commit 4f87e35373acd3817ee6eebfc40d06918960aa0c
parent ef586cbef9eaff6a4409d777cd6102ec68e2e47a
Author: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Wed, 28 Nov 2018 18:33:53 +0100
Remaniement de la génération des traces
Pour que les traces des modes AE ne comprennent pas les traces de la
partie TBC.
Diffstat:
10 files changed, 602 insertions(+), 466 deletions(-)
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,2 @@
results
-traces.tgz
+traces*.tgz
diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@ implementations = $(dir \
$(shell find crypto_aead -name Makefile) \
)
-delegated = clean test traces
+delegated = clean test
.PHONY: $(delegated)
@@ -15,14 +15,14 @@ $(delegated)::
exit $$status
clean::
- - rm traces.tgz
+ - rm traces*.tgz
# To generate complete traces, apply this patch before running "make traces":
# $ git apply traces.patch
# To update this patch, add print statements, then run
# $ git diff src > traces.patch
-traces:: traces.tgz
+traces: traces-ae traces-tbc
-traces.tgz:
+traces-%:
@ echo "Collecting traces"
- @ ./collect-traces.sh
+ @ ./collect-traces.sh $@
diff --git a/collect-traces.sh b/collect-traces.sh
@@ -2,13 +2,27 @@
set -eu
+trace_type=$1
+
d=$(mktemp -d)
-for f in $(find . -name 'traces-*.txt')
+git apply ${trace_type}.patch
+
+for makefile in $(find crypto_aead -name Makefile)
do
- cp ${f} ${d}
+ implem_dir=$(dirname ${makefile})
+ make -C ${implem_dir} clean
+
+ [[ ${implem_dir} =~ lilliputae(i|ii)([0-9]+)v ]]
+
+ ae_type=${BASH_REMATCH[1]}
+ keysize=${BASH_REMATCH[2]}
+ make -C ${implem_dir} ${trace_type}-${keysize}-${ae_type}
+ cp ${implem_dir}/results/traces*.txt ${d}
done
-tar czf traces.tgz -C ${d} .
+tar czf ${trace_type}.tgz -C ${d} .
rm -r ${d}
+
+git apply --reverse ${trace_type}.patch
diff --git a/crypto_aead/lilliputaei128v1/ref/Makefile b/crypto_aead/lilliputaei128v1/ref/Makefile
@@ -1,7 +1,7 @@
tests = test-tweakey test-tbc-encrypt test-tbc-decrypt \
test-ae-roundtrip test-ae-encrypt test-ae-decrypt
-traces = traces-ae-128-i
+traces = traces-ae-128-i traces-tbc-256-i
include src/common.mk
@@ -13,6 +13,7 @@ results/test-tbc-encrypt: results/src/cipher.o results/src/tweakey.o results/src
results/test-tweakey: results/src/tweakey.o results/src/constants.o | results
results/traces-ae-128-i: results/src/lilliput-ae-i.o results/src/cipher.o results/src/tweakey.o results/src/constants.o | results/src
+results/traces-tbc-128-i: results/src/cipher.o results/src/tweakey.o results/src/constants.o | results/src
results/test-ae-decrypt.o: src/lilliput-ae.h
results/test-ae-encrypt.o: src/lilliput-ae.h
diff --git a/crypto_aead/lilliputaei128v1/ref/test/traces-tbc-128-i.c b/crypto_aead/lilliputaei128v1/ref/test/traces-tbc-128-i.c
@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <stdint.h>
+
+#include "cipher.h"
+
+#include "debug.h"
+#include "test-helpers.h"
+
+
+FILE *DUMP;
+
+
+struct vector
+{
+ char *name;
+ uint8_t key[KEY_BYTES];
+ uint8_t tweak[TWEAK_BYTES];
+ uint8_t message[BLOCK_BYTES];
+};
+
+typedef struct vector vector;
+
+
+const vector VECTORS[] = {
+ {
+ .name = "order",
+ .key = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ },
+ .tweak = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ },
+ .message = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ }
+ }
+};
+
+
+int main()
+{
+ for (const vector *v=VECTORS; v<ARRAY_END(VECTORS); v++)
+ {
+ debug_open_dump("tbc-128-i", v->name);
+ debug_dump_buffer("message", BLOCK_BYTES, v->message, 0);
+ debug_dump_buffer("key", KEY_BYTES, v->key, 0);
+ debug_dump_buffer("tweak", TWEAK_BYTES, v->tweak, 0);
+
+ uint8_t ciphertext[BLOCK_BYTES];
+
+ lilliput_tbc_encrypt(v->key, v->tweak, v->message, ciphertext);
+
+ debug_dump_buffer("ciphertext", BLOCK_BYTES, ciphertext, 0);
+
+ fclose(DUMP);
+ }
