <blockquote><p>Sets the <acronym>IV</acronym>. It is always of size <code>SALSA20_IV_SIZE</code>, 8
1926 octets. This function also initializes the block counter, setting it to
1927 zero.
1928 </p></blockquote></div>
1931 — Function: void <b>salsa20_crypt</b> (<var>struct salsa20_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-salsa20_005fcrypt-177"></a></var><br>
1932 <blockquote><p>Encrypts or decrypts the data of a message, using salsa20. When a
1936 </p></blockquote></div>
1939 with fewer rounds are possible, and the 12-round variant is specified by
1940 eSTREAM, see <a href="http://www.ecrypt.eu.org/stream/finallist.html">http://www.ecrypt.eu.org/stream/finallist.html</a>.
1942 struct and key setup as the full salsa20 cipher, but a separate function
1943 for encryption and decryption.
1946 — Function: void <b>salsa20r12_crypt</b> (<var>struct salsa20_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-salsa20r12_005fcrypt-178"></a></var><br>
1948 rounds.
1949 </p></blockquote></div>
1953 <p>SERPENT is one of the AES finalists, designed by Ross Anderson, Eli
1954 Biham and Lars Knudsen. Thus, the interface and properties are similar
1955 to AES'. One peculiarity is that it is quite pointless to use it with
1956 anything but the maximum key size, smaller keys are just padded to
1957 larger ones. Nettle defines SERPENT in <samp><span class="file"><nettle/serpent.h></span></samp>.
1960 — Context struct: <b>struct serpent_ctx</b><var><a name="index-struct-serpent_005fctx-179"></a></var><br>
1961 </div>
1964 — Constant: <b>SERPENT_BLOCK_SIZE</b><var><a name="index-SERPENT_005fBLOCK_005fSIZE-180"></a></var><br>
1966 </p></blockquote></div>
1969 — Constant: <b>SERPENT_MIN_KEY_SIZE</b><var><a name="index-SERPENT_005fMIN_005fKEY_005fSIZE-181"></a></var><br>
1971 </p></blockquote></div>
1974 — Constant: <b>SERPENT_MAX_KEY_SIZE</b><var><a name="index-SERPENT_005fMAX_005fKEY_005fSIZE-182"></a></var><br>
1976 </p></blockquote></div>
1979 — Constant: <b>SERPENT_KEY_SIZE</b><var><a name="index-SERPENT_005fKEY_005fSIZE-183"></a></var><br>
1981 </p></blockquote></div>
1984 — Function: void <b>serpent_set_key</b> (<var>struct serpent_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-serpent_005fset_005fkey-184"></a></var><br>
1985 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
1986 decryption.
1987 </p></blockquote></div>
1990 — Function: void <b>serpent_encrypt</b> (<var>struct serpent_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-serpent_005fencrypt-185"></a></var><br>
1992 block size. If it is more than one block, the data is processed in ECB
1994 in any other way.
1995 </p></blockquote></div>
1998 — Function: void <b>serpent_decrypt</b> (<var>struct serpent_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-serpent_005fdecrypt-186"></a></var><br>
2000 </p></blockquote></div>
2004 <p>Another AES finalist, this one designed by Bruce Schneier and others.
2008 — Context struct: <b>struct twofish_ctx</b><var><a name="index-struct-twofish_005fctx-187"></a></var><br>
2009 </div>
2012 — Constant: <b>TWOFISH_BLOCK_SIZE</b><var><a name="index-TWOFISH_005fBLOCK_005fSIZE-188"></a></var><br>
2014 </p></blockquote></div>
2017 — Constant: <b>TWOFISH_MIN_KEY_SIZE</b><var><a name="index-TWOFISH_005fMIN_005fKEY_005fSIZE-189"></a></var><br>
2019 </p></blockquote></div>
2022 — Constant: <b>TWOFISH_MAX_KEY_SIZE</b><var><a name="index-TWOFISH_005fMAX_005fKEY_005fSIZE-190"></a></var><br>
2024 </p></blockquote></div>
2027 — Constant: <b>TWOFISH_KEY_SIZE</b><var><a name="index-TWOFISH_005fKEY_005fSIZE-191"></a></var><br>
2029 </p></blockquote></div>
2032 — Function: void <b>twofish_set_key</b> (<var>struct twofish_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-twofish_005fset_005fkey-192"></a></var><br>
2033 <blockquote><p>Initialize the cipher. The same function is used for both encryption and
2034 decryption.
2035 </p></blockquote></div>
2038 — Function: void <b>twofish_encrypt</b> (<var>struct twofish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-twofish_005fencrypt-193"></a></var><br>
2040 block size. If it is more than one block, the data is processed in ECB
2042 in any other way.
2043 </p></blockquote></div>
2046 — Function: void <b>twofish_decrypt</b> (<var>struct twofish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-twofish_005fdecrypt-194"></a></var><br>
2048 </p></blockquote></div>
2050 <!-- @node nettle_cipher, Cipher Block Chaining, Cipher functions, Reference -->
2051 <!-- @comment node-name, next, previous, up -->
2054 <p>Nettle includes a struct including information about some of the more
2055 regular cipher functions. It should be considered a little experimental,
2056 but can be useful for applications that need a simple way to handle
2057 various algorithms. Nettle defines these structs in
2061 — Meta struct: <code>struct nettle_cipher</code><var> name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt<a name="index-g_t_0040code_007bstruct-nettle_005fcipher_007d-195"></a></var><br>
2062 <blockquote><p>The last four attributes are function pointers, of types
2066 </p></blockquote></div>
2069 — Constant Struct: struct nettle_cipher <b>nettle_aes128</b><var><a name="index-nettle_005faes128-196"></a></var><br>
2070 — Constant Struct: struct nettle_cipher <b>nettle_aes192</b><var><a name="index-nettle_005faes192-197"></a></var><br>
2071 — Constant Struct: struct nettle_cipher <b>nettle_aes256</b><var><a name="index-nettle_005faes256-198"></a></var><br>
2073 — Constant Struct: struct nettle_cipher <b>nettle_arctwo40</b><var><a name="index-nettle_005farctwo40-199"></a></var><br>
2074 — Constant Struct: struct nettle_cipher <b>nettle_arctwo64</b><var><a name="index-nettle_005farctwo64-200"></a></var><br>
2075 — Constant Struct: struct nettle_cipher <b>nettle_arctwo128</b><var><a name="index-nettle_005farctwo128-201"></a></var><br>
2076 — Constant Struct: struct nettle_cipher <b>nettle_arctwo_gutmann128</b><var><a name="index-nettle_005farctwo_005fgutmann128-202"></a></var><br>
2078 — Constant Struct: struct nettle_cipher <b>nettle_arcfour128</b><var><a name="index-nettle_005farcfour128-203"></a></var><br>
2080 — Constant Struct: struct nettle_cipher <b>nettle_camellia128</b><var><a name="index-nettle_005fcamellia128-204"></a></var><br>
2081 — Constant Struct: struct nettle_cipher <b>nettle_camellia192</b><var><a name="index-nettle_005fcamellia192-205"></a></var><br>
2082 — Constant Struct: struct nettle_cipher <b>nettle_camellia256</b><var><a name="index-nettle_005fcamellia256-206"></a></var><br>
2084 — Constant Struct: struct nettle_cipher <b>nettle_cast128</b><var><a name="index-nettle_005fcast128-207"></a></var><br>
2086 — Constant Struct: struct nettle_cipher <b>nettle_serpent128</b><var><a name="index-nettle_005fserpent128-208"></a></var><br>
2087 — Constant Struct: struct nettle_cipher <b>nettle_serpent192</b><var><a name="index-nettle_005fserpent192-209"></a></var><br>
2088 — Constant Struct: struct nettle_cipher <b>nettle_serpent256</b><var><a name="index-nettle_005fserpent256-210"></a></var><br>
2090 — Constant Struct: struct nettle_cipher <b>nettle_twofish128</b><var><a name="index-nettle_005ftwofish128-211"></a></var><br>
2091 — Constant Struct: struct nettle_cipher <b>nettle_twofish192</b><var><a name="index-nettle_005ftwofish192-212"></a></var><br>
2092 — Constant Struct: struct nettle_cipher <b>nettle_twofish256</b><var><a name="index-nettle_005ftwofish256-213"></a></var><br>
2094 ones without weak keys or other oddities.
2095 </p></blockquote></div>
2097 <p>Nettle also exports a list of all these ciphers without weak keys or
2098 other oddities.
2101 — Constant Array: struct nettle_cipher ** <b>nettle_ciphers</b><var><a name="index-nettle_005fciphers-214"></a></var><br>
2102 <blockquote><p>This list can be used to dynamically enumerate or search the supported
2103 algorithms. NULL-terminated.
2104 </p></blockquote></div>
2108 <p><hr>
2113 </div>
2115 <!-- node-name, next, previous, up -->
2118 <p>Cipher modes of operation specifies the procedure to use when encrypting
2119 a message that is larger than the cipher's block size. As explained in
2121 processing them independently with the block cipher (Electronic Code
2123 Nettle provides three other modes of operation: Cipher Block Chaining
2126 subtle issues of information leakage, see, e.g.,
2127 <a href="http://www.kb.cert.org/vuls/id/958563"><acronym>SSH</acronym> <acronym>CBC</acronym> vulnerability</a>. <acronym>CTR</acronym> and <acronym>GCM</acronym>
2128 were standardized more recently, and are believed to be more secure.
2130 should always use a <acronym>MAC</acronym> (see <a href="#Keyed-hash-functions">Keyed hash functions</a>) or
2131 signature to authenticate the message.
2137 </ul>
2141 <p><hr>
2146 </div>
2148 <!-- node-name, next, previous, up -->
2153 independently of each other, like in Electronic Cook Book mode. Instead,
2155 block is XORed with the plaintext before it is fed to the block cipher.
2158 IV should be chosen randomly, but it need not be kept secret, and can
2159 even be transmitted in the clear together with the encrypted data.
2163 <code>M_1</code>,<small class="dots">...</small> <code>M_n</code> are transformed into <code>n</code> ciphertext blocks
2167 C_2 = E_k(C_1 XOR M_2)
2169 ...
2171 C_n = E_k(C_(n-1) XOR M_n)
2172 </pre>
2173 <p>Nettle's includes two functions for applying a block cipher in Cipher
2176 around.
2179 — Function: void <b>cbc_encrypt</b> (<var>void *ctx, nettle_crypt_func f, unsigned block_size, uint8_t *iv, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-cbc_005fencrypt-217"></a></var><br>
2180 — Function: void <b>cbc_decrypt</b> (<var>void *ctx, void </var>(<var>*f</var>)()<var>, unsigned block_size, uint8_t *iv, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-cbc_005fdecrypt-218"></a></var><br>
2181 <blockquote>
2184 before returning, so that large message be processed be a sequence of
2187 <p><code>void f (void *</code><var>ctx</var><code>, unsigned </code><var>length</var><code>, uint8_t </code><var>dst</var><code>,
2190 <p class="noindent">and the <code>cbc_encrypt</code> and <code>cbc_decrypt</code> functions pass their
2192 </p></blockquote></div>
2194 <p>There are also some macros to help use these functions correctly.
2197 — Macro: <b>CBC_CTX</b> (<var>context_type, block_size</var>)<var><a name="index-CBC_005fCTX-219"></a></var><br>
2198 <blockquote><p>Expands to
2200 context_type ctx;
2201 uint8_t iv[block_size];
2202 }
2203 </pre>
2204 </blockquote></div>
2209 </pre>
2210 <p>or to give it a struct tag,
2213 </pre>
2215 — Macro: <b>CBC_SET_IV</b> (<var>ctx, iv</var>)<var><a name="index-CBC_005fSET_005fIV-220"></a></var><br>
2216 <blockquote><p>First argument is a pointer to a context struct as defined by <code>CBC_CTX</code>,
2217 and the second is a pointer to an Initialization Vector (IV) that is
2218 copied into that context.
2219 </p></blockquote></div>
2222 — Macro: <b>CBC_ENCRYPT</b> (<var>ctx, f, length, dst, src</var>)<var><a name="index-CBC_005fENCRYPT-221"></a></var><br>
2223 — Macro: <b>CBC_DECRYPT</b> (<var>ctx, f, length, dst, src</var>)<var><a name="index-CBC_005fDECRYPT-222"></a></var><br>
2224 <blockquote><p>A simpler way to invoke <code>cbc_encrypt</code> and <code>cbc_decrypt</code>. The
2225 first argument is a pointer to a context struct as defined by
2227 function following Nettle's conventions. The last three arguments define
2228 the source and destination area for the operation.
2229 </p></blockquote></div>
2231 <p>These macros use some tricks to make the compiler display a warning if
2237 <p><hr>
2242 </div>
2244 <!-- node-name, next, previous, up -->
2249 pseudo-random generator. The output of the generator is XORed with the
2250 data to be encrypted. It can be understood as a way to transform a block
2251 cipher to a stream cipher.
2253 <p>The message is divided into <code>n</code> blocks <code>M_1</code>,<small class="dots">...</small>
2255 than the block size. Except for the last block, all the message blocks
2256 must be of size equal to the cipher's block size.
2260 transformed into <code>n</code> ciphertext blocks <code>C_1</code>,<small class="dots">...</small>
2264 C_2 = E_k(IC + 1) XOR M_2
2266 ...
2270 </pre>
2278 — Function: void <b>ctr_crypt</b> (<var>void *ctx, nettle_crypt_func f, unsigned block_size, uint8_t *ctr, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-ctr_005fcrypt-225"></a></var><br>
2279 <blockquote>
2283 underlying block cipher.
2285 <p>When a message is encrypted using a sequence of calls to
2287 a multiple of the block size.
2288 </p></blockquote></div>
2293 — Macro: <b>CTR_CTX</b> (<var>context_type, block_size</var>)<var><a name="index-CTR_005fCTX-226"></a></var><br>
2294 <blockquote><p>Expands to
2296 context_type ctx;
2297 uint8_t ctr[block_size];
2298 }
2299 </pre>
2300 </blockquote></div>
2303 — Macro: <b>CTR_SET_COUNTER</b> (<var>ctx, iv</var>)<var><a name="index-CTR_005fSET_005fCOUNTER-227"></a></var><br>
2304 <blockquote><p>First argument is a pointer to a context struct as defined by
2306 is copied into that context.
2307 </p></blockquote></div>
2310 — Macro: <b>CTR_CRYPT</b> (<var>ctx, f, length, dst, src</var>)<var><a name="index-CTR_005fCRYPT-228"></a></var><br>
2313 argument is an encryption function following Nettle's conventions. The
2314 last three arguments define the source and destination area for the
2315 operation.
