traces-ae.patch (9453B)
1 diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c 2 index 6f869c3..f7bdbde 100644 3 --- a/src/ref/lilliput-i.c 4 +++ b/src/ref/lilliput-i.c 5 @@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ 6 This file implements Lilliput-AE's nonce-respecting mode based on ΘCB3. 7 */ 8 9 +#include "debug.h" 10 + 11 #include <stdbool.h> 12 #include <stdint.h> 13 #include <string.h> 14 @@ -104,32 +106,54 @@ static void _encrypt_message( 15 uint8_t checksum[BLOCK_BYTES]; 16 memset(checksum, 0, BLOCK_BYTES); 17 18 + fprintf(DUMP, "message encryption\n"); 19 + 20 for (size_t j=0; j<l; j++) 21 { 22 + fprintf(DUMP, " j=%zu\n", j); 23 + 24 + debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8); 25 xor_into(checksum, &M[j*BLOCK_BYTES]); 26 + debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8); 27 _fill_msg_tweak(0x0, j, tweak); 28 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 29 encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]); 30 + debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8); 31 } 32 33 if (rest == 0) 34 { 35 + fprintf(DUMP, " no padding\n"); 36 + 37 _fill_msg_tweak(0x1, l, tweak); 38 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 39 encrypt(key, tweak, checksum, Final); 40 + debug_dump_buffer("Final", BLOCK_BYTES, Final, 8); 41 } 42 else 43 { 44 + fprintf(DUMP, " padding\n"); 45 + 46 uint8_t M_rest[BLOCK_BYTES]; 47 uint8_t Pad[BLOCK_BYTES]; 48 49 pad10(rest, &M[l*BLOCK_BYTES], M_rest); 50 + debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8); 51 + debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8); 52 xor_into(checksum, M_rest); 53 + debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8); 54 55 _fill_msg_tweak(0x4, l, tweak); 56 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 57 encrypt(key, tweak, _0n, Pad); 58 xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad); 59 + debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8); 60 + debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8); 61 62 _fill_msg_tweak(0x5, l+1, tweak); 63 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 64 encrypt(key, tweak, checksum, Final); 65 + debug_dump_buffer("Final", BLOCK_BYTES, Final, 8); 66 } 67 } 68 69 @@ -151,32 +175,54 @@ static void _decrypt_message( 70 uint8_t checksum[BLOCK_BYTES]; 71 memset(checksum, 0, BLOCK_BYTES); 72 73 + fprintf(DUMP, "message decryption\n"); 74 + 75 for (size_t j=0; j<l; j++) 76 { 77 + fprintf(DUMP, " j=%zu\n", j); 78 + 79 + debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8); 80 _fill_msg_tweak(0x0, j, tweak); 81 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 82 decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]); 83 + debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8); 84 xor_into(checksum, &M[j*BLOCK_BYTES]); 85 + debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8); 86 } 87 88 if (rest == 0) 89 { 90 + fprintf(DUMP, " no padding\n"); 91 + 92 _fill_msg_tweak(0x1, l, tweak); 93 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 94 encrypt(key, tweak, checksum, Final); 95 + debug_dump_buffer("Final", BLOCK_BYTES, Final, 8); 96 } 97 else 98 { 99 + fprintf(DUMP, " padding\n"); 100 + 101 uint8_t M_rest[BLOCK_BYTES]; 102 uint8_t Pad[BLOCK_BYTES]; 103 104 + debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8); 105 _fill_msg_tweak(0x4, l, tweak); 106 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 107 encrypt(key, tweak, _0n, Pad); 108 + debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8); 109 xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad); 110 + debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8); 111 112 pad10(rest, &M[l*BLOCK_BYTES], M_rest); 113 + debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8); 114 xor_into(checksum, M_rest); 115 116 _fill_msg_tweak(0x5, l+1, tweak); 117 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 118 + debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8); 119 encrypt(key, tweak, checksum, Final); 120 + debug_dump_buffer("Final", BLOCK_BYTES, Final, 8); 121 } 122 } 123 124 @@ -186,7 +232,13 @@ static void _generate_tag( 125 uint8_t tag[TAG_BYTES] 126 ) 127 { 128 + fprintf(DUMP, "generating tag\n"); 129 + debug_dump_buffer("Final", BLOCK_BYTES, Final, 8); 130 + debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8); 131 + 132 xor_arrays(TAG_BYTES, tag, Final, Auth); 133 + 134 + debug_dump_buffer("tag", TAG_BYTES, tag, 8); 135 } 136 137 138 diff --git a/src/ref/lilliput-ii.c b/src/ref/lilliput-ii.c 139 index 862892c..7dfb38e 100644 140 --- a/src/ref/lilliput-ii.c 141 +++ b/src/ref/lilliput-ii.c 142 @@ -15,6 +15,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ 143 This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2. 