+}
diff --git a/crypto_aead/lilliputaeii128v1/ref/Makefile b/crypto_aead/lilliputaeii128v1/ref/Makefile
@@ -1,11 +1,12 @@
tests = test-ae-roundtrip
-traces = traces-ae-128-ii
+traces = traces-ae-128-ii traces-tbc-128-ii
include src/common.mk
results/test-ae-roundtrip: results/src/lilliput-ae-ii.o results/src/cipher.o results/src/tweakey.o results/src/constants.o | results
results/traces-ae-128-ii: results/src/lilliput-ae-ii.o results/src/cipher.o results/src/tweakey.o results/src/constants.o | results/src
+results/traces-tbc-128-ii: results/src/cipher.o results/src/tweakey.o results/src/constants.o | results/src
results/test-ae-roundtrip.o: src/lilliput-ae.h
diff --git a/crypto_aead/lilliputaeii128v1/ref/test/traces-tbc-128-ii.c b/crypto_aead/lilliputaeii128v1/ref/test/traces-tbc-128-ii.c
@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <stdint.h>
+
+#include "cipher.h"
+
+#include "debug.h"
+#include "test-helpers.h"
+
+
+FILE *DUMP;
+
+
+struct vector
+{
+ char *name;
+ uint8_t key[KEY_BYTES];
+ uint8_t tweak[TWEAK_BYTES];
+ uint8_t message[BLOCK_BYTES];
+};
+
+typedef struct vector vector;
+
+
+const vector VECTORS[] = {
+ {
+ .name = "order",
+ .key = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ },
+ .tweak = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ },
+ .message = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ }
+ }
+};
+
+
+int main()
+{
+ for (const vector *v=VECTORS; v<ARRAY_END(VECTORS); v++)
+ {
+ debug_open_dump("tbc-128-ii", v->name);
+ debug_dump_buffer("message", BLOCK_BYTES, v->message, 0);
+ debug_dump_buffer("key", KEY_BYTES, v->key, 0);
+ debug_dump_buffer("tweak", TWEAK_BYTES, v->tweak, 0);
+
+ uint8_t ciphertext[BLOCK_BYTES];
+
+ lilliput_tbc_encrypt(v->key, v->tweak, v->message, ciphertext);
+
+ debug_dump_buffer("ciphertext", BLOCK_BYTES, ciphertext, 0);
+
+ fclose(DUMP);
+ }
+}
diff --git a/traces-ae.patch b/traces-ae.patch
@@ -0,0 +1,275 @@
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
+index 561854e..397dac0 100644
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
+@@ -1,3 +1,5 @@
++#include "debug.h"
++
+ #ifndef AE_COMMON_H
+ #define AE_COMMON_H
+
+@@ -105,20 +107,45 @@ static void process_associated_data(
+ size_t l_a = A_len / BLOCK_BYTES;
+ size_t rest = A_len % BLOCK_BYTES;
+
++ fprintf(DUMP, "computing Auth\n");
++
+ for (size_t i=0; i<l_a; i++)
+ {
++ fprintf(DUMP, " i=%zu\n", i);
++
+ fill_index_tweak(0x2, i, tweak);
++
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
++
+ encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
++
++ debug_dump_buffer("Ai", BLOCK_BYTES, &A[i*BLOCK_BYTES], 8);
++ debug_dump_buffer("Ek(Ai)", BLOCK_BYTES, Ek_Ai, 8);
++
+ xor_into(Auth, Ek_Ai);
++
++ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
+ }
+
+ if (rest != 0)
+ {
+ uint8_t A_rest[BLOCK_BYTES];
+ pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
++
++ fprintf(DUMP, " l_a=%zu (padding)\n", l_a);
++
+ fill_index_tweak(0x6, l_a, tweak);
++
++ debug_dump_buffer("pad10*(A*)", BLOCK_BYTES, A_rest, 8);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
++
+ encrypt(key, tweak, A_rest, Ek_Ai);
++
++ debug_dump_buffer("Ek(A*)", BLOCK_BYTES, Ek_Ai, 8);
++
+ xor_into(Auth, Ek_Ai);
++
++ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
+ }
+ }
+
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
+index b1758c9..5cbb3f4 100644
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
+@@ -1,3 +1,5 @@
++#include "debug.h"
++
+ #include <stdbool.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -65,32 +67,54 @@ static void _encrypt_message(
+ memset(tweak, 0, TWEAK_BYTES);
+ memset(checksum, 0, BLOCK_BYTES);
+
++ fprintf(DUMP, "message encryption\n");
++
+ for (size_t j=0; j<l; j++)
+ {
++ fprintf(DUMP, " j=%zu\n", j);
++
++ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
+ xor_into(checksum, &M[j*BLOCK_BYTES]);
++ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
+ _fill_msg_tweak(0x0, N, j, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
++ debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
+ }
+
+ if (rest == 0)
+ {
++ fprintf(DUMP, " no padding\n");
++
+ _fill_msg_tweak(0x1, N, l-1, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, checksum, Final);
++ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
+ }
+ else
+ {
++ fprintf(DUMP, " padding\n");
++
+ uint8_t M_rest[BLOCK_BYTES];
+ uint8_t Pad[BLOCK_BYTES];
+
+ pad10(rest, &M[l*BLOCK_BYTES], M_rest);
++ debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
++ debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
+ xor_into(checksum, M_rest);
++ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
+
+ _fill_msg_tweak(0x4, N, l, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, _0n, Pad);
+ xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
++ debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8);
++ debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
+
+ _fill_msg_tweak(0x5, N, l, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, checksum, Final);
++ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
+ }
+ }
+
+@@ -112,32 +136,54 @@ static void _decrypt_message(
+ memset(tweak, 0, TWEAK_BYTES);
+ memset(checksum, 0, BLOCK_BYTES);
+
++ fprintf(DUMP, "message decryption\n");
++
+ for (size_t j=0; j<l; j++)
+ {
++ fprintf(DUMP, " j=%zu\n", j);
++
++ debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
+ _fill_msg_tweak(0x0, N, j, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
++ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
+ xor_into(checksum, &M[j*BLOCK_BYTES]);
++ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
+ }
+
+ if (rest == 0)
+ {
++ fprintf(DUMP, " no padding\n");
++
+ _fill_msg_tweak(0x1, N, l-1, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, checksum, Final);
++ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
+ }
+ else
+ {
++ fprintf(DUMP, " padding\n");
++
+ uint8_t M_rest[BLOCK_BYTES];
+ uint8_t Pad[BLOCK_BYTES];
+
++ debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
+ _fill_msg_tweak(0x4, N, l, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, _0n, Pad);
++ debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8);
+ xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
++ debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
+
+ pad10(rest, &M[l*BLOCK_BYTES], M_rest);
++ debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
+ xor_into(checksum, M_rest);
+
+ _fill_msg_tweak(0x5, N, l, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
++ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
+ encrypt(key, tweak, checksum, Final);
++ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
+ }
+ }
+
+@@ -147,7 +193,13 @@ static void _generate_tag(
+ uint8_t tag[TAG_BYTES]
+ )
+ {
++ fprintf(DUMP, "generating tag\n");
++ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
++ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
++
+ xor_arrays(TAG_BYTES, tag, Final, Auth);
++
++ debug_dump_buffer("tag", TAG_BYTES, tag, 8);
+ }
+
+
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
+index 26885e5..88f9ae0 100644
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
+@@ -1,3 +1,5 @@
++#include "debug.h"
++
+ #include <stdbool.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -62,24 +64,40 @@ static void _generate_tag(
+ size_t l = M_len / BLOCK_BYTES;
+ size_t rest = M_len % BLOCK_BYTES;
+
++ fprintf(DUMP, "computing tag\n");
++ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
++
+ for (size_t j=0; j<l; j++)
+ {
++ fprintf(DUMP, " j=%zu\n", j);