2316 </p></blockquote></div>
2320 <p><hr>
2324 </div>
2326 <!-- node-name, next, previous, up -->
2330 Galois counter mode is the combination of counter mode with message
2331 authentication based on universal hashing. The main objective of the
2332 design is to provide high performance for hardware implementations,
2333 where other popular <acronym>MAC</acronym> algorithms (see <a href="#Keyed-hash-functions">Keyed hash functions</a> becomes a bottleneck for high-speed hardware implementations.
2334 It was proposed by David A. McGrew and John Viega in 2005, and
2335 recommended by NIST in 2007,
2336 <a href="http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf">NIST Special Publication 800-38D</a>. It is constructed on top of a block
2337 cipher which must have a block size of 128 bits.
2340 are:
2342 <ul>
2343 <li>A key, which can be used for many messages.
2345 each message.
2346 <li>Additional authenticated data, which is to be included in the message
2347 authentication, but not encrypted. May be empty.
2348 <li>The plaintext. Maybe empty.
2349 </ul>
2351 <p>The outputs are a ciphertext, of the same length as the plaintext, and a
2353 consists of a low-level general interface, some convenience macros, and
2355 underlying cipher. These interfaces are defined in <samp><span class="file"><nettle/gcm.h></span></samp>
2360 — Context struct: <b>struct gcm_key</b><var><a name="index-struct-gcm_005fkey-231"></a></var><br>
2361 <blockquote><p>Message independent hash sub-key, and related tables.
2362 </p></blockquote></div>
2365 — Context struct: <b>struct gcm_ctx</b><var><a name="index-struct-gcm_005fctx-232"></a></var><br>
2366 <blockquote><p>Holds state corresponding to a particular message.
2367 </p></blockquote></div>
2370 — Constant: <b>GCM_BLOCK_SIZE</b><var><a name="index-GCM_005fBLOCK_005fSIZE-233"></a></var><br>
2372 </p></blockquote></div>
2375 — Constant: <b>GCM_IV_SIZE</b><var><a name="index-GCM_005fIV_005fSIZE-234"></a></var><br>
2377 </p></blockquote></div>
2380 — Function: void <b>gcm_set_key</b> (<var>struct gcm_key *key, void *cipher, nettle_crypt_func *f</var>)<var><a name="index-gcm_005fset_005fkey-235"></a></var><br>
2382 underlying cipher, which must have been previously initialized for
2384 </p></blockquote></div>
2387 — Function: void <b>gcm_set_iv</b> (<var>struct gcm_ctx *ctx, const struct gcm_key *key, unsigned length, const uint8_t *iv</var>)<var><a name="index-gcm_005fset_005fiv-236"></a></var><br>
2388 <blockquote><p>Initializes <var>ctx</var> using the given <acronym>IV</acronym>. The <var>key</var>
2391 </p></blockquote></div>
2394 — Function: void <b>gcm_update</b> (<var>struct gcm_ctx *ctx, const struct gcm_key *key, unsigned length, const uint8_t *data</var>)<var><a name="index-gcm_005fupdate-237"></a></var><br>
2395 <blockquote><p>Provides associated data to be authenticated. If used, must be called
2398 block size.
2399 </p></blockquote></div>
2402 — Function: void <b>gcm_encrypt</b> (<var>struct gcm_ctx *ctx, const struct gcm_key *key void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-gcm_005fencrypt-238"></a></var><br>
2403 — Function: void <b>gcm_decrypt</b> (<var>struct gcm_ctx *ctx, const struct gcm_key *key, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-gcm_005fdecrypt-239"></a></var><br>
2407 a multiple of the block size.
2408 </p></blockquote></div>
2411 — Function: void <b>gcm_digest</b> (<var>struct gcm_ctx *ctx, const struct gcm_key *key, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *digest</var>)<var><a name="index-gcm_005fdigest-240"></a></var><br>
2412 <blockquote><p>Extracts the message digest (also known “authentication tag”). This is
2416 </p></blockquote></div>
2419 the underlying block cipher with a key to use for encryption. Then call
2425 underlying block cipher). To process a new message, using the same key,
2430 <p>The following macros are defined.
2433 — Macro: <b>GCM_CTX</b> (<var>context_type</var>)<var><a name="index-GCM_005fCTX-241"></a></var><br>
2434 <blockquote><p>This defines an all-in-one context struct, including the context of the
2435 underlying cipher, the hash sub-key, and the per-message state. It expands
2436 to
2438 context_type cipher;
2439 struct gcm_key key;
2440 struct gcm_ctx gcm;
2441 }
2442 </pre>
2443 </blockquote></div>
2445 <p>Example use:
2447 </pre>
2448 <p>The following macros operate on context structs of this form.
2451 — Macro: <b>GCM_SET_KEY</b> (<var>ctx, set_key, encrypt, length, data</var>)<var><a name="index-GCM_005fSET_005fKEY-242"></a></var><br>
2454 setting the encryption key and for encrypting data using the underlying
2456 </p></blockquote></div>
2459 — Macro: <b>GCM_SET_IV</b> (<var>ctx, length, data</var>)<var><a name="index-GCM_005fSET_005fIV-243"></a></var><br>
2460 <blockquote><p>First argument is a context struct as defined by
2463 </p></blockquote></div>
2466 — Macro: <b>GCM_UPDATE</b> (<var>ctx, length, data</var>)<var><a name="index-GCM_005fUPDATE-244"></a></var><br>
2469 </p></blockquote></div>
2472 — Macro: <b>GCM_ENCRYPT</b> (<var>ctx, encrypt, length, dst, src</var>)<var><a name="index-GCM_005fENCRYPT-245"></a></var><br>
2473 — Macro: <b>GCM_DECRYPT</b> (<var>ctx, encrypt, length, dst, src</var>)<var><a name="index-GCM_005fDECRYPT-246"></a></var><br>
2474 — Macro: <b>GCM_DIGEST</b> (<var>ctx, encrypt, length, digest</var>)<var><a name="index-GCM_005fDIGEST-247"></a></var><br>
2478 encryption function of the underlying cipher.
2479 </p></blockquote></div>
2487 — Context struct: <b>struct gcm_aes_ctx</b><var><a name="index-struct-gcm_005faes_005fctx-248"></a></var><br>
2489 </p></blockquote></div>
2492 — Function: void <b>gcm_aes_set_key</b> (<var>struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *key</var>)<var><a name="index-gcm_005faes_005fset_005fkey-249"></a></var><br>
2493 <blockquote><p>Initializes <var>ctx</var> using the given key. All valid <acronym>AES</acronym> key
2494 sizes can be used.
2495 </p></blockquote></div>
2498 — Function: void <b>gcm_aes_set_iv</b> (<var>struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *iv</var>)<var><a name="index-gcm_005faes_005fset_005fiv-250"></a></var><br>
2500 </p></blockquote></div>
2503 — Function: void <b>gcm_aes_update</b> (<var>struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-gcm_005faes_005fupdate-251"></a></var><br>
2504 <blockquote><p>Provides associated data to be authenticated. If used, must be called
2507 block size.
2508 </p></blockquote></div>
2511 — Function: void <b>gcm_aes_encrypt</b> (<var>struct gcm_aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-gcm_005faes_005fencrypt-252"></a></var><br>
2512 — Function: void <b>gcm_aes_decrypt</b> (<var>struct gcm_aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src</var>)<var><a name="index-gcm_005faes_005fdecrypt-253"></a></var><br>
2513 <blockquote><p>Encrypts or decrypts the data of a message. All but the last call for
2515 size.
2517 </blockquote></div>
2520 — Function: void <b>gcm_aes_digest</b> (<var>struct gcm_aes_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-gcm_005faes_005fdigest-254"></a></var><br>
2521 <blockquote><p>Extracts the message digest (also known “authentication tag”). This is
2525 </p></blockquote></div>
2529 <p><hr>
2530 Next: <a rel="next" accesskey="n" href="#Key-derivation-functions">Key derivation functions</a>,
2534 </div>
2536 <!-- node-name, next, previous, up -->
2539 <p><a name="index-Keyed-Hash-Function-255"></a><a name="index-Message-Authentication-Code-256"></a><a name="index-MAC-257"></a>
2544 should also be hard to compute the key given only messages and
2547 <p>Keyed hash functions are useful primarily for message authentication,
2548 when Alice and Bob shares a secret: The sender, Alice, computes the
2551 to Alice's value. If they match, Bob can be assured that
2552 the message has not been modified on its way from Alice.
2554 <p>However, unlike digital signatures, this assurance is not transferable.
2556 prove that Alice sent that message. Not even if he gives away the key to
2559 any message. If Bob believes that only he and Alice knows the key, and
2561 he knows it must be Alice who did it. However, the third party can't
2563 Bob.
2565 <p>Keyed hash functions are typically a lot faster than digital signatures
2566 as well.
2571 One can build keyed hash functions from ordinary hash functions. Older
2572 constructions simply concatenate secret key and message and hashes that, but
2573 such constructions have weaknesses. A better construction is
2587 very useful.
2589 <p>Nettle's <acronym>HMAC</acronym> functions are defined in <samp><span class="file"><nettle/hmac.h></span></samp>.
2590 There are abstract functions that use a pointer to a <code>struct
2592 pointers that point to three different context structs for that hash
2594 <acronym>HMAC-RIPEMD160</acronym> <acronym>HMAC-SHA1</acronym>, <acronym>HMAC-SHA256</acronym>, and
2598 — Function: void <b>hmac_set_key</b> (<var>void *outer, void *inner, void *state, const struct nettle_hash *H, unsigned length, const uint8_t *key</var>)<var><a name="index-hmac_005fset_005fkey-259"></a></var><br>
2603 </p></blockquote></div>
2606 — Function: void <b>hmac_update</b> (<var>void *state, const struct nettle_hash *H, unsigned length, const uint8_t *data</var>)<var><a name="index-hmac_005fupdate-260"></a></var><br>
2607 <blockquote><p>This function is called zero or more times to process the message.
2610 ordinary update function of the underlying hash function instead.
2611 </p></blockquote></div>
2614 — Function: void <b>hmac_digest</b> (<var>const void *outer, const void *inner, void *state, const struct nettle_hash *H, unsigned length, uint8_t *digest</var>)<var><a name="index-hmac_005fdigest-261"></a></var><br>
2615 <blockquote><p>Extracts the <acronym>MAC</acronym> of the message, writing it to <var>digest</var>.
2621 over processing a new message (with the same key).
2622 </p></blockquote></div>
2625 functions correctly.
2628 — Macro: <b>HMAC_CTX</b> (<var>type</var>)<var><a name="index-HMAC_005fCTX-262"></a></var><br>
2629 <blockquote><p>Expands to
2631 type outer;
2632 type inner;
2633 type state;
2634 }
2635 </pre>
2636 </blockquote></div>
2639 directly,
2642 </pre>
2643 <p>or to give it a struct tag,
2646 </pre>
2648 — Macro: <b>HMAC_SET_KEY</b> (<var>ctx, H, length, key</var>)<var><a name="index-HMAC_005fSET_005fKEY-263"></a></var><br>
2651 nettle_hash</code> describing the underlying hash function (so it must match
2653 the secret key.
2654 </p></blockquote></div>
2657 — Macro: <b>HMAC_DIGEST</b> (<var>ctx, H, length, digest</var>)<var><a name="index-HMAC_005fDIGEST-264"></a></var><br>
2660 nettle_hash</code> describing the underlying hash function. The last two
2661 arguments specify where the digest is written.
2662 </p></blockquote></div>
2666 underlying hash function.
2676 — Context struct: <b>struct hmac_md5_ctx</b><var><a name="index-struct-hmac_005fmd5_005fctx-265"></a></var><br>
2677 </div>
2680 — Function: void <b>hmac_md5_set_key</b> (<var>struct hmac_md5_ctx *ctx, unsigned key_length, const uint8_t *key</var>)<var><a name="index-hmac_005fmd5_005fset_005fkey-266"></a></var><br>
2681 <blockquote><p>Initializes the context with the key.
2682 </p></blockquote></div>
2685 — Function: void <b>hmac_md5_update</b> (<var>struct hmac_md5_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-hmac_005fmd5_005fupdate-267"></a></var><br>
2686 <blockquote><p>Process some more data.
2687 </p></blockquote></div>
2690 — Function: void <b>hmac_md5_digest</b> (<var>struct hmac_md5_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-hmac_005fmd5_005fdigest-268"></a></var><br>
2691 <blockquote><p>Extracts the <acronym>MAC</acronym>, writing it to <var>digest</var>. <var>length</var> may be smaller than
2695 <p>This function also resets the context for processing new messages, with
2696 the same key.
2697 </p></blockquote></div>
2702 — Context struct: <b>struct hmac_ripemd160_ctx</b><var><a name="index-struct-hmac_005fripemd160_005fctx-269"></a></var><br>
2703 </div>
2706 — Function: void <b>hmac_ripemd160_set_key</b> (<var>struct hmac_ripemd160_ctx *ctx, unsigned key_length, const uint8_t *key</var>)<var><a name="index-hmac_005fripemd160_005fset_005fkey-270"></a></var><br>
2707 <blockquote><p>Initializes the context with the key.
2708 </p></blockquote></div>
2711 — Function: void <b>hmac_ripemd160_update</b> (<var>struct hmac_ripemd160_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-hmac_005fripemd160_005fupdate-271"></a></var><br>
2712 <blockquote><p>Process some more data.
2713 </p></blockquote></div>
2716 — Function: void <b>hmac_ripemd160_digest</b> (<var>struct hmac_ripemd160_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-hmac_005fripemd160_005fdigest-272"></a></var><br>
2717 <blockquote><p>Extracts the <acronym>MAC</acronym>, writing it to <var>digest</var>. <var>length</var> may be smaller than
2721 <p>This function also resets the context for processing new messages, with
2722 the same key.
2723 </p></blockquote></div>
2728 — Context struct: <b>struct hmac_sha1_ctx</b><var><a name="index-struct-hmac_005fsha1_005fctx-273"></a></var><br>
2729 </div>
2732 — Function: void <b>hmac_sha1_set_key</b> (<var>struct hmac_sha1_ctx *ctx, unsigned key_length, const uint8_t *key</var>)<var><a name="index-hmac_005fsha1_005fset_005fkey-274"></a></var><br>
2733 <blockquote><p>Initializes the context with the key.
2734 </p></blockquote></div>
2737 — Function: void <b>hmac_sha1_update</b> (<var>struct hmac_sha1_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-hmac_005fsha1_005fupdate-275"></a></var><br>
2738 <blockquote><p>Process some more data.
2739 </p></blockquote></div>
2742 — Function: void <b>hmac_sha1_digest</b> (<var>struct hmac_sha1_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-hmac_005fsha1_005fdigest-276"></a></var><br>
2743 <blockquote><p>Extracts the <acronym>MAC</acronym>, writing it to <var>digest</var>. <var>length</var> may be smaller than
2747 <p>This function also resets the context for processing new messages, with
2748 the same key.
