
arduinolibs's Introduction

Arduino Cryptography Library

This distribution contains libraries and example applications to perform cryptography operations on Arduino devices. They are distributed under the terms of the MIT license.

The documentation contains more information on the libraries and examples.

This repository used to contain a number of other examples and libraries for other areas of Arduino functionality, but most users are only interested in the cryptography code. The other projects have been moved to a separate repository and only the cryptography code remains in this repository.

For more information on these libraries, to report bugs, or to suggest improvements, please contact the author Rhys Weatherley via email.

Recent significant changes to the library

Apr 2023:

Brad Bock contributed a RNG back end for newer AVR chips that uses Custom Configurable Logic (CCL) to generate an unstable clock source instead of using the CPU watchdog as on older AVR chips.

Feb 2023:

NIST has selected ASCON as the winner of the Lightweight Cryptography Competition. This repository has an older implementation of ASCON-128 which should be compatible with the final winning version. Let me know if you have any issues.

The winning version has additional AEAD cipher and hashing modes that this repository does not implement yet. However, my companion repository ASCON Suite does implement all of the additional modes.

NIST is in the process of finalising the standard. Once the standard is published, I will move Ascon128 from CryptoLW to Crypto and implement the extra modes in this repository. In the meantime, please use ASCON Suite if you need support for ASCON in your Arduino project.

Mar 2022:

  • HMAC-BLAKE2b and HMAC-BLAKE2s were giving incorrect results when the message being authenticated was zero-length.

Jan 2022:

  • All-in-one hmac() function in Hash.h for simplified HMAC computations.
  • New API for the HKDF hash-based key derivation function.
  • Make the ESP32 version of AES less dependent on include file locations.

Apr 2018:

  • Acorn128 and Ascon128 authenticated ciphers (finalists in the CAESAR AEAD competition in the light-weight category).
  • Split the library into Crypto (core), CryptoLW (light-weight), and CryptoLegacy (deprecated algorithms).
  • Tiny and small versions of AES for reducing memory requirements.
  • Port the library to ESP8266 and ESP32.
  • Make the RNG class more robust if the app doesn't call begin() or loop().

Nov 2017:

  • Fix the AVR assembly version of Speck and speed it up a little.
  • API improvements to the RNG class.


arduinolibs's Issues

Using GCM<AES256> in another library

Hello,
I'm having a hard time running GCM from within another library on Arduino.

Here's my sketch:

#include <avr/wdt.h>
#include <Crypto.h>
#include <AES.h>
#include <GCM.h>

#include <Cryptotest.h>

Cryptotest cryptotest;

void setup() {
  wdt_disable();
  
  Serial.begin(250000);
  delay(500);
  Serial.print("START");
  cryptotest.test();
}

void loop() {

}

And the test library:

#ifndef Cryptotest_h
#define Cryptotest_h

class Cryptotest
{
  public:
    Cryptotest();
    void test();
    GCM<AES256>*gcmaes256=0;
};

#endif


#include "Arduino.h"
#include <SPI.h>
#include <Crypto.h>
#include <AES.h>
#include <GCM.h>
#include "Cryptotest.h"


Cryptotest::Cryptotest()
{
}

void Cryptotest::test()
{
    gcmaes256->clear();
}

What happens is that the ATmega goes into an infinite restart loop, with "START" displayed over and over on the serial port.
Any ideas would be appreciated.

Thank you

Usage of Speck library

Hello,
more than an issue, I really want to understand how I can use this library for my purposes.

I'm trying to encrypt a message that comes in through one serial port of the Arduino and send it out through another serial port, but I'm having trouble understanding how to use the library.
I have read the documentation of the library, but I still get errors; I need a little help with this.

This is the code I have (without involving the serial ports). Initially I wanted to check if I could define my strings and use them in another way instead of using the TestVector function:

#include <Crypto.h>
#include <Speck.h>
#include <SpeckSmall.h>
#include <SpeckTiny.h>
#include <string.h>

struct EncryptText
{
    const char *name;
    byte key[32];
    byte plaintext[16];
    byte ciphertext[16];
};

EncryptText test;

static TestCipher {

    test.name = "Speck-128-ECB";
    test.key = {0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
                0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00};
    test.plaintext = {0x6c, 0x61, 0x76, 0x69, 0x75, 0x71, 0x65, 0x20,
                      0x74, 0x69, 0x20, 0x65, 0x64, 0x61, 0x6d, 0x20};
    test.ciphertext = {0xa6, 0x5d, 0x98, 0x51, 0x79, 0x78, 0x32, 0x65,
                       0x78, 0x60, 0xfe, 0xdf, 0x5c, 0x57, 0x0d, 0x18};
}

Speck speck;
SpeckSmall speckSmall;
SpeckTiny speckTiny;

byte buffer[16];

//void testCipher(BlockCipher *cipher, const struct TestVector *test, size_t keySize, bool decryption = true)
void testCipher(BlockCipher *cipher, size_t keySize, bool decryption = true)
{
    Serial.print(" Encryption ... ");
    cipher->setKey(key, keySize);
    cipher->encryptBlock(buffer, plaintext);

    for (byte b = 0; b < 16; b++)
    {
        Serial.print(buffer[b], HEX);
    }

    if (memcmp(buffer, ciphertext, 16) == 0)
        Serial.println("Passed");
    else
        Serial.println("Failed");

    if (!decryption)
        return;

    Serial.print(" Decryption ... ");
    cipher->decryptBlock(buffer, ciphertext);

    for (byte b = 0; b < 16; b++)
    {
        Serial.print(buffer[b], HEX);
    }
    if (memcmp(buffer, plaintext, 16) == 0)
        Serial.println("Passed");
    else
        Serial.println("Failed");
}

I'm getting the error: "exit status 1 'TestCipher' does not name a type"

Any guidance would be very helpful.

Timing difference between AES encryption and decryption

Hello @rweather ,

I have one final query. I am checking the time for encryption and decryption for AES, and it's nearly double. But when I try to look for the standard you used to build that code, it only shows a Wikipedia link.
I need to ask from which standard you designed the AES algorithms for the Crypto library. Please advise, as we need to check the mathematical reasoning for the time difference between encryption and decryption.

[libcrypto/speck] TestSpeck fails on Arduino Uno

Building OS: Debian stretch
Arduino IDE version: 2:1.5.6.2+sdfsg2-3
Compiler version: gcc-avr 1:4.9.2+Atmel3.5.0-1
Onboard bootloader version: unknown, will update this evening.


Hi,

Both the full and low-memory implementations of the Speck cipher don't match any of the reference test vectors on an Arduino Uno R3 target.

Moreover, the low-memory implementation crashes when using a 192-bit or 256-bit key size.

Here is the output I get when running the example sketch.

State Sizes:
Speck ... 275
SpeckLowMemory ... 35

Speck Test Vectors:
Speck-128-ECB Encryption ... Failed
Speck-128-ECB Decryption ... Failed
Speck-192-ECB Encryption ... Failed
Speck-192-ECB Decryption ... Failed
Speck-256-ECB Encryption ... Failed
Speck-256-ECB Decryption ... Failed

SpeckLowMemory Test Vectors:
Speck-128-ECB Encryption ... Failed
Speck-192-ECB Encryption ...[random garbage printed here]

I'm expecting to receive an arduino mega next Friday.
I'll try to reproduce the current issue on this target next weekend.

Kind regards
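Both Speck reports above (the usage question and the Uno test failure) turn on the Speck-128-ECB vector from the library's test sketch. The following stand-alone C++ is an added example, not the library's own code: it implements Speck128/128 from the published algorithm (32 rounds, rotations 8 and 3, big-endian words as the vector is written) behind the same setKey/encryptBlock/decryptBlock shape as the library's BlockCipher, and checks the vector quoted in the first report, so a practitioner can separate a broken build from a wrong test harness.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Speck128/128: two 64-bit words per block, 128-bit key, 32 rounds,
// rotation amounts alpha = 8 and beta = 3 (the published parameters).
static const unsigned SPECK128_ROUNDS = 32;

static inline uint64_t ror64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }
static inline uint64_t rol64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }

// The test vectors list each word most-significant byte first, so blocks and
// keys are read and written as big-endian 64-bit words.
static uint64_t loadBE64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; ++i) v = (v << 8) | p[i];
    return v;
}

static void storeBE64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; --i) { p[i] = (uint8_t)(v & 0xff); v >>= 8; }
}

// Same call shape as the library's BlockCipher: setKey, encryptBlock, decryptBlock.
class Speck128 {
public:
    // Expand a 16-byte key. The first word is l[0], the second is k[0];
    // round key i is k[i].
    void setKey(const uint8_t key[16]) {
        uint64_t l = loadBE64(key);
        uint64_t k = loadBE64(key + 8);
        for (unsigned i = 0; i < SPECK128_ROUNDS; ++i) {
            rk_[i] = k;
            if (i + 1 == SPECK128_ROUNDS) break;
            l = (ror64(l, 8) + k) ^ i;   // l[i+1]
            k = rol64(k, 3) ^ l;         // k[i+1]
        }
    }

    void encryptBlock(uint8_t out[16], const uint8_t in[16]) const {
        uint64_t x = loadBE64(in), y = loadBE64(in + 8);
        for (unsigned i = 0; i < SPECK128_ROUNDS; ++i) {
            x = (ror64(x, 8) + y) ^ rk_[i];
            y = rol64(y, 3) ^ x;
        }
        storeBE64(out, x);
        storeBE64(out + 8, y);
    }

    // Exact inverse of the round function, applied with the keys in reverse.
    void decryptBlock(uint8_t out[16], const uint8_t in[16]) const {
        uint64_t x = loadBE64(in), y = loadBE64(in + 8);
        for (unsigned i = SPECK128_ROUNDS; i-- > 0;) {
            y = ror64(y ^ x, 3);
            x = rol64((x ^ rk_[i]) - y, 8);
        }
        storeBE64(out, x);
        storeBE64(out + 8, y);
    }

private:
    uint64_t rk_[SPECK128_ROUNDS];
};

// The Speck-128-ECB vector exactly as quoted in the usage report above.
static const uint8_t kKey[16] = {
    0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
    0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00};
static const uint8_t kPlain[16] = {
    0x6c, 0x61, 0x76, 0x69, 0x75, 0x71, 0x65, 0x20,
    0x74, 0x69, 0x20, 0x65, 0x64, 0x61, 0x6d, 0x20};
static const uint8_t kCipher[16] = {
    0xa6, 0x5d, 0x98, 0x51, 0x79, 0x78, 0x32, 0x65,
    0x78, 0x60, 0xfe, 0xdf, 0x5c, 0x57, 0x0d, 0x18};

// Mirrors the sketch's testCipher(): encrypt and compare, decrypt and compare.
static bool speckVectorPasses() {
    Speck128 cipher;
    uint8_t buffer[16];
    cipher.setKey(kKey);
    cipher.encryptBlock(buffer, kPlain);
    if (std::memcmp(buffer, kCipher, 16) != 0) return false;
    cipher.decryptBlock(buffer, kCipher);
    return std::memcmp(buffer, kPlain, 16) == 0;
}

int main() {
    std::printf("Speck-128-ECB ... %s\n", speckVectorPasses() ? "Passed" : "Failed");
    return speckVectorPasses() ? 0 : 1;
}
```

If this passes on the host but the sketch fails on the board, the difference lies in the toolchain or the board build, not in the vector or the harness.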

Clarification on Blake2s Implementation

Thanks for creating such awesome Arduino libs, this is a great resource! 👍

I have a question regarding HMAC digests on arduino vs other systems.

It is mentioned here regarding this library's BLAKE2 implementation:

They are intended as high performance replacements for SHA256 and SHA512 for when speed is critical but exact bit-compatibility of hash values is not.

  • I am attempting to create an HMAC on an Arduino or Raspberry Pi and verify the hash values on the other side.
  • It appears that the same input in the Blake2s C-ref produces a different hash than on Arduino using the Blake2s HMAC from this lib.
  • Is this what you are referencing in regards to exact bit-compatibility?
    • An 8-bit Arduino produces a different digest than the same input on a Raspberry Pi?
  • Any suggestions for best accomplishing this?
    • I prefer Blake2s due to the variable digest size; I am planning on transmitting payload + HMAC over RF24Network.
    • Payload size is limited (120 bytes); I would prefer generating a small HMAC instead of truncating SHA256...

Any feedback is very much appreciated.
Thanks again for the awesome libraries!

Error using the DS3232 library; no matching function for call to 'DS3232RTC::DS3232RTC(SoftI2C&)'

I am a newbie to the Arduino. I have connected the DS3232 RTC clock module to the Arduino Uno and have tried to upload the sketch TestRTC from File -> Examples -> RTC -> TestRTC, but receive the error:
"Not used: C:\Users\Paul\Documents\Arduino\libraries\RTC
exit status 1
no matching function for call to 'DS3232RTC::DS3232RTC(SoftI2C&)'"


I followed the instructions listed here http://www.freetronics.com.au/pages/rtc-real-time-clock-module-quickstart-guide#.WDyUaPl96yI.

My IDE is Arduino v. 1.6.9

I have tried without success to look for the cause of the error. Kindly help.

I look forward to hearing from you

memcpy_P conflict with Arduino libraries

The library is sensitive to the include sequence.

The following two errors cause a problem when compiling on [email protected]

.platformio\packages\framework-arduinoststm32\cores\arduino/avr/pgmspace.h:48: warning: "memcpy_P" redefined
48 | #define memcpy_P(dest, src, num) memcpy((dest), (src), (num))
|
In file included from .pio\libdeps\nucleo_l073rz\Crypto_ID1168\RNG.cpp:27:
.pio\libdeps\nucleo_l073rz\Crypto_ID1168\utility/ProgMemUtil.h:49: note: this is the location of the previous definition
49 | #define memcpy_P(d,s,l) memcpy((d), (s), (l))
|

I added a #undef in my header file that uses the crypto to remove the memcpy_P after the use of crypto is complete.

Encrypt-then-sign or sign-then-encrypt? re: ed25519

Hi, first of all I'll say it up front that I'm not very good at C or C++. I just want to get this working with my cloud backend, which uses libsodium under PyNacl.

As I understand it, in ed25519, the sign function takes the following arguments:

  • signature of the sender
  • privateKey of the sender
  • publicKey of the sender
  • plaintext message
  • len of the plaintext message

I have a few questions:

  1. Does it encrypt-then-sign or sign-then-encrypt?
  2. Where is the resulting ciphertext stored? I plan to hex-encode this ciphertext and send it to the cloud backend.
  3. How do I ensure that only the cloud backend can decrypt the ciphertext?

My idea of encrypting the message is:

  1. Take the plaintext
  2. Encrypt it using the privateKey of the sender.
  3. Encrypt it again using the publicKey of the recipient (cloud backend).
  4. Sign it using the signature of the sender.
  5. Send the ciphertext to the recipient.

Sender shares the following keys to the recipient in a secure way:

  1. verificationKey derived from signature
  2. publicKey derived from privateKey

To decrypt it at the cloud backend:

  1. Take the ciphertext.
  2. Verify it using the verificationKey of the sender. This ensures the sender is authentic.
  3. Decrypt it using the privateKey of the recipient. This ensures secrecy of the message and only the recipient can read it.
  4. Decrypt it using the publicKey of the sender. This ensures again that the sender is authentic.
  5. Hooray! I now have the plaintext.

How does your library lend itself to the above operations?

(I have left out details about defending against replay attacks and key theft, which I have already taken care of)

AES-256-ECB encryption/decryption with Arduino <-> PHP openssl

Hello,

I want to exchange data from the Arduino via HTTP with a PHP script and encrypt it via AES-256-ECB.

I use the "arduino cryptography library" and would use base64 encoding for the transfer. PHP is running on the server, and I use openssl there.

The problem now is that it is working on both sides, but the encryption is not compatible, as if both sides were encrypting with a different key.

I would also choose a different encryption type, but would like to renounce RC4.

Does anyone have any suggestions?

ARDUINO

#include <Crypto.h>
#include <AES.h>
#include <string.h>
#include <Base64.h> //https://github.com/Densaugeo/base64_arduino

AES256 aes256;

byte buffer[16];
byte buffer2[16];

void setup() {
  Serial.begin(115200);

  BlockCipher *cipher = &aes256;

  // Plaintext
  String message = "Hello my World!!";
  byte plaintext[message.length()];
  message.getBytes(plaintext, message.length());

  // Key (defining it by byte or by char also changes the result!)
  /*
  char keyc[32] = "12345678123456781234567812345678";
  byte key[32];
  //keyc.getBytes(key, keyc.length());
  for (int i = 0; i<=32; i++) {
    key[i] = keyc[i];
  }
  */
  byte key[32] = {1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8};

  // Encrypt AES-256-ECB
  crypto_feed_watchdog();
  cipher->setKey(key, 32);
  cipher->encryptBlock(buffer, plaintext);
  Serial.print("Original: ");
  Serial.println((char*)plaintext);

  // Base64 encode
  int inputStringLength = sizeof(buffer);
  int encodedLength = Base64.encodedLength(inputStringLength);
  char encodedString[encodedLength];
  Base64.encode(encodedString, (char*)buffer, inputStringLength);
  Serial.print("Base64 : ");
  Serial.println(encodedString);

  // Base64 decode
  int inputDeStringLength = sizeof(encodedString);
  int decodedLength = Base64.decodedLength(encodedString, inputDeStringLength);
  char decodedString[decodedLength];
  Base64.decode(decodedString, encodedString, inputDeStringLength);

  // Decrypt AES-256-ECB
  cipher->setKey(key, 32);
  cipher->decryptBlock(buffer2, decodedString);
  Serial.print("Output: ");
  Serial.println((char*)buffer2);
}

void loop() {
}

OUTPUT

Original: Hello my World!
Base64 : e0Ha5Ogb3G//dqxArUU4TA==
Output: Hello my World!

PHP openssl

$method = 'AES-256-ECB';
$kkey = '12345678123456781234567812345678';

$str = 'Hello my World!';
$encrypted = base64_encode(openssl_encrypt($str, $method, $kkey, OPENSSL_RAW_DATA));
echo $encrypted;

// decode
//$encrypted = "e0Ha5Ogb3G//dqxArUU4TA=="; // return nothing
$encrypted = base64_decode($encrypted);
echo $decryptedData = openssl_decrypt($encrypted, $method, $kkey, OPENSSL_RAW_DATA, "");

OUTPUT

YNmK+4p1TNJFY3ZhEC1CRw==Hello my World!

Thanks
Marcel

Support for XChaCha20 Poly1305

Hi Guys

congratulations for the excellent work you have done,
I wanted to know, if you have already planned to add XChaCha20 Poly1305

ED25519 - Arduino x Libsodium PHP

Can you make a digital signature in PHP with libsodium and check it with the ED25519 library? I noticed a difference in the private key size between the two libraries.

Ed25519 is using suspiciously high amounts of program memory

Hello!

I have used your library to quite some extent, and so far I never had any problems with it. However, I tried to use Ed25519 today, and I instantly ran out of memory on my Arduino Yún.

Before using Ed25519, I was using around 15kB of program memory, while comfortably having Curve25519 and ChaChaPoly implemented already. However, simply including Ed25519.h and calling sign() and verify() shoots my usage up to a little over 30kB. This was quite surprising, considering how lightweight all the other parts are.

I've been going through the Ed25519 code, and I couldn't really determine what was causing this huge hardware requirement.

Is this the usual behaviour/usage?

Possible to add modular exponentiation to BigNumberUtil?

Hi, I really quite enjoy working with your library, great work there!

Would it be possible to also implement efficient modular exponentiation (i.e. modPow(b, e, modulus) = (b ** e) % modulus) in BigNumberUtil? That would be very helpful for my application where I need to implement the Rabin cryptosystem, which is similar to RSA.
If modular exponentiation is already possible in any way, a pointer in the right direction would also be helpful :)

LCD Form

Hi, I've been playing with your LCD library which is fantastic to work with (particularly for a noob), but can't for the life of me figure out how to add a field. For example, I'd like to add a field that only exists if a boolfield's value = true, else don't add the field and continue to the next field as setup at the top of the sketch. It doesn't help that I don't really understand how to read member functions but with a little help I'll get there ;)

AES with CTR/CBC mode

Hi, thanks for the library, it is a big help in my project. I am trying to perform an AES256 encryption and exchange data with a mobile app built using React Native, and I tried just AES256, CTR and CBC. AES256 is able to encrypt and decrypt a block properly. However, when I try the same block with CTR/CBC mode, the decryption is not returning the same plain text. The code I am using is as follows:

  CBC<AES256> crypto;
  byte key[]  = {0xCB, 0xC0, 0x8B, 0xEF, 0x8E, 0xEF, 0x3C, 0xBE, 0x8E, 0x21, 0xA1, 0x96, 0x6A, 0x44, 0xDE, 0xD5, 0x3A, 0x35, 0x3B, 0xBC, 0x08, 0xB4, 0x08, 0xB1, 0xF0, 0xDD, 0xCB, 0x84, 0x77, 0x24, 0xAD, 0x1E};
  byte iv[] = {0x70, 0x97, 0xDD, 0xEE, 0xA3, 0xB6, 0xEF, 0x48, 0x0E, 0x0F, 0xA5, 0xBA, 0x27, 0x5B, 0xC1, 0x15};
  byte bMsg[] = {0x48, 0x45, 0x4C, 0x4C, 0x4F, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04}; //HELLO
  byte cipher[cipherLen];
  byte plain[cipherLen];
  crypto.setKey(key, 32);
  crypto.setIV(iv, 16);
  // crypto.setCounterSize(4);
  crypto.encrypt(cipher, bMsg, cipherLen);
  crypto.decrypt(plain, cipher, cipherLen);
  dumpByteArray(bMsg, cipherLen);
  dumpByteArray(cipher, cipherLen);
  dumpByteArray(plain, cipherLen);

The CBC code is not directly in this repo, but I found the .cpp and .h files in the documentation. I copied them and tried to use them. Can you please guide me on this issue? Please let me know if you need more input from my end.

Thanks

Exception (3) with ESP8266 core >2.5.0 in mulA24

With core versions higher than 2.5.0 (latest is 2.5.2) I get an Exception (3) boot loop when calling Curve25519::dh1(uint8_t k[32], uint8_t f[32]).

I've traced the exact point and I've got to Curve25519::mulA24(limb_t *result, const limb_t *x).

I've noticed that the code uses BIGNUMBER_LIMB_16BIT for the ESP8266 platform.

If I change this line from
#if defined(__AVR__) || defined(ESP8266) to
#if defined(__AVR__)

so that it uses BIGNUMBER_LIMB_32BIT, the program runs fine.

I've tested it with v0.2.0 and latest master.

Using Crypto and CryptoLW library with Nodejs

Hello @rweather ,

We are trying to use the Ed25519 and Curve25519 functions from a JavaScript module. But there are many .cpp files linked with each other.

Could you please suggest how to convert the Crypto folder into a library, such that we can use it with my local JavaScript function.

Regards,
Hemant

Support for AES-CCM (Counter with CBC-MAC)

Have you considered supporting AES-CCM mode?

It's used, for example, in Bluetooth Low Energy (BLE) applications to encrypt the payload in advertisement packets.

The code I am writing is for ESPHome and runs on ESP32 etc., so the implementation needs to be optimized for "small" µC like NodeMCUs and AVRs. This library looks ideal to me and is already supported by the Arduino IDE and PlatformIO. Additionally, it supports the other AES AEAD modes GCM and EAX, so the implementation of CCM would be trivial.

Here is a test vector for 128 bit AES-CCM I am struggling with:

static TestVector const testVectorCCM PROGMEM = {
    .name        = "AES-128 CCM BLE ADV",
    .key         = {0xE9, 0xEF, 0xAA, 0x68, 0x73, 0xF9, 0xF9, 0xC8,
                    0x7A, 0x5E, 0x75, 0xA5, 0xF8, 0x14, 0x80, 0x1C},
    .plaintext   = {0x04, 0x10, 0x02, 0xD3, 0x00},
    .ciphertext  = {0xDA, 0x61, 0x66, 0x77, 0xD5},
    .authdata    = {0x11},
    .iv          = {0x78, 0x16, 0x4E, 0x38, 0xC1, 0xA4, 0x5B, 0x05,
                    0x3D, 0x2E, 0x00, 0x00},
    .tag         = {0x92, 0x98, 0x23, 0x52},
    .authsize    = 1,
    .datasize    = 5,
    .tagsize     = 4,
    .ivsize      = 12
};

I already have the BLE decryption working "offline", but the current code uses Crypto++ as its AES library and is not portable to ESPHome.

Thank you very much for your help and support in advance.

TestCurve25519 is failing with a fresh download of the lib

Hello,

I've been using several sections of this library without any problem, but I just wanted to try the Curve25519 part by going through the TestCurve25519.ino.

However, it seems to fail in every test case. I guess the problem must reside in the eval() function, since even the TestEval() part is guaranteed to fail. The generated public key is just plain wrong every time.

I did not make any changes to the file, and I have picked up the most recent version.

Is the Curve25519 known to be out of order currently, or am I doing something wrong?

Use of htobe64 and other non-standard functions

The macros like htobe64 (used in SHA512::finalize) are written in a compiler-specific way (GCC-only?), so they make it hard to build the library with other compilers.
It would be nice to rewrite them in a standard way to make the library easily portable to other platforms.

PS: I was trying to build the library with Microsoft C++ compiler (VS2017)
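A compiler-neutral way to do what the issue above asks for, as an added example that is not the library's code. It assumes only the C++ standard library: the big-endian form is assembled with shifts and memcpy rather than a GCC builtin, so it compiles unchanged under MSVC, Clang and GCC on either host byte order; the last function shows the kind of value SHA512::finalize converts, the 128-bit big-endian message length that SHA-512 appends.

```cpp
#include <cstdint>
#include <cstring>

// Store a 64-bit value in big-endian byte order, independent of host
// endianness and of any compiler-specific byte-swap intrinsic.
static void storeBE64(uint8_t out[8], uint64_t v) {
    for (int i = 7; i >= 0; --i) {
        out[i] = static_cast<uint8_t>(v & 0xff);
        v >>= 8;
    }
}

// Read a 64-bit big-endian value back into a native integer.
static uint64_t loadBE64(const uint8_t in[8]) {
    uint64_t v = 0;
    for (int i = 0; i < 8; ++i) {
        v = (v << 8) | in[i];
    }
    return v;
}

// Portable equivalent of htobe64(): returns a value whose in-memory bytes are
// the big-endian encoding of v. The encoding is computed explicitly and then
// reinterpreted with the host's own byte order, so no endianness test is needed.
static uint64_t htobe64Portable(uint64_t v) {
    uint8_t bytes[8];
    storeBE64(bytes, v);
    uint64_t r;
    std::memcpy(&r, bytes, sizeof(r));
    return r;
}

// Portable equivalent of be64toh(): the inverse of the above.
static uint64_t be64tohPortable(uint64_t v) {
    uint8_t bytes[8];
    std::memcpy(bytes, &v, sizeof(v));
    return loadBE64(bytes);
}

// The SHA-512 length field: the message length in bits as a big-endian
// 128-bit integer, high word first. The high word is zero here because the
// caller's length fits in 64 bits.
static void encodeSha512Length(uint8_t out[16], uint64_t messageBytes) {
    uint64_t bits = messageBytes * 8;   // caller guarantees no overflow
    uint64_t hi = htobe64Portable(0);
    uint64_t lo = htobe64Portable(bits);
    std::memcpy(out, &hi, 8);
    std::memcpy(out + 8, &lo, 8);
}

// Round trip plus the known byte layout of a constructed test value.
static bool selfCheck() {
    const uint64_t v = 0x0102030405060708ULL;
    uint64_t be = htobe64Portable(v);
    uint8_t raw[8];
    std::memcpy(raw, &be, 8);
    for (int i = 0; i < 8; ++i) {
        if (raw[i] != static_cast<uint8_t>(i + 1)) return false;
    }
    return be64tohPortable(be) == v;
}

// A 3-byte message has a bit length of 24: the field must be 15 zero bytes
// followed by 0x18, whatever the host byte order.
static bool lengthEncodingCheck() {
    uint8_t field[16];
    encodeSha512Length(field, 3);
    for (int i = 0; i < 15; ++i) {
        if (field[i] != 0) return false;
    }
    return field[15] == 0x18;
}
```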

Have you considered supporting the new NewHope Simple?

See https://eprint.iacr.org/2016/1157.pdf

And example C implementation here - https://github.com/milagro-crypto/amcl/blob/master/version3/c/newhope.c

It seems the simple version has a slightly larger key, but the new implementation is simpler, with the same security and the same performance.

We are looking for a C NewHope implementation and a JS implementation to do key exchange between a USB device and a web app. Right now I am looking at using the referenced one because they already have a JS version. I really like your NewHope implementation because it's good for small devices like Arduino. Thanks for the great libraries.

Memory reset in ESP8266 on signing with ED25519

Hi @rweather, I really appreciate the help you provide with this library. It's very comprehensive, and I want to thank you for the help with AES256. Now I am trying to perform an asymmetric encryption using the ED25519 curve. Here is the code I wrote following your example:

  long _millis = millis();
  String millis = String(_millis, DEC);
  Serial.println(millis);
  uint8_t privateKey[32];
  uint8_t publicKey[32];
  Ed25519::generatePrivateKey(privateKey);
  Ed25519::derivePublicKey(publicKey, privateKey);
  dumpByteArray(privateKey, 32);
  dumpByteArray(publicKey, 32);
  /*byte signature[64];
  Ed25519::sign(signature, privateKey, publicKey, (byte*)millis.c_str(), millis.length());
  dumpByteArray(signature, 64);
  int encLen = base64.encodedLength(64);
  char verifier[encLen];
  base64.encode(verifier, (char*)signature, 64);
  Serial.println("Encoded signature");*/

I initially tried to use a key pair that I generated using the PyNaCl library. But that was throwing the memory dump on Ed25519::sign, so then I thought of generating the keys and dumping them, as you see above. I am still getting the memory corruption issue. Can you please guide me on this?

I am using a NodeMcu ESP8266 board.

tweetnacl and Ed25519

Hello,

I have a question with respect to the ACL Ed25519 implementation. I have recently checked that tweetnacl [1] is compatible with RFC 8032. When providing private keys and messages from Section 7.1 of [2] to tweetnacl, I am able to derive appropriate corresponding public keys and signature values matching the output of [2] in Section 7.1.

I was trying to do the same in Ed25519, by copying the 32 byte private key and a message into uint8_t vectors. Next, I run Ed25519::derivePublicKey and Ed25519::sign. Both the corresponding public key and the message derived do not match the RFC 8032 Section 7.1 or the tweetnacl output values.

Are in general tweetnacl and the ACL Ed25519 implementation compatible or there is some difference between these two?

[1] http://tweetnacl.cr.yp.to/
[2] https://tools.ietf.org/html/rfc8032

Thanks!

Eryk Schiller

Hashing Problem

There seems to be a problem with the hashing method when reading from a file. In this case I'm using SHA256.
When I open a file and read its contents and update the hash, the resulting value is wrong.

I don't understand what I'm doing wrong or if it's a bug, but I can't get the correct value by reading a file and updating the hash.
This is my function:

bool calculate_file_hash(char* path, byte* result) {
  File f = SD.open(path, FILE_READ);
  if (!f) {
    return false;
  }

  SHA256 hash;
  hash.clear();
  hash.reset();
  
  while(f.available()){
    hash.update(f.read(), 1);
    if(f.peek() < 0)
      break;
  }
  f.close();
  hash.finalize(result, 32);

  return true;
}

It reads 1 byte and updates the hash. I've also tried reading chunks of 128 bytes, but it produces a different incorrect hash. When I transfer a file over serial and update the hash with successive 128-byte chunks, the final hash is correct. For some reason, reading a file with the SD.h library just doesn't work. In fact, simply changing the filename from "t.txt" to "/t.txt" produces a different hash.
Am I doing anything wrong?

Need help with ChaCha and Strings

I'm trying to use your library, and as a beginner I am having problems with the C++ way of handling data types and with pointers.

I tried to follow along with your basic AES Example and use whatever I can from the testChaCha example.

Can I just use Chacha.Encrypt() like you are using AES.Encrypt(), in the sense that it can encrypt a whole array of bytes in one go? Because it seems that the way you are using it is bytewise.

Here is my code so far:
#include <string.h>
#include "ChaCha.h"
#include "Crypto.h"
#include "utility/EndianUtil.h"
#include "utility/ProgMemUtil.h"
#include "utility/RotateUtil.h"
#define MAX_CIPHERTEXT_SIZE 32
ChaCha chacha;

const int msgLen = 32;

int size = 5;
byte iv[8] = {101,102,103,104,105,106,107,108};
byte counter[8] = {109, 110, 111, 112, 113, 114, 115, 116};
byte plaintext[5] = {'H', 'e', 'l', 'l', 'o'};
byte cypher[5];
byte key[24] = {0x32, 0x62, 0x37, 0x65, 0x31, 0x35, 0x31, 0x36, 0x32, 0x38, 0x61, 0x65, 0x64, 0x32, 0x61, 0x36, 0x61, 0x62, 0x66, 0x37, 0x31, 0x35, 0x38, 0x39};
byte decrypted[5];

void setup() {
  Serial.begin(115200);
}

void loop() {
  chacha.clear();
  chacha.setKey(key, sizeof(key));
  chacha.setIV(iv, 8);
  chacha.setCounter(counter, 8);
  Serial.println("####");
  for (int i = 0; i < sizeof(plaintext); i++) { Serial.printf("%c", plaintext[i]); }
  Serial.println();
  chacha.encrypt(cypher, plaintext, sizeof(plaintext));
  for (int i = 0; i < sizeof(cypher); i++) { Serial.printf("%c", cypher[i]); }
  Serial.println();
  chacha.decrypt(decrypted, cypher, sizeof(cypher));
  for (int i = 0; i < sizeof(decrypted); i++) { Serial.printf("%c", decrypted[i]); }
  Serial.println();
  delay(1000);
}

User-defined NoiseSources - how?

Hey there, I'm trying to use this library in a program running on a Teensy 4.1, but I'm having an issue with the RNG. The Teensy 4.1 doesn't offer any (?) of the built-in entropy sources. However, it has a hardware TRNG. The Entropy.h Teensy library seems to have support for this TRNG, but I can't figure out how to feed the output from that into this library. Any pointers?

Compiling for ESP32

Hi, thanks for this great library.
I am using the Crypto library and AES examples.
I can compile and run OK on Teensy, M0 and M4. However, when trying to compile for ESP32 I get the following error. I am using Arduino IDE 1.6.7 and the latest version of this library.
TestAESCBC:172: error: 'AES128' does not name a type

AES128 aes128;

^

TestAESCBC:173: error: 'AES192' does not name a type

AES192 aes192;

^

TestAESCBC:174: error: 'AES256' does not name a type

AES256 aes256;

^

Decrypted data differ from origin data

I am trying Acorn128. My trial code is very simple:

	const byte len{16};

	byte data[len]{1, 2, 3};
	byte cipher[len]{};
	byte decrypted[len]{};

	acorn.encrypt(cipher, data, len);
	acorn.decrypt(decrypted, cipher, len);

And I get wrong decrypted data. Here is the output:

data:
1:2:3:0:0:0:0:0:0:0:0:0:0:0:0:0:
encrypted:
19:CE:6F:7E:96:16:89:6A:39:FE:8:70:E2:4:95:9E:
decrypted:
DF:29:FC:C5:19:7:D5:2:58:35:16:B8:61:AA:1B:D6:

Simple AES256 Example

Hi, first of all - great work.

This isn't so much an issue, but rather a query.

Are there any basic examples of how to produce the following?

Step 1)
String of length 16 > AES256 CBC encrypt > Print result in base64
Step 2)
base64 result from above > AES256 CBC decrypt > Print result

Any info will be much appreciated.

Asymmetric encryption/decryption?

It looks like the public-key algorithms are implemented for very specific use cases: Curve25519 for ECDH, and Ed25519 for digital signatures.

Is there a way to asymmetrically encrypt/decrypt data directly using this library?

RNG Watchdog compilation error for Arduino Uno WiFi rev2

Hi,
I've been using your library on an Arduino Uno and everything works great (thank you!). However, when I try to compile for the Arduino Uno WiFi rev2, I get a long list of errors from the RNG.cpp file (error log below). The lines mentioned in the error log are related to the RNG watchdog. I found #31, and the suggested fix did stop the compiler errors, but I'm not sure what noise source to replace it with or how to do it.

Steps to reproduce:

  • Download latest Arduino IDE (1.8.12) and library (0.2.0) version
  • Set targeted board to Arduino Uno WiFi rev2
  • Try to compile the TestCurve25519 example

This happens on Windows 10 as well as Arch Linux.

Full error log (pastebin)

Arduino: 1.8.12 (Windows 10), Board: "Arduino Uno WiFi Rev2, ATMEGA328"

[System data, see pastebin]

C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp: In function 'void WDT_vect()':

C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:239:27: error: 'TCNT0' was not declared in this scope
     unsigned char value = TCNT0;
                           ^~~~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:239:27: note: suggested alternative: 'TCA0'
     unsigned char value = TCNT0;
                           ^~~~~
                           TCA0
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp: In destructor 'RNGClass::~RNGClass()':
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:288:5: error: 'MCUSR' was not declared in this scope
     MCUSR &= ~(1 << WDRF);
     ^~~~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:288:21: error: 'WDRF' was not declared in this scope
     MCUSR &= ~(1 << WDRF);
                     ^~~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:288:21: note: suggested alternative: 'DDRD'
     MCUSR &= ~(1 << WDRF);
                     ^~~~
                     DDRD
In file included from C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:37:0:
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:291:30: error: 'WDCE' was not declared in this scope
     _WD_CONTROL_REG |= (1 << _WD_CHANGE_BIT) | (1 << WDE);
                              ^
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:291:30: note: suggested alternative: 'ADC0'
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:291:54: error: 'WDE' was not declared in this scope
     _WD_CONTROL_REG |= (1 << _WD_CHANGE_BIT) | (1 << WDE);
                                                      ^~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:291:54: note: suggested alternative: 'WDT'
     _WD_CONTROL_REG |= (1 << _WD_CHANGE_BIT) | (1 << WDE);
                                                      ^~~
                                                      WDT
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:292:23: error: no match for 'operator=' (operand types are 'WDT_t {aka WDT_struct}' and 'int')
     _WD_CONTROL_REG = 0;
                       ^
In file included from c:\users\jurriaan\appdata\local\arduino15\packages\arduino\tools\avr-gcc\7.3.0-atmel3.6.1-arduino5\avr\include\avr\io.h:677:0,
                 from c:\users\jurriaan\appdata\local\arduino15\packages\arduino\tools\avr-gcc\7.3.0-atmel3.6.1-arduino5\avr\include\avr\pgmspace.h:90,
                 from C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\utility/ProgMemUtil.h:27,
                 from C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:27:
c:\users\jurriaan\appdata\local\arduino15\packages\arduino\tools\avr-gcc\7.3.0-atmel3.6.1-arduino5\avr\include\avr\iom4809.h:2054:16: note: candidate: WDT_struct& WDT_struct::operator=(const WDT_struct&)
 typedef struct WDT_struct
                ^~~~~~~~~~
c:\users\jurriaan\appdata\local\arduino15\packages\arduino\tools\avr-gcc\7.3.0-atmel3.6.1-arduino5\avr\include\avr\iom4809.h:2054:16: note:   no known conversion for argument 1 from 'int' to 'const WDT_struct&'
c:\users\jurriaan\appdata\local\arduino15\packages\arduino\tools\avr-gcc\7.3.0-atmel3.6.1-arduino5\avr\include\avr\iom4809.h:2054:16: note: candidate: WDT_struct& WDT_struct::operator=(WDT_struct&&)
c:\users\jurriaan\appdata\local\arduino15\packages\arduino\tools\avr-gcc\7.3.0-atmel3.6.1-arduino5\avr\include\avr\iom4809.h:2054:16: note:   no known conversion for argument 1 from 'int' to 'WDT_struct&&'
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp: In member function 'void RNGClass::begin(const char*)':
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:485:5: error: 'MCUSR' was not declared in this scope
     MCUSR &= ~(1 << WDRF);
     ^~~~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:485:21: error: 'WDRF' was not declared in this scope
     MCUSR &= ~(1 << WDRF);
                     ^~~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:485:21: note: suggested alternative: 'DDRD'
     MCUSR &= ~(1 << WDRF);
                     ^~~~
                     DDRD
In file included from C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:37:0:
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:489:30: error: 'WDCE' was not declared in this scope
     _WD_CONTROL_REG |= (1 << _WD_CHANGE_BIT) | (1 << WDE);
                              ^
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:489:30: note: suggested alternative: 'ADC0'
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:489:54: error: 'WDE' was not declared in this scope
     _WD_CONTROL_REG |= (1 << _WD_CHANGE_BIT) | (1 << WDE);
                                                      ^~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:489:54: note: suggested alternative: 'WDT'
     _WD_CONTROL_REG |= (1 << _WD_CHANGE_BIT) | (1 << WDE);
                                                      ^~~
                                                      WDT
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:490:29: error: 'WDIE' was not declared in this scope
     _WD_CONTROL_REG = (1 << WDIE);
                             ^~~~
C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto\src\RNG.cpp:490:29: note: suggested alternative: 'WDT'
     _WD_CONTROL_REG = (1 << WDIE);
                             ^~~~
                             WDT
"C:\\Users\\Jurriaan\\AppData\\Local\\Arduino15\\packages\\arduino\\tools\\avr-gcc\\7.3.0-atmel3.6.1-arduino5/bin/avr-g++" -c -g -Os -w -std=gnu++11 -fpermissive -fno-exceptions -ffunction-sections -fdata-sections -fno-threadsafe-statics -Wno-error=narrowing -MMD -flto -mmcu=atmega4809 -DF_CPU=16000000L -DARDUINO=10812 -DARDUINO_AVR_UNO_WIFI_REV2 -DARDUINO_ARCH_MEGAAVR -DUNO_WIFI_REV2_328MODE -DMILLIS_USE_TIMERB3 "-IC:\\Users\\Jurriaan\\AppData\\Local\\Arduino15\\packages\\arduino\\hardware\\megaavr\\1.8.5\\cores\\arduino/api/deprecated" "-IC:\\Users\\Jurriaan\\AppData\\Local\\Arduino15\\packages\\arduino\\hardware\\megaavr\\1.8.5\\cores\\arduino" "-IC:\\Users\\Jurriaan\\AppData\\Local\\Arduino15\\packages\\arduino\\hardware\\megaavr\\1.8.5\\variants\\uno2018" "-IC:\\Users\\Jurriaan\\Documents\\Arduino\\libraries\\Crypto\\src" "C:\\Users\\Jurriaan\\Documents\\Arduino\\libraries\\Crypto\\src\\XTS.cpp" -o "C:\\Users\\Jurriaan\\AppData\\Local\\Temp\\arduino_build_653946\\libraries\\Crypto\\XTS.cpp.o"
Using library Crypto at version 0.2.0 in folder: C:\Users\Jurriaan\Documents\Arduino\libraries\Crypto 
exit status 1
Error compiling for board Arduino Uno WiFi Rev2.

Adding Padding using Crypto library

Looking through the Crypto library, I wasn't able to find an implementation of the different types of standard padding to be added when the size of the data to be enciphered/deciphered is not a multiple of the block size. Why is this feature not present?

Error compiling for new Arduino core for the ESP32

"C:\Users\username\Documents\Arduino\libraries\Crypto\src\AES.h:200:10: fatal error: hwcrypto/aes.h: No such file or directory"

Board selected on Arduino IDE: ESP32 Dev Module

Comment:

  • It appears that with Arduino core for the ESP32 version 2.0, the folder hwcrypto no longer exists.
    • Compiles correctly with the previous version (1.0.6)

ECDH not using private key as input

Hi,

Great job on this project, it is top notch. I am using a modified version of the RNG, AES-GCM, and Ed25519 for our OnlyKey firmware.

I am implementing ECDH now and I am wondering if I am missing something here. You have DH1 and DH2 functions but neither uses the private key as an input, just public key. https://rweather.github.io/arduinolibs/classCurve25519.html

The other implementations I have seen use a private and a public key to generate the shared secret, mbedtls for example. I have to be missing something here, because using the public keys from each party to generate the shared secret would mean that anyone with access to the public keys would be able to generate the shared secret too and decrypt the communication.

Thanks,
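Both phases of the library's Curve25519 exchange, as an added example that is not from the post above or from the library's own sketches: dh1() produces a key pair, and dh2() takes the peer's public key together with the caller's own secret from dh1(), which is where the private key enters. Both parties are simulated on one board so the result can be checked locally; the RNG tag string is an arbitrary constructed value.

```arduino
#include <Crypto.h>
#include <Curve25519.h>
#include <RNG.h>

// Two parties simulated on one board. In a real exchange only the
// *_public buffers travel over the wire; the *_secret buffers stay local.
uint8_t alice_secret[32], alice_public[32];
uint8_t bob_secret[32], bob_public[32];

// Run a full exchange and return true if both sides derive the same secret.
bool runExchange() {
    // Phase 1: dh1(k, f) fills k with the public key and f with the secret.
    Curve25519::dh1(alice_public, alice_secret);
    Curve25519::dh1(bob_public, bob_secret);

    // Phase 2: dh2(k, f) expects the peer's public key in k and the caller's
    // own secret in f. On return k holds the shared secret and f is zeroed,
    // so each secret key is consumed by its dh2() call.
    uint8_t alice_shared[32], bob_shared[32];
    memcpy(alice_shared, bob_public, 32);   // what Alice received from Bob
    memcpy(bob_shared, alice_public, 32);   // what Bob received from Alice

    // dh2() returns false when the peer's public key is a weak (low-order)
    // point; treat that as a failed exchange rather than using the result.
    if (!Curve25519::dh2(alice_shared, alice_secret)) return false;
    if (!Curve25519::dh2(bob_shared, bob_secret)) return false;

    bool same = memcmp(alice_shared, bob_shared, 32) == 0;
    clean(alice_shared);   // wipe the derived secrets from RAM
    clean(bob_shared);
    return same;
}

void setup() {
    Serial.begin(9600);
    // dh1() draws its randomness from the library's RNG, which must be
    // started first; the tag is a constructed application identifier.
    RNG.begin("Curve25519 DH example");
    Serial.println(runExchange() ? "Shared secrets match" : "Exchange failed");
}

void loop() {
    RNG.loop();   // keep stirring entropy into the RNG between operations
}
```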

RNG Compilation on STM32L073RZ

The STM32L073RZ has a HW RNG with the unfortunate register name of RNG.
This collides with the RNGClass RNG; line at RNG.cpp:159.

The RNG global needs a new name.

I suffixed RNG with _, making RNG_, as a temporary hack. Fortunately I do not need the RNG at this time.

Exception (3) problem with Wemos D1 - methods: update/finalize

Hello there,

I have a memory problem (on Wemos D1... on Arduino UNO it works fine) with the methods update/finalize in the lib blake2s.cpp (the reset method works properly on both hw).

When I call one of these (e.g. blake.update(salted_code, sizeof(salted_code));), in the console I can see only:

Exception (3):
epc1=0x4020211d epc2=0x00000000 epc3=0x00000000 excvaddr=0x40230420 depc=0x00000000

ctx: cont 
sp: 3ffef600 end: 3ffef920 offset: 01a0


First, I think it is a similar problem to the one resolved here:
https://github.com/rweather/arduinolibs/issues/20#issuecomment-366459155

But I don't know how it was resolved, or whether I can print some debug notes via library methods.
I'm adding @freezedi, because he had a similar problem and resolved it.

I hope that one of you can help me with this problem.

Best regards
Ján

Error with Speck Library Example

I'm getting lots of compilation errors in the Speck example. I already updated my Arduino IDE.

The many errors include:

In file included from C:\Program Files (x86)\Arduino\libraries\Crypto\Ed25519.cpp:27:0:
C:\Program Files (x86)\Arduino\libraries\Crypto\utility/LimbUtil.h:60:48: warning: right shift count >= width of type
                         ((uint16_t)((value) >> 16))
C:\Program Files (x86)\Arduino\libraries\Crypto\utility/LimbUtil.h:61:25: note: in expansion of macro 'LIMB'
 #define LIMB_PAIR(x,y)  LIMB((x)), LIMB((y))
                         ^
C:\Program Files (x86)\Arduino\libraries\Crypto\Ed25519.cpp:100:5: note: in expansion of macro 'LIMB_PAIR'
     LIMB_PAIR(0x00000001, 0x00000000), LIMB_PAIR(0x00000000, 0x00000000),

And so on, many many errors like this.

I just opened the example and tried to compile it. What's going on?

Wastes global RAM

For instance, if I want to use simple Acorn128, it steals 153 bytes from the global memory of the microcontroller!
That's definitely bad behavior.

Every byte matters in embedded programming.

Combining GCM and CTR mode

Hello,

Is it possible to combine multiple modes of AES encryption?
I tried to combine GCM and CTR mode with HMAC in the same program and the program crashed.
Please suggest how to implement it.

Tips for saving RAM?

Hello,

I've been trying out this library (which is great by the way!), but it seems to consume a lot of SRAM. I've already tried to squeeze as much RAM as possible from my program, (not using Strings and allocating variables to flash with PROGMEM) and I don't know where else to cut.

I'm using the XTS-AES128 and SHA256 alongside the SD and Serial libraries. I managed to have the encryption functioning, but once I add the SHA256 there isn't enough memory to open files in the SD card. Both the XTS and SHA256 are declared as variables, should I use pointers instead?

So, what do you recommend?

(I'm using an Arduino UNO, btw)

EEPROM24 libs modify

Hi, I have used the EEPROM24 library for some time with excellent results. I have a request: how can I change it to hide the EEPROM ACK?
I would like to write to the EEPROM without waiting for its answer.
Can you show me how to make the change?
Thank you

AES128 - CTR Decrypted data is different from original

I'm learning cryptography and I managed to use AES without CTR, but when I added the CTR mode the decrypted data does not match the original. In my application I'll use an Arduino UNO r3 to send luminosity sensor data to a node-red application using MQTT and in JSON format (the application will get more complex and I plan on using the node-red interface to open a door, for instance). Sorry for the newbie doubt, but can you help me to understand what is wrong with my code?

```arduino
#include <Crypto.h>
#include <AES.h>
#include <CTR.h>

CTR<AES128> ctraes128;

byte payload_encrypted[16];
byte payload_decrypted[16];

byte iv[16] = {
    0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
};
const char key[16] = "5TGB&YHN7UJM(IK<";
const char text[16] = "Single block msg";

// Loads the key and IV into the cipher; both must be set before each pass.
bool prepareCipher(Cipher *cipher, byte key[], byte iv[]) {
    cipher->clear();
    if (!cipher->setKey(key, cipher->keySize())) {
        return false;
    }
    if (!cipher->setIV(iv, cipher->ivSize())) {
        return false;
    }
    return true;
}

void encryptData(Cipher *cipher, const uint8_t data[], uint8_t encryptedData[], size_t tam) {
    size_t posn, len, inc;
    inc = 1; // idk what it does but it was used in the example
    for (posn = 0; posn < tam; posn += inc) {
        len = tam - posn;
        if (len > inc)
            len = inc;
        cipher->encrypt(encryptedData + posn, data + posn, len);
    }
    cipher->clear(); // wipes the key and IV from the cipher object

    Serial.print("Payload Encrypted: ");
    for (unsigned int i = 0; i < sizeof(text); i++) {
        Serial.print(payload_encrypted[i]);
        Serial.print(":");
    }
    Serial.println();
}

void decryptData(Cipher *cipher, const uint8_t encryptedData[], uint8_t data[], size_t tam) {
    size_t posn, len, inc;
    inc = 1; // idk what it does but it was used in the example
    for (posn = 0; posn < tam; posn += inc) {
        len = tam - posn;
        if (len > inc)
            len = inc;
        cipher->decrypt(data + posn, encryptedData + posn, len);
    }
    cipher->clear();

    Serial.print("Payload Decrypted: ");
    for (unsigned int i = 0; i < sizeof(text); i++) {
        Serial.print(payload_decrypted[i]);
        Serial.print(":");
    }
    Serial.println();
}

void setup() {
    Serial.begin(9600);
    Serial.print("Original text msg: ");
    for (unsigned int i = 0; i < sizeof(text); i++) {
        Serial.print(text[i], HEX);
        Serial.print(":");
    }
    Serial.println();

    // The cipher is prepared once, then used for both passes.
    prepareCipher(&ctraes128, (byte*) key, iv);
    encryptData(&ctraes128, (byte*) text, payload_encrypted, sizeof(text));
    decryptData(&ctraes128, payload_encrypted, payload_decrypted, sizeof(text));
}

void loop() {
}
```

Output

Original text msg: 53:69:6E:67:6C:65:20:62:6C:6F:63:6B:20:6D:73:67:
Payload Encrypted: 195:215:51:126:242:227:195:100:216:60:7:16:140:95:79:209:
Payload Decrypted: 245:225:5:72:196:213:245:82:238:10:49:38:186:105:121:231:
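In the sketch above, the decryption pass runs on a cipher object whose key and IV were wiped by clear() at the end of the encryption pass, so the CTR keystream it produces is unrelated to the one used for encryption. The following added example (not from the post or the library's own sketches) shows the same CTR-AES128 round trip with the cipher re-keyed and the IV re-set before decryption, and checks the result on the device; key, IV and message are the constructed values from the post.

```arduino
#include <Crypto.h>
#include <AES.h>
#include <CTR.h>

CTR<AES128> ctraes128;

// Same constructed key, IV and message as in the post above.
const byte key[16] = { '5','T','G','B','&','Y','H','N','7','U','J','M','(','I','K','<' };
byte iv[16] = {
    0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
};
const char text[] = "Single block msg";
const size_t LEN = sizeof(text) - 1;   // 16 bytes, without the NUL

byte payload_encrypted[LEN];
byte payload_decrypted[LEN];

// CTR must be (re)initialised with the same key and IV before each pass,
// because clear() erases both. Returns false if the library rejects them.
bool prepareCipher(Cipher *cipher, const byte *k, const byte *nonce) {
    cipher->clear();
    if (!cipher->setKey(k, cipher->keySize()))
        return false;
    return cipher->setIV(nonce, cipher->ivSize());
}

void setup() {
    Serial.begin(9600);

    // Pass 1: encrypt. CTR is a stream mode, so one call on the whole
    // buffer gives the same bytes as the one-byte-at-a-time loop.
    if (!prepareCipher(&ctraes128, key, iv)) {
        Serial.println("setKey/setIV failed");
        return;
    }
    ctraes128.encrypt(payload_encrypted, (const byte *)text, LEN);
    ctraes128.clear();   // key and IV are now gone from the object

    // Pass 2: decrypt. Re-key and re-set the IV first; skipping this
    // step is what turns the decrypted bytes into garbage.
    if (!prepareCipher(&ctraes128, key, iv)) {
        Serial.println("setKey/setIV failed");
        return;
    }
    ctraes128.decrypt(payload_decrypted, payload_encrypted, LEN);
    ctraes128.clear();

    // Verify the round trip byte by byte.
    bool match = memcmp(payload_decrypted, text, LEN) == 0;
    Serial.print("Round trip ");
    Serial.println(match ? "OK" : "MISMATCH");
}

void loop() {}
```

Using two separate cipher objects, or deferring clear() until after decryption, achieves the same thing; what matters is that the decrypting cipher holds the same key and the same starting counter block as the encrypting one.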

HKDF support

Hi!

It would be nice to have HMAC Key Derivation Function (RFC 5869: https://tools.ietf.org/html/rfc5869) support for Crypto's Hash classes.
I wrote (and tested) an implementation which works with the SHA256 module and might also work with other Hash classes. If you are interested I would be glad to contribute to this project.

Best regards,

Miguel A.