+ fill_index_tweak(0x0, j, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
++ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
++ debug_dump_buffer("Ek(Mj)", BLOCK_BYTES, Ek_Mj, 8);
+ xor_into(tag_tmp, Ek_Mj);
++ debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8);
+ }
+
+ if (rest != 0)
+ {
++ fprintf(DUMP, " l=%zu (padding)\n", l);
+ uint8_t M_rest[BLOCK_BYTES];
+ pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+ fill_index_tweak(0x4, l, tweak);
++ debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, M_rest, Ek_Mj);
++ debug_dump_buffer("Ek(M*)", BLOCK_BYTES, Ek_Mj, 8);
+ xor_into(tag_tmp, Ek_Mj);
++ debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8);
+ }
+
++ fprintf(DUMP, " Ek(tag)\n");
+ _fill_tag_tweak(N, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, tag_tmp, tag);
++ debug_dump_buffer("tag = Ek(tag)", TAG_BYTES, tag, 8);
+ }
+
+ static void _encrypt_message(
+@@ -103,18 +121,33 @@ static void _encrypt_message(
+ size_t l = M_len / BLOCK_BYTES;
+ size_t rest = M_len % BLOCK_BYTES;
+
++ fprintf(DUMP, "message encryption\n");
++
+ for (size_t j=0; j<l; j++)
+ {
++ fprintf(DUMP, " j=%zu\n", j);
++
+ _fill_msg_tweak(tag, j, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, padded_N, Ek_N);
++ debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8);
++ debug_dump_buffer("Ek(Mj, N)", BLOCK_BYTES, Ek_N, 8);
++ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
+ xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
++ debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
+ }
+
+ if (rest != 0)
+ {
++ fprintf(DUMP, " l=%zu (padding)\n", l);
+ _fill_msg_tweak(tag, l, tweak);
++ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
+ encrypt(key, tweak, padded_N, Ek_N);
++ debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8);
++ debug_dump_buffer("Ek(M*, N)", BLOCK_BYTES, Ek_N, 8);
++ debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
+ xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
++ debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
+ }
+ }
+
diff --git a/traces-tbc.patch b/traces-tbc.patch
@@ -0,0 +1,180 @@
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
+index 7f1152a..caae858 100644
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
+@@ -1,3 +1,5 @@
++#include "debug.h"
++
+ #include <stdint.h>
+ #include <string.h>
+
+@@ -47,40 +49,61 @@ static void _compute_round_tweakeys(
+ uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
+ )
+ {
++ fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS);
++
+ tweakey_state TK;
+ tweakey_state_init(&TK, key, tweak);
+ tweakey_state_extract(&TK, RTK[0], 0);
+
++ fprintf(DUMP, " 0\n");
++ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8);
++
+ for (uint8_t i=1; i<ROUNDS; i++)
+ {
++ fprintf(DUMP, " %zu\n", (size_t)i);
++
+ tweakey_state_update(&TK);
++ debug_dump_buffer("TK", TWEAK_BYTES, TK.TK, 8);
+ tweakey_state_extract(&TK, RTK[i], i);
++ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[i], 8);
+ }
+ }
+
+
+ static void _nonlinear_layer(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES])
+ {
++ fprintf(DUMP, " nonlinear layer\n");
++
++ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
++
+ uint8_t F[ROUND_TWEAKEY_BYTES];
+ for (size_t j=0; j<sizeof(F); j++)
+ {
+ F[j] = X->X[j] ^ RTK[j];
+ }
+
++ debug_dump_buffer("Xj XOR RTKj", sizeof(F), F, 12);
++
+ for (size_t j=0; j<sizeof(F); j++)
+ {
+ F[j] = S[F[j]];
+ }
+
++ debug_dump_buffer("F (post-S-box)", sizeof(F), F, 12);
++
+ for (size_t j=0; j<8; j++)
+ {
+ size_t dest_j = 15-j;
+ X->X[dest_j] ^= F[j];
+ }
++
++ debug_dump_buffer("X (post-XOR)", BLOCK_BYTES, X->X, 12);
+ }
+
+ static void _linear_layer(cipher_state *X)
+ {
++ fprintf(DUMP, " linear layer\n");
++
+ X->X[15] ^= X->X[1];
+ X->X[15] ^= X->X[2];