2749 </p></blockquote></div>
2754 — Context struct: <b>struct hmac_sha256_ctx</b><var><a name="index-struct-hmac_005fsha256_005fctx-277"></a></var><br>
2755 </div>
2758 — Function: void <b>hmac_sha256_set_key</b> (<var>struct hmac_sha256_ctx *ctx, unsigned key_length, const uint8_t *key</var>)<var><a name="index-hmac_005fsha256_005fset_005fkey-278"></a></var><br>
2759 <blockquote><p>Initializes the context with the key.
2760 </p></blockquote></div>
2763 — Function: void <b>hmac_sha256_update</b> (<var>struct hmac_sha256_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-hmac_005fsha256_005fupdate-279"></a></var><br>
2764 <blockquote><p>Process some more data.
2765 </p></blockquote></div>
2768 — Function: void <b>hmac_sha256_digest</b> (<var>struct hmac_sha256_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-hmac_005fsha256_005fdigest-280"></a></var><br>
2769 <blockquote><p>Extracts the <acronym>MAC</acronym>, writing it to <var>digest</var>. <var>length</var> may be smaller than
2773 <p>This function also resets the context for processing new messages, with
2774 the same key.
2775 </p></blockquote></div>
2780 — Context struct: <b>struct hmac_sha512_ctx</b><var><a name="index-struct-hmac_005fsha512_005fctx-281"></a></var><br>
2781 </div>
2784 — Function: void <b>hmac_sha512_set_key</b> (<var>struct hmac_sha512_ctx *ctx, unsigned key_length, const uint8_t *key</var>)<var><a name="index-hmac_005fsha512_005fset_005fkey-282"></a></var><br>
2785 <blockquote><p>Initializes the context with the key.
2786 </p></blockquote></div>
2789 — Function: void <b>hmac_sha512_update</b> (<var>struct hmac_sha512_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-hmac_005fsha512_005fupdate-283"></a></var><br>
2790 <blockquote><p>Process some more data.
2791 </p></blockquote></div>
2794 — Function: void <b>hmac_sha512_digest</b> (<var>struct hmac_sha512_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-hmac_005fsha512_005fdigest-284"></a></var><br>
2795 <blockquote><p>Extracts the <acronym>MAC</acronym>, writing it to <var>digest</var>. <var>length</var> may be smaller than
2799 <p>This function also resets the context for processing new messages, with
2800 the same key.
2801 </p></blockquote></div>
2807 hashing, and designed for high performance on modern processors (in
2809 performance). On processors with good integer multiplication
2810 performance, it can be 10 times faster than SHA256 and SHA512.
2815 in counter mode to generate various internal subkeys needed in
2818 reused for two messages with the same key, but they need not be kept
2819 secret.
2822 than 16 octets are zero-padded. Nettle's implementation of
2824 explicitly setting the nonce for each message is optional. This
2825 auto-increment uses network byte order and it takes the length of the
2827 this value is zero-padded to 16 octets for the first message. For the
2829 value is zero-padded to 16 octets.
2833 (16 octets), corresponding to different tradeoffs between speed and
2834 security. Using a shorter output size sometimes (but not always!) gives
2835 the same result as using a longer output size and truncating the result.
2836 So it is important to use the right variant. For consistency with other
2839 truncated to any desired size, but it is recommended to stick to the
2841 corresponding to the desired size.
2844 generates more than 1024 bytes of subkeys. This makes the size of the
2846 algorithms in Nettle.
2848 <p>Nettle defines <acronym>UMAC</acronym> in <samp><span class="file"><nettle/umac.h></span></samp>.
2851 — Context struct: <b>struct umac32_ctx</b><var><a name="index-struct-umac32_005fctx-286"></a></var><br>
2852 — Context struct: <b>struct umac64_ctx</b><var><a name="index-struct-umac64_005fctx-287"></a></var><br>
2853 — Context struct: <b>struct umac96_ctx</b><var><a name="index-struct-umac96_005fctx-288"></a></var><br>
2854 — Context struct: <b>struct umac128_ctx</b><var><a name="index-struct-umac128_005fctx-289"></a></var><br>
2856 </p></blockquote></div>
2859 — Constant: <b>UMAC_KEY_SIZE</b><var><a name="index-UMAC_005fKEY_005fSIZE-290"></a></var><br>
2861 </p></blockquote></div>
2864 — Constant: <b>UMAC32_DIGEST_SIZE</b><var><a name="index-UMAC32_005fDIGEST_005fSIZE-291"></a></var><br>
2866 </p></blockquote></div>
2869 — Constant: <b>UMAC64_DIGEST_SIZE</b><var><a name="index-UMAC64_005fDIGEST_005fSIZE-292"></a></var><br>
2871 </p></blockquote></div>
2874 — Constant: <b>UMAC96_DIGEST_SIZE</b><var><a name="index-UMAC96_005fDIGEST_005fSIZE-293"></a></var><br>
2876 </p></blockquote></div>
2879 — Constant: <b>UMAC128_DIGEST_SIZE</b><var><a name="index-UMAC128_005fDIGEST_005fSIZE-294"></a></var><br>
2881 </p></blockquote></div>
2884 — Constant: <b>UMAC128_DATA_SIZE</b><var><a name="index-UMAC128_005fDATA_005fSIZE-295"></a></var><br>
2885 <blockquote><p>The internal block size of UMAC.
2886 </p></blockquote></div>
2889 — Function: void <b>umac32_set_key</b> (<var>struct umac32_ctx *ctx, const uint8_t *key</var>)<var><a name="index-umac32_005fset_005fkey-296"></a></var><br>
2890 — Function: void <b>umac64_set_key</b> (<var>struct umac64_ctx *ctx, const uint8_t *key</var>)<var><a name="index-umac64_005fset_005fkey-297"></a></var><br>
2891 — Function: void <b>umac96_set_key</b> (<var>struct umac96_ctx *ctx, const uint8_t *key</var>)<var><a name="index-umac96_005fset_005fkey-298"></a></var><br>
2892 — Function: void <b>umac128_set_key</b> (<var>struct umac128_ctx *ctx, const uint8_t *key</var>)<var><a name="index-umac128_005fset_005fkey-299"></a></var><br>
2893 <blockquote><p>These functions initialize the <acronym>UMAC</acronym> context struct. They also
2894 initialize the nonce to zero (with length 16, for auto-increment).
2895 </p></blockquote></div>
2898 — Function: void <b>umac32_set_nonce</b> (<var>struct umac32_ctx *ctx, unsigned length, const uint8_t *nonce</var>)<var><a name="index-umac32_005fset_005fnonce-300"></a></var><br>
2899 — Function: void <b>umac64_set_nonce</b> (<var>struct umac64_ctx *ctx, unsigned length, const uint8_t *nonce</var>)<var><a name="index-umac64_005fset_005fnonce-301"></a></var><br>
2900 — Function: void <b>umac96_set_nonce</b> (<var>struct umac96_ctx *ctx, unsigned length, const uint8_t *nonce</var>)<var><a name="index-umac96_005fset_005fnonce-302"></a></var><br>
2901 — Function: void <b>umac128_set_nonce</b> (<var>struct umac128_ctx *ctx, unsigned length, const uint8_t *nonce</var>)<var><a name="index-umac128_005fset_005fnonce-303"></a></var><br>
2902 <blockquote><p>Sets the nonce to be used for the next message. In general, nonces
2903 should be set before processing of the message. This is not strictly
2905 generating the digest), but it is nevertheless recommended that this
2907 message.
2908 </p></blockquote></div>
2911 — Function: void <b>umac32_update</b> (<var>struct umac32_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-umac32_005fupdate-304"></a></var><br>
2912 — Function: void <b>umac64_update</b> (<var>struct umac64_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-umac64_005fupdate-305"></a></var><br>
2913 — Function: void <b>umac96_update</b> (<var>struct umac96_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-umac96_005fupdate-306"></a></var><br>
2914 — Function: void <b>umac128_update</b> (<var>struct umac128_ctx *ctx, unsigned length, const uint8_t *data</var>)<var><a name="index-umac128_005fupdate-307"></a></var><br>
2915 <blockquote><p>These functions are called zero or more times to process the message.
2916 </p></blockquote></div>
2919 — Function: void <b>umac32_digest</b> (<var>struct umac32_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-umac32_005fdigest-308"></a></var><br>
2920 — Function: void <b>umac64_digest</b> (<var>struct umac64_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-umac64_005fdigest-309"></a></var><br>
2921 — Function: void <b>umac96_digest</b> (<var>struct umac96_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-umac96_005fdigest-310"></a></var><br>
2922 — Function: void <b>umac128_digest</b> (<var>struct umac128_ctx *ctx, unsigned length, uint8_t *digest</var>)<var><a name="index-umac128_005fdigest-311"></a></var><br>
2923 <blockquote><p>Extracts the <acronym>MAC</acronym> of the message, writing it to <var>digest</var>.
2927 processing of a new message with the same key. The nonce is incremented
2928 as described above, the new value is used unless you call the
2930 </p></blockquote></div>
2934 <p><hr>
2935 Next: <a rel="next" accesskey="n" href="#Public_002dkey-algorithms">Public-key algorithms</a>,
2936 Previous: <a rel="previous" accesskey="p" href="#Keyed-hash-functions">Keyed hash functions</a>,
2939 </div>
2941 <!-- node-name, next, previous, up -->
2944 <p><a name="index-Key-Derivation-Function-312"></a><a name="index-Password-Based-Key-Derivation-Function-313"></a><a name="index-PKCS-_00235-314"></a><a name="index-KDF-315"></a><a name="index-PBKDF-316"></a>
2946 a given symmetric key derives other symmetric keys. A sub-class of KDFs
2948 which take as input a password or passphrase, and its purpose is
2949 typically to strengthen it and protect against certain pre-computation
2950 attacks by using salting and expensive computation.
2959 <samp><span class="file"><nettle/pbkdf2.h></span></samp>. There is an abstract function that operate on
2962 and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First,
2963 the abstract function:
2966 — Function: void <b>pbkdf2</b> (<var>void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, unsigned digest_size, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst</var>)<var><a name="index-pbkdf2-317"></a></var><br>
2968 PRF is assumed to have been initialized and this function will call the
2970 context parameter as an argument in order to compute digest of size
2975 </p></blockquote></div>
2977 <p>Like for CBC and HMAC, there is a macro to help use the function
2978 correctly.
2981 — Macro: <b>PBKDF2</b> (<var>ctx, update, digest, digest_size, iterations, salt_length, salt, length, dst</var>)<var><a name="index-PBKDF2-318"></a></var><br>
2990 </p></blockquote></div>
3000 — Function: void <b>pbkdf2_hmac_sha1</b> (<var>unsigned key_length, const uint8_t *key, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst</var>)<var><a name="index-pbkdf2_005fhmac_005fsha1-319"></a></var><br>
3006 </p></blockquote></div>
3011 — Function: void <b>pbkdf2_hmac_sha256</b> (<var>unsigned key_length, const uint8_t *key, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst</var>)<var><a name="index-pbkdf2_005fhmac_005fsha256-320"></a></var><br>
3017 </p></blockquote></div>
3022 <p><hr>
3024 Previous: <a rel="previous" accesskey="p" href="#Key-derivation-functions">Key derivation functions</a>,
3027 </div>
3029 <!-- node-name, next, previous, up -->
3033 with large numbers. In order to use the public-key features of Nettle,
3035 Nettle, and you need to link your programs with <code>-lhogweed -lnettle
3036 -lgmp</code>.
3039 discovered by Whitfield Diffie and Martin E. Hellman and described in a
3041 receiver share the same keys, and these keys must be distributed in a
3042 secure way. And if there are many users or entities that need to
3044 else.
3046 <p><a name="index-Public-Key-Cryptography-321"></a><a name="index-One_002dway-function-322"></a>
3047 Public-key cryptography uses trapdoor one-way functions. A
3052 exponentiation in certain groups.
3059 <p>Two important uses for one-way functions with trapdoors are public-key
3060 encryption, and digital signatures. The public-key encryption functions
3061 in Nettle are not yet documented; the rest of this chapter is about
3062 digital signatures.
3064 <p>To use a digital signature algorithm, one must first create a
3066 key is used to sign messages, while the public key is used for verifying
3067 that that signatures and messages match. Some care must be taken when
3068 distributing the public key; it need not be kept secret, but if a bad
3069 guy is able to replace it (in transit, or in some user's list of known
3070 public keys), bad things may happen.
3072 <p>There are two operations one can do with the keys. The signature
3073 operation takes a message and a private key, and creates a signature for
3074 the message. A signature is some string of bits, usually at most a few
3075 thousand bits or a few hundred octets. Unlike paper-and-ink signatures,
3076 the digital signature depends on the message, so one can't cut it out of
3077 context and glue it to a different message.
3079 <p>The verification operation takes a public key, a message, and a string
3080 that is claimed to be a signature on the message, and returns true or
3081 false. If it returns true, that means that the three input values
3082 matched, and the verifier can be sure that someone went through with the
3084 knows the private key corresponding to the public key.
3086 <p>The desired properties of a digital signature algorithm are as follows:
3087 Given the public key and pairs of messages and valid signatures on them,
3088 it should be hard to compute the private key, and it should also be hard
3089 to create a new message and signature that is accepted by the
3090 verification operation.
3092 <p>Besides signing meaningful messages, digital signatures can be used for
3093 authorization. A server can be configured with a public key, such that
3094 any client that connects to the service is given a random nonce message.
3095 If the server gets a reply with a correct signature matching the nonce
3096 message and the configured public key, the client is granted access. So
3097 the configuration of the server can be understood as “grant access to
3098 whoever knows the private key corresponding to this particular public
3099 key, and to no others”.
3105 </ul>
3109 <p><hr>
3111 Previous: <a rel="previous" accesskey="p" href="#Public_002dkey-algorithms">Public-key algorithms</a>,
3114 </div>
3116 <!-- node-name, next, previous, up -->
3120 algorithm that was constructed. It was described 1978 in a paper by
3121 Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also
3122 patented in the <acronym>USA</acronym> in 1983. The patent expired on September 20, 2000, and since
3125 <p>It's remarkably simple to describe the trapdoor function behind
3129 </pre>
3134 bits or larger.
3138 But, where's the trapdoor?
3145 order of the multiplicative group of integers modulo n.
3148 particular, it must be odd), but can otherwise be chosen more or less
3158 </pre>
3163 <p>So <code>d</code> is the trapdoor, if we know <code>d</code> and <code>y = F(x)</code>, we can
3169 signed is first hashed using a cryptographic hash function, e.g.