144 */ 145 146 +#include "debug.h" 147 + 148 #include <stdbool.h> 149 #include <stdint.h> 150 #include <string.h> 151 @@ -79,24 +81,40 @@ static void _generate_tag( 152 size_t l = M_len / BLOCK_BYTES; 153 size_t rest = M_len % BLOCK_BYTES; 154 155 + fprintf(DUMP, "computing tag\n"); 156 + debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8); 157 + 158 for (size_t j=0; j<l; j++) 159 { 160 + fprintf(DUMP, " j=%zu\n", j); 161 fill_index_tweak(0x0, j, tweak); 162 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 163 encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj); 164 + debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8); 165 + debug_dump_buffer("Ek(Mj)", BLOCK_BYTES, Ek_Mj, 8); 166 xor_into(tag_tmp, Ek_Mj); 167 + debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8); 168 } 169 170 if (rest != 0) 171 { 172 + fprintf(DUMP, " l=%zu (padding)\n", l); 173 uint8_t M_rest[BLOCK_BYTES]; 174 pad10(rest, &M[l*BLOCK_BYTES], M_rest); 175 fill_index_tweak(0x4, l, tweak); 176 + debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8); 177 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 178 encrypt(key, tweak, M_rest, Ek_Mj); 179 + debug_dump_buffer("Ek(M*)", BLOCK_BYTES, Ek_Mj, 8); 180 xor_into(tag_tmp, Ek_Mj); 181 + debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8); 182 } 183 184 + fprintf(DUMP, " Ek(tag)\n"); 185 _fill_tag_tweak(N, tweak); 186 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 187 encrypt(key, tweak, tag_tmp, tag); 188 + debug_dump_buffer("tag = Ek(tag)", TAG_BYTES, tag, 8); 189 } 190 191 static void _encrypt_message( 192 @@ -120,18 +138,33 @@ static void _encrypt_message( 193 size_t l = M_len / BLOCK_BYTES; 194 size_t rest = M_len % BLOCK_BYTES; 195 196 + fprintf(DUMP, "message encryption\n"); 197 + 198 for (size_t j=0; j<l; j++) 199 { 200 + fprintf(DUMP, " j=%zu\n", j); 201 + 202 _fill_msg_tweak(tag, j, tweak); 203 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 204 encrypt(key, tweak, padded_N, Ek_N); 205 + debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8); 206 + debug_dump_buffer("Ek(Mj, N)", BLOCK_BYTES, Ek_N, 8); 207 + debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8); 208 xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N); 209 + debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8); 210 } 211 212 if (rest != 0) 213 { 214 + fprintf(DUMP, " l=%zu (padding)\n", l); 215 _fill_msg_tweak(tag, l, tweak); 216 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 217 encrypt(key, tweak, padded_N, Ek_N); 218 + debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8); 219 + debug_dump_buffer("Ek(M*, N)", BLOCK_BYTES, Ek_N, 8); 220 + debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8); 221 xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N); 222 + debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8); 223 } 224 } 225 226 diff --git a/src/ref/lilliput-ae-utils.h b/src/ref/lilliput-ae-utils.h 227 index 6b60adc..0bd77cf 100644 228 --- a/src/ref/lilliput-ae-utils.h 229 +++ b/src/ref/lilliput-ae-utils.h 230 @@ -18,6 +18,8 @@ This file provides functions used by both authenticated encryption modes. 231 #ifndef LILLIPUT_AE_UTILS_H 232 #define LILLIPUT_AE_UTILS_H 233 234 +#include "debug.h" 235 + 236 #include <stddef.h> 237 #include <stdint.h> 238 #include <string.h> 239 @@ -122,20 +124,45 @@ static void process_associated_data( 240 size_t l_a = A_len / BLOCK_BYTES; 241 size_t rest = A_len % BLOCK_BYTES; 242 243 + fprintf(DUMP, "computing Auth\n"); 244 + 245 for (size_t i=0; i<l_a; i++) 246 { 247 + fprintf(DUMP, " i=%zu\n", i); 248 + 249 fill_index_tweak(0x2, i, tweak); 250 + 251 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 252 + 253 encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai); 254 + 255 + debug_dump_buffer("Ai", BLOCK_BYTES, &A[i*BLOCK_BYTES], 8); 256 + debug_dump_buffer("Ek(Ai)", BLOCK_BYTES, Ek_Ai, 8); 257 + 258 xor_into(Auth, Ek_Ai); 259 + 260 + debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8); 261 } 262 263 if (rest != 0) 264 { 265 uint8_t A_rest[BLOCK_BYTES]; 266 pad10(rest, &A[l_a*BLOCK_BYTES], A_rest); 267 + 268 + fprintf(DUMP, " l_a=%zu (padding)\n", l_a); 269 + 270 fill_index_tweak(0x6, l_a, tweak); 271 + 272 + debug_dump_buffer("pad10*(A*)", BLOCK_BYTES, A_rest, 8); 273 + debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8); 274 + 275 encrypt(key, tweak, A_rest, Ek_Ai); 276 + 277 + debug_dump_buffer("Ek(A*)", BLOCK_BYTES, Ek_Ai, 8); 278 + 279 xor_into(Auth, Ek_Ai); 280 + 281 + debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8); 282 } 283 } 284