+ X->X[15] ^= X->X[3];
+@@ -95,6 +118,8 @@ static void _linear_layer(cipher_state *X)
+ X->X[11] ^= X->X[7];
+ X->X[10] ^= X->X[7];
+ X->X[9] ^= X->X[7];
++
++ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
+ }
+
+ static void _permutation_layer(cipher_state *X, permutation p)
+@@ -104,6 +129,8 @@ static void _permutation_layer(cipher_state *X, permutation p)
+ return;
+ }
+
++ fprintf(DUMP, " permutation layer\n");
++
+ uint8_t X_old[BLOCK_BYTES];
+ memcpy(X_old, X, sizeof(X_old));
+
+@@ -113,6 +140,8 @@ static void _permutation_layer(cipher_state *X, permutation p)
+ {
+ X->X[pi[j]] = X_old[j];
+ }
++
++ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
+ }
+
+ static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
+@@ -136,11 +165,15 @@ void lilliput_tbc_encrypt(
+ uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
+ _compute_round_tweakeys(key, tweak, RTK);
+
++ fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS);
++
+ for (uint8_t i=0; i<ROUNDS-1; i++)
+ {
++ fprintf(DUMP, " round %zu\n", (size_t)i);
+ _one_round_egfn(&X, RTK[i], PERMUTATION_ENCRYPTION);
+ }
+
++ fprintf(DUMP, " round %zu\n", (size_t)(ROUNDS-1));
+ _one_round_egfn(&X, RTK[ROUNDS-1], PERMUTATION_NONE);
+
+ memcpy(ciphertext, X.X, BLOCK_BYTES);
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
+index da97019..cbff16a 100644
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
+@@ -1,3 +1,5 @@
++#include "debug.h"
++
+ #include <stdint.h>
+ #include <string.h>
+
+@@ -32,10 +34,16 @@ void tweakey_state_extract(
+
+ for (const uint8_t *lane=TK->TK; lane<TK->TK+TWEAKEY_BYTES; lane+=LANE_BYTES)
+ {
++ fprintf(DUMP, " XORing lane %zu/%zu\n", 1+(size_t)((lane-TK->TK)/LANE_BYTES), (size_t)LANES_NB);
++ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
++ debug_dump_buffer("lane[j]", LANE_BYTES, lane, 12);
++
+ for (size_t j=0; j<LANE_BYTES; j++)
+ {
+ round_tweakey[j] ^= lane[j];
+ }
++
++ debug_dump_buffer("=> RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
+ }
+
+ round_tweakey[0] ^= i;
+@@ -44,6 +52,8 @@ void tweakey_state_extract(
+
+ static void _permute_state(tweakey_state *TK)
+ {
++ fprintf(DUMP, " permuting TK\n");
++
+ uint8_t TK_old[TWEAKEY_BYTES];
+ memcpy(TK_old, TK->TK, sizeof(TK_old));
+
+@@ -56,12 +66,19 @@ static void _permute_state(tweakey_state *TK)
+ TK->TK[j+h[k]] = TK_old[j+k];
+ }
+ }
++
++ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK_old, 12);
++ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12);
+ }
+
+ static void _multiply_state(tweakey_state *TK)
+ {
++ fprintf(DUMP, " multiplying TK\n");
++
+ /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */
+
++ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK->TK, 12);
++
+ for (size_t lane=1; lane<LANES_NB; lane++)
+ {
+ const uint8_t* P_lane = P[lane-1];
+@@ -74,6 +91,8 @@ static void _multiply_state(tweakey_state *TK)
+ TK->TK[offset] = P_lane[TK->TK[offset]];
+ }
+ }
++
++ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12);
+ }
+
+ void tweakey_state_update(tweakey_state *TK)
diff --git a/traces.patch b/traces.patch
@@ -1,455 +0,0 @@
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
-index 561854e..397dac0 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #ifndef AE_COMMON_H
- #define AE_COMMON_H
-
-@@ -105,20 +107,45 @@ static void process_associated_data(
- size_t l_a = A_len / BLOCK_BYTES;
- size_t rest = A_len % BLOCK_BYTES;
-
-+ fprintf(DUMP, "computing Auth\n");
-+
- for (size_t i=0; i<l_a; i++)
- {
-+ fprintf(DUMP, " i=%zu\n", i);
-+
- fill_index_tweak(0x2, i, tweak);
-+
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-+
- encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
-+
-+ debug_dump_buffer("Ai", BLOCK_BYTES, &A[i*BLOCK_BYTES], 8);
-+ debug_dump_buffer("Ek(Ai)", BLOCK_BYTES, Ek_Ai, 8);
-+