3170 <acronym>MD5</acronym> or <acronym>SHA1</acronym>. Next, some padding, the <acronym>ASN.1</acronym>
3174 mod n</code><a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a>. The signature, <code>s</code> is a
3176 sequence of octets, most significant octet first.
3180 computed, the operation returns true if and only if the result equals
3189 — Context struct: <b>rsa_public_key</b><var> size n e<a name="index-rsa_005fpublic_005fkey-323"></a></var><br>
3190 <blockquote><p><code>size</code> is the size, in octets, of the modulo, and is used internally.
3192 </p></blockquote></div>
3195 — Context struct: <b>rsa_private_key</b><var> size d p q a b c<a name="index-rsa_005fprivate_005fkey-324"></a></var><br>
3196 <blockquote><p><code>size</code> is the size, in octets, of the modulo, and is used internally.
3199 <code>a</code>, <code>b</code> and <code>c</code> are used. They are computed from <code>p</code>,
3202 </p></blockquote></div>
3204 <p>Before use, these structs must be initialized by calling one of
3207 — Function: void <b>rsa_public_key_init</b> (<var>struct rsa_public_key *pub</var>)<var><a name="index-rsa_005fpublic_005fkey_005finit-325"></a></var><br>
3208 — Function: void <b>rsa_private_key_init</b> (<var>struct rsa_private_key *key</var>)<var><a name="index-rsa_005fprivate_005fkey_005finit-326"></a></var><br>
3210 </p></blockquote></div>
3212 <p>and when finished with them, the space for the numbers must be
3213 deallocated by calling one of
3216 — Function: void <b>rsa_public_key_clear</b> (<var>struct rsa_public_key *pub</var>)<var><a name="index-rsa_005fpublic_005fkey_005fclear-327"></a></var><br>
3217 — Function: void <b>rsa_private_key_clear</b> (<var>struct rsa_private_key *key</var>)<var><a name="index-rsa_005fprivate_005fkey_005fclear-328"></a></var><br>
3219 </p></blockquote></div>
3222 memory allocation”-policy. Space for all the numbers, both in the key structs
3223 above, and temporaries, are allocated dynamically. For information on how
3224 to customize allocation, see
3227 <p>When you have assigned values to the attributes of a key, you must call
3230 — Function: int <b>rsa_public_key_prepare</b> (<var>struct rsa_public_key *pub</var>)<var><a name="index-rsa_005fpublic_005fkey_005fprepare-329"></a></var><br>
3231 — Function: int <b>rsa_private_key_prepare</b> (<var>struct rsa_private_key *key</var>)<var><a name="index-rsa_005fprivate_005fkey_005fprepare-330"></a></var><br>
3233 and may also do other basic sanity checks. Returns one if successful, or
3234 zero if the key can't be used, for instance if the modulo is smaller
3236 </p></blockquote></div>
3238 <p>Before signing or verifying a message, you first hash it with the
3239 appropriate hash function. You pass the hash function's context struct
3241 digest and do the rest of the work. There are also alternative functions
3242 that take the hash digest as argument.
3244 <p>There is currently no support for using SHA224 or SHA384 with
3246 time nor message size compared to using SHA256 and SHA512, respectively.
3248 <p>Creation and verification of signatures is done with the following functions:
3251 — Function: int <b>rsa_md5_sign</b> (<var>const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature</var>)<var><a name="index-rsa_005fmd5_005fsign-331"></a></var><br>
3252 — Function: int <b>rsa_sha1_sign</b> (<var>const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature</var>)<var><a name="index-rsa_005fsha1_005fsign-332"></a></var><br>
3253 — Function: int <b>rsa_sha256_sign</b> (<var>const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature</var>)<var><a name="index-rsa_005fsha256_005fsign-333"></a></var><br>
3254 — Function: int <b>rsa_sha512_sign</b> (<var>const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature</var>)<var><a name="index-rsa_005fsha512_005fsign-334"></a></var><br>
3257 used for new messages. Returns one on success, or zero on failure.
3258 Signing fails if the key is too small for the given hash size, e.g.,
3259 it's not possible to create a signature using SHA512 and a 512-bit
3261 </p></blockquote></div>
3264 — Function: int <b>rsa_md5_sign_digest</b> (<var>const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature</var>)<var><a name="index-rsa_005fmd5_005fsign_005fdigest-335"></a></var><br>
3265 — Function: int <b>rsa_sha1_sign_digest</b> (<var>const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature</var>)<var>;<a name="index-rsa_005fsha1_005fsign_005fdigest-336"></a></var><br>
3266 — Function: int <b>rsa_sha256_sign_digest</b> (<var>const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature</var>)<var>;<a name="index-rsa_005fsha256_005fsign_005fdigest-337"></a></var><br>
3267 — Function: int <b>rsa_sha512_sign_digest</b> (<var>const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature</var>)<var>;<a name="index-rsa_005fsha512_005fsign_005fdigest-338"></a></var><br>
3273 </p></blockquote></div>
3276 — Function: int <b>rsa_md5_verify</b> (<var>const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature</var>)<var><a name="index-rsa_005fmd5_005fverify-339"></a></var><br>
3277 — Function: int <b>rsa_sha1_verify</b> (<var>const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature</var>)<var><a name="index-rsa_005fsha1_005fverify-340"></a></var><br>
3278 — Function: int <b>rsa_sha256_verify</b> (<var>const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature</var>)<var><a name="index-rsa_005fsha256_005fverify-341"></a></var><br>
3279 — Function: int <b>rsa_sha512_verify</b> (<var>const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature</var>)<var><a name="index-rsa_005fsha512_005fverify-342"></a></var><br>
3281 the hash context is reset so that it can be used for new messages.
3282 </p></blockquote></div>
3285 — Function: int <b>rsa_md5_verify_digest</b> (<var>const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature</var>)<var><a name="index-rsa_005fmd5_005fverify_005fdigest-343"></a></var><br>
3286 — Function: int <b>rsa_sha1_verify_digest</b> (<var>const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature</var>)<var><a name="index-rsa_005fsha1_005fverify_005fdigest-344"></a></var><br>
3287 — Function: int <b>rsa_sha256_verify_digest</b> (<var>const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature</var>)<var><a name="index-rsa_005fsha256_005fverify_005fdigest-345"></a></var><br>
3288 — Function: int <b>rsa_sha512_verify_digest</b> (<var>const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature</var>)<var><a name="index-rsa_005fsha512_005fverify_005fdigest-346"></a></var><br>
3292 </p></blockquote></div>
3295 that isn't supported by the above functions Nettle also includes a
3300 — Function: void <b>rsa_compute_root</b> (<var>struct rsa_private_key *key, mpz_t x, const mpz_t m</var>)<var><a name="index-rsa_005fcompute_005froot-347"></a></var><br>
3302 </p></blockquote></div>
3304 <p>At last, how do you create new keys?
3307 — Function: int <b>rsa_generate_keypair</b> (<var>struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned n_size, unsigned e_size</var>)<var>;<a name="index-rsa_005fgenerate_005fkeypair-348"></a></var><br>
3309 resulting key pair is stored. The structs should be initialized, but you
3319 during the key generation process, in order to uphold an illusion of
3321 callbacks.
3324 is non-zero, it is the desired size of the public exponent and a random
3328 Returns one on success, and zero on failure. The function can fail for
3331 </p></blockquote></div>
3335 <p><hr>
3340 </div>
3342 <!-- node-name, next, previous, up -->
3349 for Digital Signature Standard. The most recent revision of the
3354 computation of discrete logarithms. The public key consists of a large
3364 bits, and sizes less than 1024 bits are considered obsolete and not
3365 secure.
3367 <p>The subgroup requirement means that if you compute
3370 </pre>
3372 distinct values.
3377 </pre>
3382 logarithm problem. Current algorithms to compute discrete logarithms in
3384 type works directly in the (multiplicative) group of integers mod
3386 Sieve, and it's complexity is similar to the complexity of factoring
3389 difficult group structure. One good algorithm is Pollard-rho, which has
3394 of both discrete logarithm methods are comparable. Today, the security
3397 is expected to take about the same time as factoring a 1024-bit
3402 say, 4096 bits. This will provide excellent resistance against attacks
3403 like the number field sieve which works in the large group. But it will
3404 do very little to defend against Pollard-rho attacking the small
3405 subgroup; the attacker is slowed down at most by a single factor of 10
3406 due to the more expensive group operation. And the attacker will surely
3407 choose the latter attack.
3409 <p>The signature generation algorithm is randomized; in order to create a
3414 <p>To create a signature, one starts with the hash digest of the message,
3419 s = k^-1 (h + x r) mod q
3420 </pre>
3426 then one computes backwards,
3429 v = (g^(w h) y^(w r) mod p) mod q
3430 </pre>
3435 </pre>
3438 numbers are secret.
3445 does not provide a large security margin, and it should probably be
3449 2048 bits or more, should provide for a more comfortable security
3450 margin, but these variants are not yet in wide use.
3453 which is important for some specialized applications.
3456 randomness source is a serious disadvantage. If you ever use the same
3458 key.
3468 pointed out below. For a start, there are no functions corresponding to
3472 — Context struct: <b>dsa_public_key</b><var> p q g y<a name="index-dsa_005fpublic_005fkey-349"></a></var><br>
3473 <blockquote><p>The public parameters described above.
3474 </p></blockquote></div>
3477 — Context struct: <b>dsa_private_key</b><var> x<a name="index-dsa_005fprivate_005fkey-350"></a></var><br>
3479 </p></blockquote></div>
3481 <p>Before use, these structs must be initialized by calling one of
3484 — Function: void <b>dsa_public_key_init</b> (<var>struct dsa_public_key *pub</var>)<var><a name="index-dsa_005fpublic_005fkey_005finit-351"></a></var><br>
3485 — Function: void <b>dsa_private_key_init</b> (<var>struct dsa_private_key *key</var>)<var><a name="index-dsa_005fprivate_005fkey_005finit-352"></a></var><br>
3487 </p></blockquote></div>
3489 <p>When finished with them, the space for the numbers must be
3490 deallocated by calling one of
3493 — Function: void <b>dsa_public_key_clear</b> (<var>struct dsa_public_key *pub</var>)<var><a name="index-dsa_005fpublic_005fkey_005fclear-353"></a></var><br>
3494 — Function: void <b>dsa_private_key_clear</b> (<var>struct dsa_private_key *key</var>)<var><a name="index-dsa_005fprivate_005fkey_005fclear-354"></a></var><br>
3496 </p></blockquote></div>
3498 <p>Signatures are represented using the structure below, and need to be
3499 initialized and cleared in the same way as the key structs.
3502 — Context struct: <b>dsa_signature</b><var> r s<a name="index-dsa_005fsignature-355"></a></var><br>
3503 </div>
3506 — Function: void <b>dsa_signature_init</b> (<var>struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsignature_005finit-356"></a></var><br>
3507 — Function: void <b>dsa_signature_clear</b> (<var>struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsignature_005fclear-357"></a></var><br>
3510 with it.
3511 </p></blockquote></div>
3513 <p>For signing, you need to provide both the public and the private key
3515 information needed for signing), and a source for random numbers.
3519 of official test vectors and interoperability testing.
3522 — Function: int <b>dsa_sha1_sign</b> (<var>const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha1_ctx *hash, struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha1_005fsign-358"></a></var><br>
3523 — Function: int <b>dsa_sha1_sign_digest</b> (<var>const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha1_005fsign_005fdigest-359"></a></var><br>
3524 — Function: int <b>dsa_sha256_sign</b> (<var>const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha256_ctx *hash, struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha256_005fsign-360"></a></var><br>
3525 — Function: int <b>dsa_sha256_sign_digest</b> (<var>const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha256_005fsign_005fdigest-361"></a></var><br>
3526 <blockquote><p>Creates a signature from the given hash context or digest.
3531 Signing fails if the key size and the hash size don't match.
3532 </p></blockquote></div>
3534 <p>Verifying signatures is a little easier, since no randomness generator is
3535 needed. The functions are
3538 — Function: int <b>dsa_sha1_verify</b> (<var>const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha1_005fverify-362"></a></var><br>
3539 — Function: int <b>dsa_sha1_verify_digest</b> (<var>const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha1_005fverify_005fdigest-363"></a></var><br>
3540 — Function: int <b>dsa_sha256_verify</b> (<var>const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha256_005fverify-364"></a></var><br>
3541 — Function: int <b>dsa_sha256_verify_digest</b> (<var>const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature</var>)<var><a name="index-dsa_005fsha256_005fverify_005fdigest-365"></a></var><br>
3543 </p></blockquote></div>
3545 <p>Key generation uses mostly the same parameters as the corresponding
3549 — Function: int <b>dsa_generate_keypair</b> (<var>struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned p_bits, unsigned q_bits</var>)<var><a name="index-dsa_005fgenerate_005fkeypair-366"></a></var><br>
3550 <blockquote><p><var>pub</var> and <var>key</var> is where the resulting key pair is stored. The
3551 structs should be initialized before you call this function.
3559 during the key generation process, in order to uphold an illusion of
3561 callbacks.
3567 smaller sizes are no longer recommended, so you should most likely stick
3570 can not in general be expected to support such keys. Also note that
3572 make much sense, because the security is also limited by the size of the
3578 <p>Returns one on success, and zero on failure. The function will fail if
3580 small.
3581 </p></blockquote></div>
3585 <p><hr>
3589 </div>
3591 <!-- node-name, next, previous, up -->
3594 <p>For cryptographic purposes, an elliptic curve is a mathematical group of
3595 points, and computing logarithms in this group is computationally
3596 difficult problem. Nettle uses additive notation for elliptic curve
3597 groups. If P and Q are two points, and k is an
3598 integer, the point sum, P + Q, and the multiple k P can be
3599 computed efficiently, but given only two points P and Q,
3600 finding an integer k such that Q = k P is the elliptic
3601 curve discrete logarithm problem.
3605 both considered as integers modulo a specified prime p. Curves
3607 declared in <samp><span class="file"><nettle/ecc-curve.h></span></samp>, e.g., <code>nettle_secp_256r1</code>
3611 shorthand for the bitsize of the curve's prime p, e.g., 256 bits
3616 <p>Nettle's implementation of the elliptic curve operations is intended to
3617 be side-channel silent. The side-channel attacks considered are:
3619 <ul>
3620 <li>Timing attacks
3621 If the timing of operations depends on secret values, an attacker
3622 interacting with your system can measure the response time, and infer
3623 information about your secrets, e.g., a private signature key.
3625 <li>Attacks using memory caches
3626 Assume you have some secret data on a multi-user system, and that this
3627 data is properly protected so that other users get no direct access to
3628 it. If you have a process operating on the secret data, and this process
3629 does memory accesses depending on the data, e.g, an internal lookup
3630 table in some cryptographic algorithm, an attacker running a separate
3631 process on the same system may use behavior of internal CPU caches to
3632 get information about your secrets.
3633 </ul>
3636 and not leak any information to these attacks. Timing and memory
3637 accesses depend only on the size of the input data and its location in
3638 memory, not on the actual data bits. This implies a performance penalty
3639 in several of the building blocks.
3644 which works over an elliptic curve group rather than over a (subgroup
3645 of) integers modulo p. Like DSA, creating a signature requires a unique
3646 random nonce (repeating the nonce with two different messages reveals
3647 the private key, and any leak or bias in the generation of the nonce
3648 also leaks information about the key).
3650 <p>Unlike DSA, signatures are in general not tied to any particular hash
3651 function or even hash size. Any hash function can be used, and the hash
3652 value is truncated or padded as needed to get a size matching the curve
3653 being used. It is recommended to use a strong cryptographic hash
3654 function with digest size close to the bit size of the curve, e.g.,
3655 SHA256 is a reasonable choice when using ECDSA signature over the curve
3656 secp256r1. A protocol or application using ECDSA has to specify which
3657 curve and which hash function to use, or provide some mechanism for
3658 negotiating.
3660 <p>Nettle defines ECDSA in <samp><span class="file"><nettle/ecdsa.h></span></samp>. We first need
3661 to define the data types used to represent public and private keys.
3664 — struct: <b>struct ecc_point</b><var><a name="index-struct-ecc_005fpoint-367"></a></var><br>
3665 <blockquote><p>Represents a point on an elliptic curve. In particular, it is used to
3666 represent an ECDSA public key.
3667 </p></blockquote></div>
3670 — Function: void <b>ecc_point_init</b> (<var>struct ecc_point *p, const structecc_curve *ecc</var>)<var><a name="index-ecc_005fpoint_005finit-368"></a></var><br>
3672 Allocates storage for the coordinates, using the same allocation
3673 functions as GMP.
3674 </p></blockquote></div>
3677 — Function: void <b>ecc_point_clear</b> (<var>struct ecc_point *p</var>)<var><a name="index-ecc_005fpoint_005fclear-369"></a></var><br>
3678 <blockquote><p>Deallocate storage.
3679 </p></blockquote></div>
3682 — Function: int <b>ecc_point_set</b> (<var>struct ecc_point *p, const mpz_t x, const mpz_t y</var>)<var><a name="index-ecc_005fpoint_005fset-370"></a></var><br>
3683 <blockquote><p>Check that the given coordinates represent a point on the curve. If so,
3684 the coordinates are copied and converted to internal representation, and
3686 infinity point (or zero point, with additive notation) i snot allowed.
3687 </p></blockquote></div>
3690 — Function: void <b>ecc_point_get</b> (<var>const struct ecc_point *p, mpz_t x, mpz_t y</var>)<var><a name="index-ecc_005fpoint_005fget-371"></a></var><br>
3693 coordinate.
3694 </p></blockquote></div>
3697 — struct: <b>struct ecc_scalar</b><var><a name="index-struct-ecc_005fscalar-372"></a></var><br>
3700 is used to represent an ECDSA private key.
3701 </p></blockquote></div>
3704 — Function: void <b>ecc_scalar_init</b> (<var>struct ecc_scalar *s, const struct ecc_curve *ecc</var>)<var><a name="index-ecc_005fscalar_005finit-373"></a></var><br>
3707 </p></blockquote></div>
3710 — Function: void <b>ecc_scalar_clear</b> (<var>struct ecc_scalar *s</var>)<var><a name="index-ecc_005fscalar_005fclear-374"></a></var><br>
3711 <blockquote><p>Deallocate storage.
3712 </p></blockquote></div>
3715 — Function: int <b>ecc_scalar_set</b> (<var>struct ecc_scalar *s, const mpz_t z</var>)<var><a name="index-ecc_005fscalar_005fset-375"></a></var><br>
3718 </p></blockquote></div>
3721 — Function: void <b>ecc_scalar_get</b> (<var>const struct ecc_scalar *s, mpz_t z</var>)<var><a name="index-ecc_005fscalar_005fget-376"></a></var><br>
3723 </p></blockquote></div>
3725 <p>To create and verify ECDSA signatures, the following functions are used.
3728 — Function: void <b>ecdsa_sign</b> (<var>const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, unsigned digest_length, const uint8_t *digest, struct dsa_signature *signature</var>)<var><a name="index-ecdsa_005fsign-377"></a></var><br>
3734 </p></blockquote></div>
3737 — Function: int <b>ecdsa_verify</b> (<var>const struct ecc_point *pub, unsigned length, const uint8_t *digest, const struct dsa_signature *signature</var>)<var><a name="index-ecdsa_005fverify-378"></a></var><br>
3738 <blockquote><p>Uses the public key <var>pub</var> to verify that <var>signature</var> is a valid
3741 </p></blockquote></div>
3743 <p>Finally, to generation of new an ECDSA key pairs
3746 — Function: void <b>ecdsa_generate_keypair</b> (<var>struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random</var>)<var>;<a name="index-ecdsa_005fgenerate_005fkeypair-379"></a></var><br>
3747 <blockquote><p><var>pub</var> and <var>key</var> is where the resulting key pair is stored. The
3748 structs should be initialized, for the desired ECC curve, before you call this function.
3754 </p></blockquote></div>
3758 <p><hr>
3760 Previous: <a rel="previous" accesskey="p" href="#Public_002dkey-algorithms">Public-key algorithms</a>,
3763 </div>
3765 <!-- node-name, next, previous, up -->
3769 A crucial ingredient in many cryptographic contexts is randomness: Let
3772 the theories, it is assumed that you have plenty of randomness around.
3773 If this assumption is not true in practice, systems that are otherwise
3774 perfectly secure, can be broken. Randomness has often turned out to be
3775 the weakest link in the chain.
3777 <p>In non-cryptographic applications, such as games as well as scientific
3778 simulation, a good randomness generator usually means a generator that
3779 has good statistical properties, and is seeded by some simple function
3780 of things like the current time, process id, and host name.
3782 <p>However, such a generator is inadequate for cryptography, for at least
3783 two reasons:
3785 <ul>
3786 <li>It's too easy for an attacker to guess the initial seed. Even if it will
3789 is one second, and the attacker knows what day the generator was seeded,
3791 for the process id and time-of-day are tried.
3793 <li>The generator output reveals too much. By observing only a small segment
3794 of the generator's output, its internal state can be recovered, and from
3795 there, all previous output and all future output can be computed by the
3796 attacker.
3797 </ul>
3799 <p>A randomness generator that is used for cryptographic purposes must have
3800 better properties. Let's first look at the seeding, as the issues here
3801 are mostly independent of the rest of the generator. The initial state
3802 of the generator (its seed) must be unguessable by the attacker. So
3803 what's unguessable? It depends on what the attacker already knows. The
3804 concept used in information theory to reason about such things is called
3806 thermodynamic concept with the same name). A reasonable requirement is
3808 bits. This property can be explained as follows: Allow the attacker to
3810 the attacker, using this question-and-answer session, as well as any
3811 other information he knows about the seeding process, still can't guess
3813 bits.
3816 Let's look at an example. Say information about timing of received
3817 network packets is used in the seeding process. If there is some random
3818 network traffic going on, this will contribute some bits of entropy or
3820 the local network, or if all but a small number of the packets were
3821 transmitted by machines that the attacker can monitor, this additional
3822 information makes the seed easier for the attacker to figure out. Even
3823 if the information is exactly the same, the conditional entropy, or
3824 unguessability, is smaller for an attacker that knows some of it already
3825 before the hypothetical question-and-answer session.
3827 <p>Seeding of good generators is usually based on several sources. The key
3828 point here is that the amount of unguessability that each source
3829 contributes, depends on who the attacker is. Some sources that have been
3830 used are:
3832 <dl>
3833 <dt>High resolution timing of i/o activities<dd>Such as completed blocks from spinning hard disks, network packets, etc.
3834 Getting access to such information is quite system dependent, and not
3835 all systems include suitable hardware. If available, it's one of the
3836 better randomness source one can find in a digital, mostly predictable,
3837 computer.
3839 <br><dt>User activity<dd>Timing and contents of user interaction events is another popular source
3840 that is available for interactive programs (even if I suspect that it is
3841 sometimes used in order to make the user feel good, not because the
3842 quality of the input is needed or used properly). Obviously, not
3843 available when a machine is unattended. Also beware of networks: User
3846 full or partially.
3849 source of some random background noise, which can be fed into the
3850 seeding process.
3852 <br><dt>Specialized hardware<dd>Hardware devices with the sole purpose of generating random data have
3853 been designed. They range from radioactive samples with an attached
3854 Geiger counter, to amplification of the inherent noise in electronic
3855 components such as diodes and resistors, to low-frequency sampling of
3856 chaotic systems. Hashing successive images of a Lava lamp is a
3857 spectacular example of the latter type.
3859 <br><dt>Secret information<dd>Secret information, such as user passwords or keys, or private files
3860 stored on disk, can provide some unguessability. A problem is that if
3861 the information is revealed at a later time, the unguessability
3862 vanishes. Another problem is that this kind of information tends to be
3863 fairly constant, so if you rely on it and seed your generator regularly,
3864 you risk constructing almost similar seeds or even constructing the same
3865 seed more than once.
3866 </dl>
3868 <p>For all practical sources, it's difficult but important to provide a
3869 reliable lower bound on the amount of unguessability that it provides.
3870 Two important points are to make sure that the attacker can't observe
3871 your sources (so if you like the Lava lamp idea, remember that you have
3872 to get your own lamp, and not put it by a window or anywhere else where
3873 strangers can see it), and that hardware failures are detected. What if
3874 the bulb in the Lava lamp, which you keep locked into a cupboard
3875 following the above advice, breaks after a few months?
3877 <p>So let's assume that we have been able to find an unguessable seed,
3878 which contains at least 80 bits of conditional entropy, relative to all
3879 attackers that we care about (typically, we must at the very least
3880 assume that no attacker has root privileges on our machine).
3882 <p>How do we generate output from this seed, and how much can we get? Some
3883 generators (notably the Linux <samp><span class="file">/dev/random</span></samp> generator) tries to
3884 estimate available entropy and restrict the amount of output. The goal
3885 is that if you read 128 bits from <samp><span class="file">/dev/random</span></samp>, you should get 128
3887 specialized circumstances, for instance when generating key material for
3888 a one time pad, or when working with unconditional blinding, but in most
3889 cases, it doesn't matter much. For most application, there's no limit on
3891 seed; what matters is that the seed is unguessable and that the
3892 generator has good cryptographic properties.
3894 <p>At the heart of all generators lies its internal state. Future output
3895 is determined by the internal state alone. Let's call it the generator's
3896 key. The key is initialized from the unguessable seed. Important
3897 properties of a generator are:
3899 <dl>
3900 <dt><dfn>Key-hiding</dfn><dd>An attacker observing the output should not be able to recover the
3901 generator's key.
3903 <br><dt><dfn>Independence of outputs</dfn><dd>Observing some of the output should not help the attacker to guess
3904 previous or future output.
3906 <br><dt><dfn>Forward secrecy</dfn><dd>Even if an attacker compromises the generator's key, he should not be
3909 <br><dt><dfn>Recovery from key compromise</dfn><dd>If an attacker compromises the generator's key, he can compute
3911 only once, at startup. However, the generator can provide a reseeding
3912 mechanism, to achieve recovery from key compromise. More precisely: If
3918 </dl>
3920 <p>Nettle includes one randomness generator that is believed to have all
3921 the above properties, and two simpler ones.
3924 generator. Its output should be of reasonable quality, if the seed is
3926 no single natural way to reseed it, but if you need reseeding, you
3927 should be using Yarrow instead.
3929 <p>The “lagged Fibonacci” generator in <samp><span class="file"><nettle/knuth-lfib.h></span></samp> is a
3931 cryptographic use, and therefore not documented here. It is included
3932 mostly because the Nettle test suite needs to generate some test data
3933 from a small seed.
3935 <p>The recommended generator to use is Yarrow, described below.
3939 <p>Yarrow is a family of pseudo-randomness generators, designed for
3940 cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson.
3941 Yarrow-160 is described in a paper at
3942 <a href="http://www.counterpane.com/yarrow.html">http://www.counterpane.com/yarrow.html</a>, and it uses <acronym>SHA1</acronym>
3943 and triple-DES, and has a 160-bit internal state. Nettle implements
3947 <p>Yarrow was an almost finished project, the paper mentioned above is the
3948 closest thing to a specification for it, but some smaller details are
3949 left out. There is no official reference implementation or test cases.
3950 This section includes an overview of Yarrow, but for the details of
3951 Yarrow-256, as implemented by Nettle, you have to consult the source
3952 code. Maybe a complete specification can be written later.
3954 <p>Yarrow can use many sources (at least two are needed for proper
3955 reseeding), and two randomness “pools”, referred to as the “slow pool” and
3957 two pools. When one of the sources has contributed 100 bits of entropy
3959 into the internal state. When at least two of the sources have
3961 takes place. The contents of both pools are mixed into the internal
3962 state. These procedures should ensure that the generator will eventually
3963 recover after a key compromise.
3966 using the generator's current key. After each request for output,
3967 another 256 bits are generated which replace the key. This ensures
3968 forward secrecy.
3971 Yarrow is seeded by either feeding it the contents of the previous seed
3972 file, or feeding it input from its sources until a slow reseed happens.
3974 <p>Nettle defines Yarrow-256 in <samp><span class="file"><nettle/yarrow.h></span></samp>.
3977 — Context struct: <b>struct yarrow256_ctx</b><var><a name="index-struct-yarrow256_005fctx-383"></a></var><br>
3978 </div>
3981 — Context struct: <b>struct yarrow_source</b><var><a name="index-struct-yarrow_005fsource-384"></a></var><br>
3982 <blockquote><p>Information about a single source.
3983 </p></blockquote></div>
3986 — Constant: <b>YARROW256_SEED_FILE_SIZE</b><var><a name="index-YARROW256_005fSEED_005fFILE_005fSIZE-385"></a></var><br>
3988 </p></blockquote></div>
3991 — Function: void <b>yarrow256_init</b> (<var>struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources</var>)<var><a name="index-yarrow256_005finit-386"></a></var><br>
3994 you don't need the update features.