- xor_into(Auth, Ek_Ai);
-+
-+ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
- }
-
- if (rest != 0)
- {
- uint8_t A_rest[BLOCK_BYTES];
- pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
-+
-+ fprintf(DUMP, " l_a=%zu (padding)\n", l_a);
-+
- fill_index_tweak(0x6, l_a, tweak);
-+
-+ debug_dump_buffer("pad10*(A*)", BLOCK_BYTES, A_rest, 8);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-+
- encrypt(key, tweak, A_rest, Ek_Ai);
-+
-+ debug_dump_buffer("Ek(A*)", BLOCK_BYTES, Ek_Ai, 8);
-+
- xor_into(Auth, Ek_Ai);
-+
-+ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
- }
- }
-
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
-index 7f1152a..caae858 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdint.h>
- #include <string.h>
-
-@@ -47,40 +49,61 @@ static void _compute_round_tweakeys(
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
- )
- {
-+ fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS);
-+
- tweakey_state TK;
- tweakey_state_init(&TK, key, tweak);
- tweakey_state_extract(&TK, RTK[0], 0);
-
-+ fprintf(DUMP, " 0\n");
-+ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8);
-+
- for (uint8_t i=1; i<ROUNDS; i++)
- {
-+ fprintf(DUMP, " %zu\n", (size_t)i);
-+
- tweakey_state_update(&TK);
-+ debug_dump_buffer("TK", TWEAK_BYTES, TK.TK, 8);
- tweakey_state_extract(&TK, RTK[i], i);
-+ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[i], 8);
- }
- }
-
-
- static void _nonlinear_layer(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES])
- {
-+ fprintf(DUMP, " nonlinear layer\n");
-+
-+ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
-+
- uint8_t F[ROUND_TWEAKEY_BYTES];
- for (size_t j=0; j<sizeof(F); j++)
- {
- F[j] = X->X[j] ^ RTK[j];
- }
-
-+ debug_dump_buffer("Xj XOR RTKj", sizeof(F), F, 12);
-+
- for (size_t j=0; j<sizeof(F); j++)
- {
- F[j] = S[F[j]];
- }
-
-+ debug_dump_buffer("F (post-S-box)", sizeof(F), F, 12);
-+
- for (size_t j=0; j<8; j++)
- {
- size_t dest_j = 15-j;
- X->X[dest_j] ^= F[j];
- }
-+
-+ debug_dump_buffer("X (post-XOR)", BLOCK_BYTES, X->X, 12);
- }
-
- static void _linear_layer(cipher_state *X)
- {
-+ fprintf(DUMP, " linear layer\n");
-+
- X->X[15] ^= X->X[1];
- X->X[15] ^= X->X[2];
- X->X[15] ^= X->X[3];
-@@ -95,6 +118,8 @@ static void _linear_layer(cipher_state *X)
- X->X[11] ^= X->X[7];
- X->X[10] ^= X->X[7];
- X->X[9] ^= X->X[7];
-+
-+ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
- }
-
- static void _permutation_layer(cipher_state *X, permutation p)
-@@ -104,6 +129,8 @@ static void _permutation_layer(cipher_state *X, permutation p)
- return;
- }
-
-+ fprintf(DUMP, " permutation layer\n");
-+
- uint8_t X_old[BLOCK_BYTES];
- memcpy(X_old, X, sizeof(X_old));
-
-@@ -113,6 +140,8 @@ static void _permutation_layer(cipher_state *X, permutation p)
- {
- X->X[pi[j]] = X_old[j];
- }
-+
-+ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
- }
-
- static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
-@@ -136,11 +165,15 @@ void lilliput_tbc_encrypt(
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
- _compute_round_tweakeys(key, tweak, RTK);
-
-+ fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS);
-+
- for (uint8_t i=0; i<ROUNDS-1; i++)
- {
-+ fprintf(DUMP, " round %zu\n", (size_t)i);
- _one_round_egfn(&X, RTK[i], PERMUTATION_ENCRYPTION);
- }
-
-+ fprintf(DUMP, " round %zu\n", (size_t)(ROUNDS-1));
- _one_round_egfn(&X, RTK[ROUNDS-1], PERMUTATION_NONE);
-
- memcpy(ciphertext, X.X, BLOCK_BYTES);
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
-index b1758c9..5cbb3f4 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdbool.h>
- #include <stdint.h>
- #include <string.h>
-@@ -65,32 +67,54 @@ static void _encrypt_message(
- memset(tweak, 0, TWEAK_BYTES);
- memset(checksum, 0, BLOCK_BYTES);
-
-+ fprintf(DUMP, "message encryption\n");
-+
- for (size_t j=0; j<l; j++)
- {
-+ fprintf(DUMP, " j=%zu\n", j);
-+
-+ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
- xor_into(checksum, &M[j*BLOCK_BYTES]);
-+ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
- _fill_msg_tweak(0x0, N, j, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
-+ debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
- }
-
- if (rest == 0)
- {
-+ fprintf(DUMP, " no padding\n");
-+
- _fill_msg_tweak(0x1, N, l-1, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, checksum, Final);
-+ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
- }
- else
- {
-+ fprintf(DUMP, " padding\n");
-+
- uint8_t M_rest[BLOCK_BYTES];
- uint8_t Pad[BLOCK_BYTES];
-
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-+ debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
-+ debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
- xor_into(checksum, M_rest);
-+ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
-
- _fill_msg_tweak(0x4, N, l, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, _0n, Pad);
- xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
-+ debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8);
-+ debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
-
- _fill_msg_tweak(0x5, N, l, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, checksum, Final);
-+ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
- }
- }
-
-@@ -112,32 +136,54 @@ static void _decrypt_message(
- memset(tweak, 0, TWEAK_BYTES);
- memset(checksum, 0, BLOCK_BYTES);
-
-+ fprintf(DUMP, "message decryption\n");
-+
- for (size_t j=0; j<l; j++)
- {
-+ fprintf(DUMP, " j=%zu\n", j);
-+
-+ debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
- _fill_msg_tweak(0x0, N, j, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
-+ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
- xor_into(checksum, &M[j*BLOCK_BYTES]);
-+ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
- }
-
- if (rest == 0)
- {
-+ fprintf(DUMP, " no padding\n");
-+
- _fill_msg_tweak(0x1, N, l-1, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, checksum, Final);
-+ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
- }
- else
- {
-+ fprintf(DUMP, " padding\n");
-+
- uint8_t M_rest[BLOCK_BYTES];
- uint8_t Pad[BLOCK_BYTES];
-
-+ debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
- _fill_msg_tweak(0x4, N, l, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, _0n, Pad);
-+ debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8);
- xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
-+ debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
-
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-+ debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
- xor_into(checksum, M_rest);
-
- _fill_msg_tweak(0x5, N, l, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-+ debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
- encrypt(key, tweak, checksum, Final);
-+ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
- }
- }
-
-@@ -147,7 +193,13 @@ static void _generate_tag(
- uint8_t tag[TAG_BYTES]
- )
- {
-+ fprintf(DUMP, "generating tag\n");
-+ debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
-+ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
-+
- xor_arrays(TAG_BYTES, tag, Final, Auth);
-+
-+ debug_dump_buffer("tag", TAG_BYTES, tag, 8);
- }
-
-
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
-index 26885e5..88f9ae0 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdbool.h>
- #include <stdint.h>
- #include <string.h>
-@@ -62,24 +64,40 @@ static void _generate_tag(
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
-+ fprintf(DUMP, "computing tag\n");
-+ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
-+
- for (size_t j=0; j<l; j++)
- {