3995 </p></blockquote></div>
3998 — Function: void <b>yarrow256_seed</b> (<var>struct yarrow256_ctx *ctx, unsigned length, uint8_t *seed_file</var>)<var><a name="index-yarrow256_005fseed-387"></a></var><br>
3999 <blockquote><p>Seeds Yarrow-256 from a previous seed file. <var>length</var> should be at least
4005 possible for several processes to read the seed file at about the same
4006 time, access must be coordinated using some locking mechanism.
4007 </p></blockquote></div>
4010 — Function: int <b>yarrow256_update</b> (<var>struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, unsigned length, const uint8_t *data</var>)<var><a name="index-yarrow256_005fupdate-388"></a></var><br>
4013 estimated lower bound for the entropy in the data, measured in bits.
4015 data is random or not.
4018 seed file may want to generate new seed data with
4020 function returns 0.
4021 </p></blockquote></div>
4024 — Function: void <b>yarrow256_random</b> (<var>struct yarrow256_ctx *ctx, unsigned length, uint8_t *dst</var>)<var><a name="index-yarrow256_005frandom-389"></a></var><br>
4026 before you call this function.
4028 <p>If you don't need forward secrecy, e.g. if you need non-secret
4029 randomness for initialization vectors or padding, you can gain some
4030 efficiency by buffering, calling this function for reasonably large
4032 </p></blockquote></div>
4035 — Function: int <b>yarrow256_is_seeded</b> (<var>struct yarrow256_ctx *ctx</var>)<var><a name="index-yarrow256_005fis_005fseeded-390"></a></var><br>
4037 otherwise 0.
4038 </p></blockquote></div>
4041 — Function: unsigned <b>yarrow256_needed_sources</b> (<var>struct yarrow256_ctx *ctx</var>)<var><a name="index-yarrow256_005fneeded_005fsources-391"></a></var><br>
4042 <blockquote><p>Returns the number of sources that must reach the threshold before a
4043 slow reseed will happen. Useful primarily when the generator is unseeded.
4044 </p></blockquote></div>
4047 — Function: void <b>yarrow256_fast_reseed</b> (<var>struct yarrow256_ctx *ctx</var>)<var><a name="index-yarrow256_005ffast_005freseed-392"></a></var><br>
4048 — Function: void <b>yarrow256_slow_reseed</b> (<var>struct yarrow256_ctx *ctx</var>)<var><a name="index-yarrow256_005fslow_005freseed-393"></a></var><br>
4049 <blockquote><p>Causes a fast or slow reseed to take place immediately, regardless of the
4050 current entropy estimates of the two pools. Use with care.
4051 </p></blockquote></div>
4053 <p>Nettle includes an entropy estimator for one kind of input source: User
4054 keyboard input.
4057 — Context struct: <b>struct yarrow_key_event_ctx</b><var><a name="index-struct-yarrow_005fkey_005fevent_005fctx-394"></a></var><br>
4058 <blockquote><p>Information about recent key events.
4059 </p></blockquote></div>
4062 — Function: void <b>yarrow_key_event_init</b> (<var>struct yarrow_key_event_ctx *ctx</var>)<var><a name="index-yarrow_005fkey_005fevent_005finit-395"></a></var><br>
4063 <blockquote><p>Initializes the context.
4064 </p></blockquote></div>
4067 — Function: unsigned <b>yarrow_key_event_estimate</b> (<var>struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time</var>)<var><a name="index-yarrow_005fkey_005fevent_005festimate-396"></a></var><br>
4069 keysym, <small class="dots">...</small>, it doesn't matter), and <var>time</var> is the timestamp of
4070 the event. The time must be given in units matching the resolution by
4071 which you read the clock. If you read the clock with microsecond
4075 units of 10 microseconds.
4077 <p>Returns an entropy estimate, in bits, suitable for calling
4079 </p></blockquote></div>
4083 <p><hr>
4084 Next: <a rel="next" accesskey="n" href="#Miscellaneous-functions">Miscellaneous functions</a>,
4088 </div>
4090 <!-- node-name, next, previous, up -->
4093 <p>Encryption will transform your data from text into binary format, and that
4094 may be a problem if you want, for example, to send the data as if it was
4095 plain text in an email (or store it along with descriptive text in a
4096 file). You may then use an encoding from binary to text: each binary byte
4097 is translated into a number of bytes of plain text.
4099 <p>A base-N encoding of data is one representation of data that only uses N
4100 different symbols (instead of the 256 possible values of a byte).
4102 <p>The base64 encoding will always use alphanumeric (upper and lower case)
4103 characters and the '+', '/' and '=' symbols to represent the data. Four
4104 output characters are generated for each three bytes of input. In case
4105 the length of the input is not a multiple of three, padding characters
4106 are added at the end.
4109 digits and the letters from A to F. Two hexadecimal digits are generated
4110 for each input byte. Base16 may be useful if you want to use the data
4111 for filenames or URLs, for example.
4113 <p>Nettle supports both base64 and base16 encoding and decoding.
4115 <p>Encoding and decoding uses a context struct to maintain its state (with
4116 the exception of base16 encoding, which doesn't need any). To encode or
4117 decode the your data, first initialize the context, then call the update
4118 function as many times as necessary, and complete the operation by
4119 calling the final function.
4121 <p>The following functions can be used to perform base64 encoding and decoding.
4125 — Context struct: <b>struct base64_encode_ctx</b><var><a name="index-struct-base64_005fencode_005fctx-397"></a></var><br>
4126 </div>
4129 — Function: void <b>base64_encode_init</b> (<var>struct base64_encode_ctx *ctx</var>)<var><a name="index-base64_005fencode_005finit-398"></a></var><br>
4130 <blockquote><p>Initializes a base64 context. This is necessary before starting an encoding
4131 session.
4132 </p></blockquote></div>
4135 — Function: unsigned <b>base64_encode_single</b> (<var>struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src</var>)<var><a name="index-base64_005fencode_005fsingle-399"></a></var><br>
4137 </p></blockquote></div>
4140 — Macro: <b>BASE64_ENCODE_LENGTH</b> (<var>length</var>)<var><a name="index-BASE64_005fENCODE_005fLENGTH-400"></a></var><br>
4143 </p></blockquote></div>
4146 — Function: unsigned <b>base64_encode_update</b> (<var>struct base64_encode_ctx *ctx, uint8_t *dst, unsigned length, const uint8_t *src</var>)<var><a name="index-base64_005fencode_005fupdate-401"></a></var><br>
4147 <blockquote><p>After <var>ctx</var> is initialized, this function may be called to encode <var>length</var>
4151 </p></blockquote></div>
4154 — Constant: <b>BASE64_ENCODE_FINAL_LENGTH</b><var><a name="index-BASE64_005fENCODE_005fFINAL_005fLENGTH-402"></a></var><br>
4156 </p></blockquote></div>
4159 — Function: unsigned <b>base64_encode_final</b> (<var>struct base64_encode_ctx *ctx, uint8_t *dst</var>)<var><a name="index-base64_005fencode_005ffinal-403"></a></var><br>
4160 <blockquote><p>After calling base64_encode_update one or more times, this function
4161 should be called to generate the final output bytes, including any
4162 needed paddding. The return value is the number of output bytes
4163 generated.
4164 </p></blockquote></div>
4167 — Context struct: <b>struct base64_decode_ctx</b><var><a name="index-struct-base64_005fdecode_005fctx-404"></a></var><br>
4168 </div>
4171 — Function: void <b>base64_decode_init</b> (<var>struct base64_decode_ctx *ctx</var>)<var><a name="index-base64_005fdecode_005finit-405"></a></var><br>
4172 <blockquote><p>Initializes a base64 decoding context. This is necessary before starting a decoding
4173 session.
4174 </p></blockquote></div>
4177 — Function: int <b>base64_decode_single</b> (<var>struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src</var>)<var><a name="index-base64_005fdecode_005fsingle-406"></a></var><br>
4180 </p></blockquote></div>
4183 — Macro: <b>BASE64_DECODE_LENGTH</b> (<var>length</var>)<var><a name="index-BASE64_005fDECODE_005fLENGTH-407"></a></var><br>
4186 </p></blockquote></div>
4189 — Function: void <b>base64_decode_update</b> (<var>struct base64_decode_ctx *ctx, unsigned *dst_length, uint8_t *dst, unsigned src_length, const uint8_t *src</var>)<var><a name="index-base64_005fdecode_005fupdate-408"></a></var><br>
4190 <blockquote><p>After <var>ctx</var> is initialized, this function may be called to decode <var>src_length</var>
4193 should be initialized to the size of that area before the call.
4196 </p></blockquote></div>
4199 — Function: int <b>base64_decode_final</b> (<var>struct base64_decode_ctx *ctx</var>)<var><a name="index-base64_005fdecode_005ffinal-409"></a></var><br>
4201 error.
4202 </p></blockquote></div>
4204 <p>Similarly to the base64 functions, the following functions perform base16 encoding,
4205 and are defined in <samp><span class="file"><nettle/base16.h></span></samp>. Note that there is no encoding context
4206 necessary for doing base16 encoding.
4209 — Function: void <b>base16_encode_single</b> (<var>uint8_t *dst, uint8_t src</var>)<var><a name="index-base16_005fencode_005fsingle-410"></a></var><br>
4210 <blockquote><p>Encodes a single byte. Always stores two digits in <var>dst</var>[0] and <var>dst</var>[1].
4211 </p></blockquote></div>
4214 — Macro: <b>BASE16_ENCODE_LENGTH</b> (<var>length</var>)<var><a name="index-BASE16_005fENCODE_005fLENGTH-411"></a></var><br>
4217 </p></blockquote></div>
4220 — Function: void <b>base16_encode_update</b> (<var>uint8_t *dst, unsigned length, const uint8_t *src</var>)<var><a name="index-base16_005fencode_005fupdate-412"></a></var><br>
4222 </p></blockquote></div>
4225 — Context struct: <b>struct base16_decode_ctx</b><var><a name="index-struct-base16_005fdecode_005fctx-413"></a></var><br>
4226 </div>
4229 — Function: void <b>base16_decode_init</b> (<var>struct base16_decode_ctx *ctx</var>)<var><a name="index-base16_005fdecode_005finit-414"></a></var><br>
4230 <blockquote><p>Initializes a base16 decoding context. This is necessary before starting a decoding
4231 session.
4232 </p></blockquote></div>
4235 — Function: int <b>base16_decode_single</b> (<var>struct base16_decode_ctx *ctx, uint8_t *dst, uint8_t src</var>)<var><a name="index-base16_005fdecode_005fsingle-415"></a></var><br>
4236 <blockquote><p>Decodes a single byte from <var>src</var> into <var>dst</var>. Returns amount of output (0 or 1), or -1 on errors.
4237 </p></blockquote></div>
4240 — Macro: <b>BASE16_DECODE_LENGTH</b> (<var>length</var>)<var><a name="index-BASE16_005fDECODE_005fLENGTH-416"></a></var><br>
4243 </p></blockquote></div>
4246 — Function: int <b>base16_decode_update</b> (<var>struct base16_decode_ctx *ctx, unsigned *dst_length, uint8_t *dst, unsigned src_length, const uint8_t *src</var>)<var><a name="index-base16_005fdecode_005fupdate-417"></a></var><br>
4247 <blockquote><p>After <var>ctx</var> is initialized, this function may be called to decode <var>src_length</var>
4250 should be initialized to the size of that area before the call.
4253 </p></blockquote></div>
4256 — Function: int <b>base16_decode_final</b> (<var>struct base16_decode_ctx *ctx</var>)<var><a name="index-base16_005fdecode_005ffinal-418"></a></var><br>
4257 <blockquote><p>Checks that the end of data is correct (i.e., an even number of
4259 error.
4260 </p></blockquote></div>
4264 <p><hr>
4265 Next: <a rel="next" accesskey="n" href="#Compatibility-functions">Compatibility functions</a>,
4269 </div>
4271 <!-- node-name, next, previous, up -->
4275 — Function: uint8_t * <b>memxor</b> (<var>uint8_t *dst, const uint8_t *src, size_t n</var>)<var><a name="index-memxor-419"></a></var><br>
4276 <blockquote><p>XORs the source area on top of the destination area. The interface
4277 doesn't follow the Nettle conventions, because it is intended to be
4279 </p></blockquote></div>
4281 <p><code>memxor</code> is declared in <samp><span class="file"><nettle/memxor.h></span></samp>.
4285 <p><hr>
4286 Previous: <a rel="previous" accesskey="p" href="#Miscellaneous-functions">Miscellaneous functions</a>,
4289 </div>
4291 <!-- node-name, next, previous, up -->
4294 <p>For convenience, Nettle includes alternative interfaces to some
4295 algorithms, for compatibility with some other popular crypto toolkits.
4296 These are not fully documented here; refer to the source or to the
4297 documentation for the original implementation.
4300 Nettle defines a compatible interface to MD5 in
4301 <samp><span class="file"><nettle/md5-compat.h></span></samp>. This file defines the typedef
4302 <code>MD5_CTX</code>, and declares the functions <code>MD5Init</code>, <code>MD5Update</code> and
4306 implementation. Nettle includes a subset if its interface in
4307 <samp><span class="file"><nettle/des-compat.h></span></samp>. This file defines the typedefs
4319 <p><hr>
4324 </div>
4326 <!-- node-name, next, previous, up -->
4331 <ul>
4337 <li>a tad white pepper
4338 <li>some cream or milk
4339 </ul>
4342 preferable but the tops of larger nettles can also be used.
4345 water. Strain the nettles and save the water. Hack the nettles. Melt the
4346 butter and mix in the flour. Dilute with stock and the nettle-water you
4347 saved earlier. Add the hacked nettles. If you wish you can add some milk
4348 or cream at this stage. Bring to a boil and let boil for a few minutes.
4349 Season with salt and pepper.
4351 <p>Serve with boiled egg-halves.
4353 <!-- And the original Swedish version. -->
4356 <p><hr>
4361 </div>
4363 <!-- node-name, next, previous, up -->
4366 <p>Nettle uses <samp><span class="command">autoconf</span></samp>. To build it, unpack the source and run
4369 make
4370 make check
4371 make install
4372 </pre>
4373 <p class="noindent">to install in under the default prefix, <samp><span class="file">/usr/local</span></samp>.
4377 <p>By default, both static and shared libraries are built and installed. To
4378 omit building the shared libraries, use the <samp><span class="option"> --disable-shared</span></samp>
4381 <p>Using GNU make is recommended. For other make programs, in particular
4382 BSD make, you may have to use the <samp><span class="option">--disable-dependency-tracking</span></samp>
4387 <p><hr>
4391 </div>
4393 <!-- node-name, next, previous, up -->
4397 <li><a href="#index-aes_005fdecrypt-113"><code>aes_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4398 <li><a href="#index-aes_005fencrypt-112"><code>aes_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4399 <li><a href="#index-aes_005finvert_005fkey-111"><code>aes_invert_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4400 <li><a href="#index-aes_005fset_005fdecrypt_005fkey-110"><code>aes_set_decrypt_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4401 <li><a href="#index-aes_005fset_005fencrypt_005fkey-109"><code>aes_set_encrypt_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4402 <li><a href="#index-arcfour_005fcrypt-119"><code>arcfour_crypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4403 <li><a href="#index-arcfour_005fset_005fkey-118"><code>arcfour_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4404 <li><a href="#index-arctwo_005fdecrypt-129"><code>arctwo_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4405 <li><a href="#index-arctwo_005fencrypt-128"><code>arctwo_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4406 <li><a href="#index-arctwo_005fset_005fkey-126"><code>arctwo_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4407 <li><a href="#index-arctwo_005fset_005fkey_005fekb-125"><code>arctwo_set_key_ekb</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4408 <li><a href="#index-arctwo_005fset_005fkey_005fgutmann-127"><code>arctwo_set_key_gutmann</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4409 <li><a href="#index-base16_005fdecode_005ffinal-418"><code>base16_decode_final</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4410 <li><a href="#index-base16_005fdecode_005finit-414"><code>base16_decode_init</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4411 <li><a href="#index-BASE16_005fDECODE_005fLENGTH-416"><code>BASE16_DECODE_LENGTH</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4412 <li><a href="#index-base16_005fdecode_005fsingle-415"><code>base16_decode_single</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4413 <li><a href="#index-base16_005fdecode_005fupdate-417"><code>base16_decode_update</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4414 <li><a href="#index-BASE16_005fENCODE_005fLENGTH-411"><code>BASE16_ENCODE_LENGTH</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4415 <li><a href="#index-base16_005fencode_005fsingle-410"><code>base16_encode_single</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4416 <li><a href="#index-base16_005fencode_005fupdate-412"><code>base16_encode_update</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4417 <li><a href="#index-base64_005fdecode_005ffinal-409"><code>base64_decode_final</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4418 <li><a href="#index-base64_005fdecode_005finit-405"><code>base64_decode_init</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4419 <li><a href="#index-BASE64_005fDECODE_005fLENGTH-407"><code>BASE64_DECODE_LENGTH</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4420 <li><a href="#index-base64_005fdecode_005fsingle-406"><code>base64_decode_single</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4421 <li><a href="#index-base64_005fdecode_005fupdate-408"><code>base64_decode_update</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4422 <li><a href="#index-base64_005fencode_005ffinal-403"><code>base64_encode_final</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4423 <li><a href="#index-base64_005fencode_005finit-398"><code>base64_encode_init</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4424 <li><a href="#index-BASE64_005fENCODE_005fLENGTH-400"><code>BASE64_ENCODE_LENGTH</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4425 <li><a href="#index-base64_005fencode_005fsingle-399"><code>base64_encode_single</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4426 <li><a href="#index-base64_005fencode_005fupdate-401"><code>base64_encode_update</code></a>: <a href="#ASCII-encoding">ASCII encoding</a></li>
4427 <li><a href="#index-Block-Cipher-102">Block Cipher</a>: <a href="#Cipher-functions">Cipher functions</a></li>
4428 <li><a href="#index-blowfish_005fdecrypt-137"><code>blowfish_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4429 <li><a href="#index-blowfish_005fencrypt-136"><code>blowfish_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4430 <li><a href="#index-blowfish_005fset_005fkey-135"><code>blowfish_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4431 <li><a href="#index-camellia_005fcrypt-146"><code>camellia_crypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4432 <li><a href="#index-camellia_005finvert_005fkey-145"><code>camellia_invert_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4433 <li><a href="#index-camellia_005fset_005fdecrypt_005fkey-144"><code>camellia_set_decrypt_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4434 <li><a href="#index-camellia_005fset_005fencrypt_005fkey-143"><code>camellia_set_encrypt_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4435 <li><a href="#index-cast128_005fdecrypt-154"><code>cast128_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4436 <li><a href="#index-cast128_005fencrypt-153"><code>cast128_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4437 <li><a href="#index-cast128_005fset_005fkey-152"><code>cast128_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4440 <li><a href="#index-CBC_005fDECRYPT-222"><code>CBC_DECRYPT</code></a>: <a href="#CBC">CBC</a></li>
4441 <li><a href="#index-cbc_005fdecrypt-218"><code>cbc_decrypt</code></a>: <a href="#CBC">CBC</a></li>
4442 <li><a href="#index-CBC_005fENCRYPT-221"><code>CBC_ENCRYPT</code></a>: <a href="#CBC">CBC</a></li>
4443 <li><a href="#index-cbc_005fencrypt-217"><code>cbc_encrypt</code></a>: <a href="#CBC">CBC</a></li>
4444 <li><a href="#index-CBC_005fSET_005fIV-220"><code>CBC_SET_IV</code></a>: <a href="#CBC">CBC</a></li>
4445 <li><a href="#index-Cipher-101">Cipher</a>: <a href="#Cipher-functions">Cipher functions</a></li>
4446 <li><a href="#index-Cipher-Block-Chaining-215">Cipher Block Chaining</a>: <a href="#CBC">CBC</a></li>
4447 <li><a href="#index-Collision_002dresistant-3">Collision-resistant</a>: <a href="#Hash-functions">Hash functions</a></li>
4448 <li><a href="#index-Conditional-entropy-382">Conditional entropy</a>: <a href="#Randomness">Randomness</a></li>
4454 <li><a href="#index-CTR_005fSET_005fCOUNTER-227"><code>CTR_SET_COUNTER</code></a>: <a href="#CTR">CTR</a></li>
4455 <li><a href="#index-des3_005fdecrypt-168"><code>des3_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4456 <li><a href="#index-des3_005fencrypt-167"><code>des3_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4457 <li><a href="#index-des3_005fset_005fkey-166"><code>des3_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4458 <li><a href="#index-des_005fcheck_005fparity-161"><code>des_check_parity</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4459 <li><a href="#index-des_005fdecrypt-160"><code>des_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4460 <li><a href="#index-des_005fencrypt-159"><code>des_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4461 <li><a href="#index-des_005ffix_005fparity-162"><code>des_fix_parity</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4462 <li><a href="#index-des_005fset_005fkey-158"><code>des_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4463 <li><a href="#index-dsa_005fgenerate_005fkeypair-366"><code>dsa_generate_keypair</code></a>: <a href="#DSA">DSA</a></li>
4464 <li><a href="#index-dsa_005fprivate_005fkey_005fclear-354"><code>dsa_private_key_clear</code></a>: <a href="#DSA">DSA</a></li>
4465 <li><a href="#index-dsa_005fprivate_005fkey_005finit-352"><code>dsa_private_key_init</code></a>: <a href="#DSA">DSA</a></li>
4466 <li><a href="#index-dsa_005fpublic_005fkey_005fclear-353"><code>dsa_public_key_clear</code></a>: <a href="#DSA">DSA</a></li>
4467 <li><a href="#index-dsa_005fpublic_005fkey_005finit-351"><code>dsa_public_key_init</code></a>: <a href="#DSA">DSA</a></li>
4468 <li><a href="#index-dsa_005fsha1_005fsign-358"><code>dsa_sha1_sign</code></a>: <a href="#DSA">DSA</a></li>
4469 <li><a href="#index-dsa_005fsha1_005fsign_005fdigest-359"><code>dsa_sha1_sign_digest</code></a>: <a href="#DSA">DSA</a></li>
4470 <li><a href="#index-dsa_005fsha1_005fverify-362"><code>dsa_sha1_verify</code></a>: <a href="#DSA">DSA</a></li>
4471 <li><a href="#index-dsa_005fsha1_005fverify_005fdigest-363"><code>dsa_sha1_verify_digest</code></a>: <a href="#DSA">DSA</a></li>
4472 <li><a href="#index-dsa_005fsha256_005fsign-360"><code>dsa_sha256_sign</code></a>: <a href="#DSA">DSA</a></li>
4473 <li><a href="#index-dsa_005fsha256_005fsign_005fdigest-361"><code>dsa_sha256_sign_digest</code></a>: <a href="#DSA">DSA</a></li>
4474 <li><a href="#index-dsa_005fsha256_005fverify-364"><code>dsa_sha256_verify</code></a>: <a href="#DSA">DSA</a></li>
4475 <li><a href="#index-dsa_005fsha256_005fverify_005fdigest-365"><code>dsa_sha256_verify_digest</code></a>: <a href="#DSA">DSA</a></li>
4476 <li><a href="#index-dsa_005fsignature_005fclear-357"><code>dsa_signature_clear</code></a>: <a href="#DSA">DSA</a></li>
4477 <li><a href="#index-dsa_005fsignature_005finit-356"><code>dsa_signature_init</code></a>: <a href="#DSA">DSA</a></li>
4478 <li><a href="#index-ecc_005fpoint_005fclear-369"><code>ecc_point_clear</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4479 <li><a href="#index-ecc_005fpoint_005fget-371"><code>ecc_point_get</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4480 <li><a href="#index-ecc_005fpoint_005finit-368"><code>ecc_point_init</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4481 <li><a href="#index-ecc_005fpoint_005fset-370"><code>ecc_point_set</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4482 <li><a href="#index-ecc_005fscalar_005fclear-374"><code>ecc_scalar_clear</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4483 <li><a href="#index-ecc_005fscalar_005fget-376"><code>ecc_scalar_get</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4484 <li><a href="#index-ecc_005fscalar_005finit-373"><code>ecc_scalar_init</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4485 <li><a href="#index-ecc_005fscalar_005fset-375"><code>ecc_scalar_set</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4486 <li><a href="#index-ecdsa_005fgenerate_005fkeypair-379"><code>ecdsa_generate_keypair</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4487 <li><a href="#index-ecdsa_005fsign-377"><code>ecdsa_sign</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4488 <li><a href="#index-ecdsa_005fverify-378"><code>ecdsa_verify</code></a>: <a href="#Elliptic-curves">Elliptic curves</a></li>
4490 <li><a href="#index-Galois-Counter-Mode-229">Galois Counter Mode</a>: <a href="#GCM">GCM</a></li>
4492 <li><a href="#index-gcm_005faes_005fdecrypt-253"><code>gcm_aes_decrypt</code></a>: <a href="#GCM">GCM</a></li>
4493 <li><a href="#index-gcm_005faes_005fdigest-254"><code>gcm_aes_digest</code></a>: <a href="#GCM">GCM</a></li>
4494 <li><a href="#index-gcm_005faes_005fencrypt-252"><code>gcm_aes_encrypt</code></a>: <a href="#GCM">GCM</a></li>
4495 <li><a href="#index-gcm_005faes_005fset_005fiv-250"><code>gcm_aes_set_iv</code></a>: <a href="#GCM">GCM</a></li>
4496 <li><a href="#index-gcm_005faes_005fset_005fkey-249"><code>gcm_aes_set_key</code></a>: <a href="#GCM">GCM</a></li>
4497 <li><a href="#index-gcm_005faes_005fupdate-251"><code>gcm_aes_update</code></a>: <a href="#GCM">GCM</a></li>
4499 <li><a href="#index-GCM_005fDECRYPT-246"><code>GCM_DECRYPT</code></a>: <a href="#GCM">GCM</a></li>
4500 <li><a href="#index-gcm_005fdecrypt-239"><code>gcm_decrypt</code></a>: <a href="#GCM">GCM</a></li>
4501 <li><a href="#index-GCM_005fDIGEST-247"><code>GCM_DIGEST</code></a>: <a href="#GCM">GCM</a></li>
4502 <li><a href="#index-gcm_005fdigest-240"><code>gcm_digest</code></a>: <a href="#GCM">GCM</a></li>
4503 <li><a href="#index-GCM_005fENCRYPT-245"><code>GCM_ENCRYPT</code></a>: <a href="#GCM">GCM</a></li>
4504 <li><a href="#index-gcm_005fencrypt-238"><code>gcm_encrypt</code></a>: <a href="#GCM">GCM</a></li>
4505 <li><a href="#index-GCM_005fSET_005fIV-243"><code>GCM_SET_IV</code></a>: <a href="#GCM">GCM</a></li>
4506 <li><a href="#index-gcm_005fset_005fiv-236"><code>gcm_set_iv</code></a>: <a href="#GCM">GCM</a></li>
4507 <li><a href="#index-GCM_005fSET_005fKEY-242"><code>GCM_SET_KEY</code></a>: <a href="#GCM">GCM</a></li>
4508 <li><a href="#index-gcm_005fset_005fkey-235"><code>gcm_set_key</code></a>: <a href="#GCM">GCM</a></li>
4509 <li><a href="#index-GCM_005fUPDATE-244"><code>GCM_UPDATE</code></a>: <a href="#GCM">GCM</a></li>
4510 <li><a href="#index-gcm_005fupdate-237"><code>gcm_update</code></a>: <a href="#GCM">GCM</a></li>
4511 <li><a href="#index-gosthash94_005fdigest-87"><code>gosthash94_digest</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4512 <li><a href="#index-gosthash94_005finit-85"><code>gosthash94_init</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4513 <li><a href="#index-gosthash94_005fupdate-86"><code>gosthash94_update</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4514 <li><a href="#index-Hash-function-1">Hash function</a>: <a href="#Hash-functions">Hash functions</a></li>