-+ fprintf(DUMP, " j=%zu\n", j);
- fill_index_tweak(0x0, j, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
-+ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
-+ debug_dump_buffer("Ek(Mj)", BLOCK_BYTES, Ek_Mj, 8);
- xor_into(tag_tmp, Ek_Mj);
-+ debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8);
- }
-
- if (rest != 0)
- {
-+ fprintf(DUMP, " l=%zu (padding)\n", l);
- uint8_t M_rest[BLOCK_BYTES];
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- fill_index_tweak(0x4, l, tweak);
-+ debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, M_rest, Ek_Mj);
-+ debug_dump_buffer("Ek(M*)", BLOCK_BYTES, Ek_Mj, 8);
- xor_into(tag_tmp, Ek_Mj);
-+ debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8);
- }
-
-+ fprintf(DUMP, " Ek(tag)\n");
- _fill_tag_tweak(N, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, tag_tmp, tag);
-+ debug_dump_buffer("tag = Ek(tag)", TAG_BYTES, tag, 8);
- }
-
- static void _encrypt_message(
-@@ -103,18 +121,33 @@ static void _encrypt_message(
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
-+ fprintf(DUMP, "message encryption\n");
-+
- for (size_t j=0; j<l; j++)
- {
-+ fprintf(DUMP, " j=%zu\n", j);
-+
- _fill_msg_tweak(tag, j, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, padded_N, Ek_N);
-+ debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8);
-+ debug_dump_buffer("Ek(Mj, N)", BLOCK_BYTES, Ek_N, 8);
-+ debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
- xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
-+ debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
- }
-
- if (rest != 0)
- {
-+ fprintf(DUMP, " l=%zu (padding)\n", l);
- _fill_msg_tweak(tag, l, tweak);
-+ debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
- encrypt(key, tweak, padded_N, Ek_N);
-+ debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8);
-+ debug_dump_buffer("Ek(M*, N)", BLOCK_BYTES, Ek_N, 8);
-+ debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
- xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
-+ debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
- }
- }
-
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
-index da97019..cbff16a 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdint.h>
- #include <string.h>
-
-@@ -32,10 +34,16 @@ void tweakey_state_extract(
-
- for (const uint8_t *lane=TK->TK; lane<TK->TK+TWEAKEY_BYTES; lane+=LANE_BYTES)
- {
-+ fprintf(DUMP, " XORing lane %zu/%zu\n", 1+(size_t)((lane-TK->TK)/LANE_BYTES), (size_t)LANES_NB);
-+ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
-+ debug_dump_buffer("lane[j]", LANE_BYTES, lane, 12);
-+
- for (size_t j=0; j<LANE_BYTES; j++)
- {
- round_tweakey[j] ^= lane[j];
- }
-+
-+ debug_dump_buffer("=> RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
- }
-
- round_tweakey[0] ^= i;
-@@ -44,6 +52,8 @@ void tweakey_state_extract(
-
- static void _permute_state(tweakey_state *TK)
- {
-+ fprintf(DUMP, " permuting TK\n");
-+
- uint8_t TK_old[TWEAKEY_BYTES];
- memcpy(TK_old, TK->TK, sizeof(TK_old));
-
-@@ -56,12 +66,19 @@ static void _permute_state(tweakey_state *TK)
- TK->TK[j+h[k]] = TK_old[j+k];
- }
- }
-+
-+ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK_old, 12);
-+ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12);
- }
-
- static void _multiply_state(tweakey_state *TK)
- {
-+ fprintf(DUMP, " multiplying TK\n");
-+
- /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */
-
-+ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK->TK, 12);
-+
- for (size_t lane=1; lane<LANES_NB; lane++)
- {
- const uint8_t* P_lane = P[lane-1];
-@@ -74,6 +91,8 @@ static void _multiply_state(tweakey_state *TK)
- TK->TK[offset] = P_lane[TK->TK[offset]];
- }
- }
-+
-+ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12);
- }
-
- void tweakey_state_update(tweakey_state *TK)