4515 <li><a href="#index-HMAC-258">HMAC</a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4516 <li><a href="#index-HMAC_005fCTX-262"><code>HMAC_CTX</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4517 <li><a href="#index-HMAC_005fDIGEST-264"><code>HMAC_DIGEST</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4518 <li><a href="#index-hmac_005fdigest-261"><code>hmac_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4519 <li><a href="#index-hmac_005fmd5_005fdigest-268"><code>hmac_md5_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4520 <li><a href="#index-hmac_005fmd5_005fset_005fkey-266"><code>hmac_md5_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4521 <li><a href="#index-hmac_005fmd5_005fupdate-267"><code>hmac_md5_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4522 <li><a href="#index-hmac_005fripemd160_005fdigest-272"><code>hmac_ripemd160_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4523 <li><a href="#index-hmac_005fripemd160_005fset_005fkey-270"><code>hmac_ripemd160_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4524 <li><a href="#index-hmac_005fripemd160_005fupdate-271"><code>hmac_ripemd160_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4525 <li><a href="#index-HMAC_005fSET_005fKEY-263"><code>HMAC_SET_KEY</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4526 <li><a href="#index-hmac_005fset_005fkey-259"><code>hmac_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4527 <li><a href="#index-hmac_005fsha1_005fdigest-276"><code>hmac_sha1_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4528 <li><a href="#index-hmac_005fsha1_005fset_005fkey-274"><code>hmac_sha1_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4529 <li><a href="#index-hmac_005fsha1_005fupdate-275"><code>hmac_sha1_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4530 <li><a href="#index-hmac_005fsha256_005fdigest-280"><code>hmac_sha256_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4531 <li><a href="#index-hmac_005fsha256_005fset_005fkey-278"><code>hmac_sha256_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4532 <li><a href="#index-hmac_005fsha256_005fupdate-279"><code>hmac_sha256_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4533 <li><a href="#index-hmac_005fsha512_005fdigest-284"><code>hmac_sha512_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4534 <li><a href="#index-hmac_005fsha512_005fset_005fkey-282"><code>hmac_sha512_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4535 <li><a href="#index-hmac_005fsha512_005fupdate-283"><code>hmac_sha512_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4536 <li><a href="#index-hmac_005fupdate-260"><code>hmac_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4537 <li><a href="#index-KDF-315">KDF</a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4538 <li><a href="#index-Key-Derivation-Function-312">Key Derivation Function</a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4539 <li><a href="#index-Keyed-Hash-Function-255">Keyed Hash Function</a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4540 <li><a href="#index-MAC-257">MAC</a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4541 <li><a href="#index-md2_005fdigest-63"><code>md2_digest</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4542 <li><a href="#index-md2_005finit-61"><code>md2_init</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4543 <li><a href="#index-md2_005fupdate-62"><code>md2_update</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4544 <li><a href="#index-md4_005fdigest-69"><code>md4_digest</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4545 <li><a href="#index-md4_005finit-67"><code>md4_init</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4546 <li><a href="#index-md4_005fupdate-68"><code>md4_update</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4547 <li><a href="#index-md5_005fdigest-57"><code>md5_digest</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4548 <li><a href="#index-md5_005finit-55"><code>md5_init</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4549 <li><a href="#index-md5_005fupdate-56"><code>md5_update</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4550 <li><a href="#index-memxor-419"><code>memxor</code></a>: <a href="#Miscellaneous-functions">Miscellaneous functions</a></li>
4551 <li><a href="#index-Message-Authentication-Code-256">Message Authentication Code</a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4552 <li><a href="#index-One_002dway-2">One-way</a>: <a href="#Hash-functions">Hash functions</a></li>
4553 <li><a href="#index-One_002dway-function-322">One-way function</a>: <a href="#Public_002dkey-algorithms">Public-key algorithms</a></li>
4554 <li><a href="#index-Password-Based-Key-Derivation-Function-313">Password Based Key Derivation Function</a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4555 <li><a href="#index-PBKDF-316">PBKDF</a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4556 <li><a href="#index-PBKDF2-318"><code>PBKDF2</code></a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4557 <li><a href="#index-pbkdf2-317"><code>pbkdf2</code></a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4558 <li><a href="#index-pbkdf2_005fhmac_005fsha1-319"><code>pbkdf2_hmac_sha1</code></a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4559 <li><a href="#index-pbkdf2_005fhmac_005fsha256-320"><code>pbkdf2_hmac_sha256</code></a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4560 <li><a href="#index-PKCS-_00235-314">PKCS #5</a>: <a href="#Key-derivation-functions">Key derivation functions</a></li>
4561 <li><a href="#index-Public-Key-Cryptography-321">Public Key Cryptography</a>: <a href="#Public_002dkey-algorithms">Public-key algorithms</a></li>
4563 <li><a href="#index-ripemd160_005fdigest-75"><code>ripemd160_digest</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4564 <li><a href="#index-ripemd160_005finit-73"><code>ripemd160_init</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4565 <li><a href="#index-ripemd160_005fupdate-74"><code>ripemd160_update</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4566 <li><a href="#index-rsa_005fcompute_005froot-347"><code>rsa_compute_root</code></a>: <a href="#RSA">RSA</a></li>
4567 <li><a href="#index-rsa_005fgenerate_005fkeypair-348"><code>rsa_generate_keypair</code></a>: <a href="#RSA">RSA</a></li>
4568 <li><a href="#index-rsa_005fmd5_005fsign-331"><code>rsa_md5_sign</code></a>: <a href="#RSA">RSA</a></li>
4569 <li><a href="#index-rsa_005fmd5_005fsign_005fdigest-335"><code>rsa_md5_sign_digest</code></a>: <a href="#RSA">RSA</a></li>
4570 <li><a href="#index-rsa_005fmd5_005fverify-339"><code>rsa_md5_verify</code></a>: <a href="#RSA">RSA</a></li>
4571 <li><a href="#index-rsa_005fmd5_005fverify_005fdigest-343"><code>rsa_md5_verify_digest</code></a>: <a href="#RSA">RSA</a></li>
4572 <li><a href="#index-rsa_005fprivate_005fkey_005fclear-328"><code>rsa_private_key_clear</code></a>: <a href="#RSA">RSA</a></li>
4573 <li><a href="#index-rsa_005fprivate_005fkey_005finit-326"><code>rsa_private_key_init</code></a>: <a href="#RSA">RSA</a></li>
4574 <li><a href="#index-rsa_005fprivate_005fkey_005fprepare-330"><code>rsa_private_key_prepare</code></a>: <a href="#RSA">RSA</a></li>
4575 <li><a href="#index-rsa_005fpublic_005fkey_005fclear-327"><code>rsa_public_key_clear</code></a>: <a href="#RSA">RSA</a></li>
4576 <li><a href="#index-rsa_005fpublic_005fkey_005finit-325"><code>rsa_public_key_init</code></a>: <a href="#RSA">RSA</a></li>
4577 <li><a href="#index-rsa_005fpublic_005fkey_005fprepare-329"><code>rsa_public_key_prepare</code></a>: <a href="#RSA">RSA</a></li>
4578 <li><a href="#index-rsa_005fsha1_005fsign-332"><code>rsa_sha1_sign</code></a>: <a href="#RSA">RSA</a></li>
4579 <li><a href="#index-rsa_005fsha1_005fsign_005fdigest-336"><code>rsa_sha1_sign_digest</code></a>: <a href="#RSA">RSA</a></li>
4580 <li><a href="#index-rsa_005fsha1_005fverify-340"><code>rsa_sha1_verify</code></a>: <a href="#RSA">RSA</a></li>
4581 <li><a href="#index-rsa_005fsha1_005fverify_005fdigest-344"><code>rsa_sha1_verify_digest</code></a>: <a href="#RSA">RSA</a></li>
4582 <li><a href="#index-rsa_005fsha256_005fsign-333"><code>rsa_sha256_sign</code></a>: <a href="#RSA">RSA</a></li>
4583 <li><a href="#index-rsa_005fsha256_005fsign_005fdigest-337"><code>rsa_sha256_sign_digest</code></a>: <a href="#RSA">RSA</a></li>
4584 <li><a href="#index-rsa_005fsha256_005fverify-341"><code>rsa_sha256_verify</code></a>: <a href="#RSA">RSA</a></li>
4585 <li><a href="#index-rsa_005fsha256_005fverify_005fdigest-345"><code>rsa_sha256_verify_digest</code></a>: <a href="#RSA">RSA</a></li>
4586 <li><a href="#index-rsa_005fsha512_005fsign-334"><code>rsa_sha512_sign</code></a>: <a href="#RSA">RSA</a></li>
4587 <li><a href="#index-rsa_005fsha512_005fsign_005fdigest-338"><code>rsa_sha512_sign_digest</code></a>: <a href="#RSA">RSA</a></li>
4588 <li><a href="#index-rsa_005fsha512_005fverify-342"><code>rsa_sha512_verify</code></a>: <a href="#RSA">RSA</a></li>
4589 <li><a href="#index-rsa_005fsha512_005fverify_005fdigest-346"><code>rsa_sha512_verify_digest</code></a>: <a href="#RSA">RSA</a></li>
4590 <li><a href="#index-salsa20_005fcrypt-177"><code>salsa20_crypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4591 <li><a href="#index-salsa20_005fset_005fiv-176"><code>salsa20_set_iv</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4592 <li><a href="#index-salsa20_005fset_005fkey-175"><code>salsa20_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4593 <li><a href="#index-salsa20r12_005fcrypt-178"><code>salsa20r12_crypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4594 <li><a href="#index-serpent_005fdecrypt-186"><code>serpent_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4595 <li><a href="#index-serpent_005fencrypt-185"><code>serpent_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4596 <li><a href="#index-serpent_005fset_005fkey-184"><code>serpent_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4597 <li><a href="#index-sha1_005fdigest-81"><code>sha1_digest</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4598 <li><a href="#index-sha1_005finit-79"><code>sha1_init</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4599 <li><a href="#index-sha1_005fupdate-80"><code>sha1_update</code></a>: <a href="#Legacy-hash-functions">Legacy hash functions</a></li>
4600 <li><a href="#index-sha224_005fdigest-15"><code>sha224_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4601 <li><a href="#index-sha224_005finit-13"><code>sha224_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4602 <li><a href="#index-sha224_005fupdate-14"><code>sha224_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4603 <li><a href="#index-sha256_005fdigest-9"><code>sha256_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4604 <li><a href="#index-sha256_005finit-7"><code>sha256_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4605 <li><a href="#index-sha256_005fupdate-8"><code>sha256_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4606 <li><a href="#index-sha384_005fdigest-27"><code>sha384_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4607 <li><a href="#index-sha384_005finit-25"><code>sha384_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4608 <li><a href="#index-sha384_005fupdate-26"><code>sha384_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4609 <li><a href="#index-sha3_005f224_005fdigest-33"><code>sha3_224_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4610 <li><a href="#index-sha3_005f224_005finit-31"><code>sha3_224_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4611 <li><a href="#index-sha3_005f224_005fupdate-32"><code>sha3_224_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4612 <li><a href="#index-sha3_005f256_005fdigest-39"><code>sha3_256_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4613 <li><a href="#index-sha3_005f256_005finit-37"><code>sha3_256_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4614 <li><a href="#index-sha3_005f256_005fupdate-38"><code>sha3_256_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4615 <li><a href="#index-sha3_005f384_005fdigest-45"><code>sha3_384_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4616 <li><a href="#index-sha3_005f384_005finit-43"><code>sha3_384_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4617 <li><a href="#index-sha3_005f384_005fupdate-44"><code>sha3_384_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4618 <li><a href="#index-sha3_005f512_005fdigest-51"><code>sha3_512_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4619 <li><a href="#index-sha3_005f512_005finit-49"><code>sha3_512_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4620 <li><a href="#index-sha3_005f512_005fupdate-50"><code>sha3_512_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4621 <li><a href="#index-sha512_005fdigest-21"><code>sha512_digest</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4622 <li><a href="#index-sha512_005finit-19"><code>sha512_init</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4623 <li><a href="#index-sha512_005fupdate-20"><code>sha512_update</code></a>: <a href="#Recommended-hash-functions">Recommended hash functions</a></li>
4624 <li><a href="#index-Stream-Cipher-103">Stream Cipher</a>: <a href="#Cipher-functions">Cipher functions</a></li>
4625 <li><a href="#index-twofish_005fdecrypt-194"><code>twofish_decrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4626 <li><a href="#index-twofish_005fencrypt-193"><code>twofish_encrypt</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4627 <li><a href="#index-twofish_005fset_005fkey-192"><code>twofish_set_key</code></a>: <a href="#Cipher-functions">Cipher functions</a></li>
4628 <li><a href="#index-UMAC-285">UMAC</a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4629 <li><a href="#index-umac128_005fdigest-311"><code>umac128_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4630 <li><a href="#index-umac128_005fset_005fkey-299"><code>umac128_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4631 <li><a href="#index-umac128_005fset_005fnonce-303"><code>umac128_set_nonce</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4632 <li><a href="#index-umac128_005fupdate-307"><code>umac128_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4633 <li><a href="#index-umac32_005fdigest-308"><code>umac32_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4634 <li><a href="#index-umac32_005fset_005fkey-296"><code>umac32_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4635 <li><a href="#index-umac32_005fset_005fnonce-300"><code>umac32_set_nonce</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4636 <li><a href="#index-umac32_005fupdate-304"><code>umac32_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4637 <li><a href="#index-umac64_005fdigest-309"><code>umac64_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4638 <li><a href="#index-umac64_005fset_005fkey-297"><code>umac64_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4639 <li><a href="#index-umac64_005fset_005fnonce-301"><code>umac64_set_nonce</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4640 <li><a href="#index-umac64_005fupdate-305"><code>umac64_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4641 <li><a href="#index-umac96_005fdigest-310"><code>umac96_digest</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4642 <li><a href="#index-umac96_005fset_005fkey-298"><code>umac96_set_key</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4643 <li><a href="#index-umac96_005fset_005fnonce-302"><code>umac96_set_nonce</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4644 <li><a href="#index-umac96_005fupdate-306"><code>umac96_update</code></a>: <a href="#Keyed-hash-functions">Keyed hash functions</a></li>
4645 <li><a href="#index-yarrow256_005ffast_005freseed-392"><code>yarrow256_fast_reseed</code></a>: <a href="#Randomness">Randomness</a></li>
4646 <li><a href="#index-yarrow256_005finit-386"><code>yarrow256_init</code></a>: <a href="#Randomness">Randomness</a></li>
4647 <li><a href="#index-yarrow256_005fis_005fseeded-390"><code>yarrow256_is_seeded</code></a>: <a href="#Randomness">Randomness</a></li>
4648 <li><a href="#index-yarrow256_005fneeded_005fsources-391"><code>yarrow256_needed_sources</code></a>: <a href="#Randomness">Randomness</a></li>
4649 <li><a href="#index-yarrow256_005frandom-389"><code>yarrow256_random</code></a>: <a href="#Randomness">Randomness</a></li>
4650 <li><a href="#index-yarrow256_005fseed-387"><code>yarrow256_seed</code></a>: <a href="#Randomness">Randomness</a></li>
4651 <li><a href="#index-yarrow256_005fslow_005freseed-393"><code>yarrow256_slow_reseed</code></a>: <a href="#Randomness">Randomness</a></li>
4652 <li><a href="#index-yarrow256_005fupdate-388"><code>yarrow256_update</code></a>: <a href="#Randomness">Randomness</a></li>
4653 <li><a href="#index-yarrow_005fkey_005fevent_005festimate-396"><code>yarrow_key_event_estimate</code></a>: <a href="#Randomness">Randomness</a></li>
4654 <li><a href="#index-yarrow_005fkey_005fevent_005finit-395"><code>yarrow_key_event_init</code></a>: <a href="#Randomness">Randomness</a></li>
4656 <hr>
4657 <a name="texinfo-footnotes-in-document"></a><h4>Fotnoter</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Actually, the computation is not done like this, it is
4661 <hr></div>
4663 </body></html>
4665 <!--
4666 \x1f
4667 Local Variables:
4668 coding: utf-8
4669 End:
4671 -->