From 156b597dbe5900635fd629fd95783917b7c964d8 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Mon, 3 Dec 2018 08:26:11 +0100 Subject: Documentation de l'implémentation de référence (reste) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - crypto_aead - nist - traces --- Makefile | 7 +- README.md | 54 ++++++++++ collect-traces.sh | 28 ----- traces-ae.patch | 275 ----------------------------------------------- traces-tbc.patch | 180 ------------------------------- traces/collect-traces.sh | 33 ++++++ traces/traces-ae.patch | 275 +++++++++++++++++++++++++++++++++++++++++++++++ traces/traces-tbc.patch | 180 +++++++++++++++++++++++++++++++ 8 files changed, 543 insertions(+), 489 deletions(-) delete mode 100755 collect-traces.sh delete mode 100644 traces-ae.patch delete mode 100644 traces-tbc.patch create mode 100755 traces/collect-traces.sh create mode 100644 traces/traces-ae.patch create mode 100644 traces/traces-tbc.patch diff --git a/Makefile b/Makefile index 7502c08..e840c8d 100644 --- a/Makefile +++ b/Makefile @@ -18,18 +18,13 @@ $(delegated):: exit $$status clean:: - - rm traces*.tgz - rm -r results -# To generate complete traces, apply this patch before running "make traces": -# $ git apply traces.patch -# To update this patch, add print statements, then run -# $ git diff src > traces.patch traces: traces-ae traces-tbc traces-%: | results @ echo "Collecting traces" - @ ./collect-traces.sh $@ + @ ./traces/collect-traces.sh $@ nist: | results ./nist/make-package.sh diff --git a/README.md b/README.md index 4623c02..dcafdf6 100644 --- a/README.md +++ b/README.md 
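Review bot: The `traces-%` rule now depends on an undocumented naming contract: the script it invokes builds the patch path as `traces/${trace_type}.patch` from the target name passed in `$@`, so `make traces-foo` only works if `traces/traces-foo.patch` exists, and nothing in the Makefile says so once the old comment block is deleted. A one-line comment above the rule, `# traces-%: the target name is passed to traces/collect-traces.sh and must match a traces/traces-%.patch file`, would keep that hint next to the rule. Dropping `- rm traces*.tgz` from `clean::` looks consistent, since the script now writes the tarball under `results/`, which `rm -r results` already covers.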
@@ -30,3 +30,57 @@ Also contains some support files: - `debug.h`: helper functions to ease debugging and dump intermediate values +`crypto_aead` +------------- + +Contains parameter-dependent code. There is one subfolder per member +of the Lilliput-AE family, named according to NIST's requirements: + +> The second-level directory name is a lowercase version of the name +> of the algorithm, including the version number and a family member +> identifier (if multiple family members in submission). […] Dashes, +> dots, slashes, and other punctuation marks are omitted; the +> directory name consists solely of digits (0123456789) and lowercase +> ASCII letters (acbdefghijklmnopqrstuvwxyz). + + +The subfolders are thus named `lilliputae${mode}${keybits}v1`: + +- mode is either i (for ΘCB3) or ii (for SCT-2) +- keybits is either 128, 192 or 256. + +Each subfolders contains: + +- a `ref` directory, containing parameter-dependent code for the + reference implementation and tests for these specific parameters +- other directories with additional implementations, named `add_*` + +TODO: the tests for a given family member should be moved up alongside +`ref` and `add_*` folders since they should apply to all +implementations. Also, the "parameter-dependent" code has been reduced +to a header with three constants; maybe the whole `crypto_aead` folder +could be removed. + +`nist` +------ + +Contains code to + +- generate the directory structure required by NIST +- compile each member of the Lilliput-AE family against NIST's + `genkat_aead.c` +- generate test vectors +- package code and test vectors together into `results/crypto_aead` + +The code can be run with `make nist`. + +`traces` +-------- + +Contains patches to add print statements for inputs, outputs and +intermediate values. `make traces` will + +- apply the patches +- run the trace programs +- collect traces +- revert the patches 
diff --git a/collect-traces.sh b/collect-traces.sh deleted file mode 100755 index 79d6c95..0000000 --- a/collect-traces.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash - -set -eu - -trace_type=$1 - -d=$(mktemp -d) - -git apply ${trace_type}.patch - -for makefile in $(find crypto_aead -name Makefile) -do - implem_dir=$(dirname ${makefile}) - make -C ${implem_dir} clean - - [[ ${implem_dir} =~ lilliputae(i|ii)([0-9]+)v ]] - - ae_type=${BASH_REMATCH[1]} - keysize=${BASH_REMATCH[2]} - make -C ${implem_dir} ${trace_type}-${keysize}-${ae_type} - cp ${implem_dir}/results/traces*.txt ${d} -done - -tar czf results/${trace_type}.tgz -C ${d} . - -rm -r ${d} - -git apply --reverse ${trace_type}.patch diff --git a/traces-ae.patch b/traces-ae.patch deleted file mode 100644 index 8aecdf6..0000000 --- a/traces-ae.patch +++ /dev/null 
@@ -1,275 +0,0 @@ -diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h -index 561854e..397dac0 100644 ---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h -+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h -@@ -1,3 +1,5 @@ -+#include "debug.h" -+ - #ifndef AE_COMMON_H - #define AE_COMMON_H - -@@ -105,20 +107,45 @@ static void process_associated_data( - size_t l_a = A_len / BLOCK_BYTES; - size_t rest = A_len % BLOCK_BYTES; - -+ fprintf(DUMP, "computing Auth\n"); -+ - for (size_t i=0; i - #include - #include -@@ -65,32 +67,54 @@ static void _encrypt_message( - memset(tweak, 0, TWEAK_BYTES); - memset(checksum, 0, BLOCK_BYTES); - -+ fprintf(DUMP, "message encryption\n"); -+ - for (size_t j=0; j - #include - #include -@@ -62,24 +64,40 @@ static void _generate_tag( - size_t l = M_len / BLOCK_BYTES; - size_t rest = M_len % BLOCK_BYTES; - -+ fprintf(DUMP, "computing tag\n"); -+ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8); -+ - for (size_t j=0; j - #include - -@@ -47,40 +49,61 @@ static void _compute_round_tweakeys( - uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES] - ) - { -+ fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS); -+ - tweakey_state TK; - tweakey_state_init(&TK, key, tweak); - tweakey_state_extract(&TK, RTK[0], 0); - -+ fprintf(DUMP, " 0\n"); -+ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8); -+ - for (uint8_t i=1; iX, 12); -+ - uint8_t F[ROUND_TWEAKEY_BYTES]; - for (size_t j=0; jX[j] ^ RTK[j]; - } - -+ debug_dump_buffer("Xj XOR RTKj", sizeof(F), F, 12); -+ - for (size_t j=0; jX[dest_j] ^= F[j]; - } -+ -+ debug_dump_buffer("X (post-XOR)", BLOCK_BYTES, X->X, 12); - } - - static void _linear_layer(cipher_state *X) - { -+ fprintf(DUMP, " linear layer\n"); -+ - X->X[15] ^= X->X[1]; - X->X[15] ^= X->X[2]; - X->X[15] ^= X->X[3]; -@@ -95,6 +118,8 @@ static void _linear_layer(cipher_state *X) - X->X[11] ^= X->X[7]; - X->X[10] ^= X->X[7]; - 
X->X[9] ^= X->X[7]; -+ -+ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12); - } - - static void _permutation_layer(cipher_state *X, permutation p) -@@ -104,6 +129,8 @@ static void _permutation_layer(cipher_state *X, permutation p) - return; - } - -+ fprintf(DUMP, " permutation layer\n"); -+ - uint8_t X_old[BLOCK_BYTES]; - memcpy(X_old, X, sizeof(X_old)); - -@@ -113,6 +140,8 @@ static void _permutation_layer(cipher_state *X, permutation p) - { - X->X[pi[j]] = X_old[j]; - } -+ -+ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12); - } - - static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p) -@@ -136,11 +165,15 @@ void lilliput_tbc_encrypt( - uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]; - _compute_round_tweakeys(key, tweak, RTK); - -+ fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS); -+ - for (uint8_t i=0; i - #include - -@@ -32,10 +34,16 @@ void tweakey_state_extract( - - for (const uint8_t *lane=TK->TK; laneTK+TWEAKEY_BYTES; lane+=LANE_BYTES) - { -+ fprintf(DUMP, " XORing lane %zu/%zu\n", 1+(size_t)((lane-TK->TK)/LANE_BYTES), (size_t)LANES_NB); -+ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12); -+ debug_dump_buffer("lane[j]", LANE_BYTES, lane, 12); -+ - for (size_t j=0; j RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12); - } - - round_tweakey[0] ^= i; -@@ -44,6 +52,8 @@ void tweakey_state_extract( - - static void _permute_state(tweakey_state *TK) - { -+ fprintf(DUMP, " permuting TK\n"); -+ - uint8_t TK_old[TWEAKEY_BYTES]; - memcpy(TK_old, TK->TK, sizeof(TK_old)); - -@@ -56,12 +66,19 @@ static void _permute_state(tweakey_state *TK) - TK->TK[j+h[k]] = TK_old[j+k]; - } - } -+ -+ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK_old, 12); -+ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12); - } - - static void _multiply_state(tweakey_state *TK) - { -+ fprintf(DUMP, " multiplying TK\n"); -+ - /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... 
*/ - -+ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK->TK, 12); -+ - for (size_t lane=1; laneTK[offset] = P_lane[TK->TK[offset]]; - } - } -+ -+ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12); - } - - void tweakey_state_update(tweakey_state *TK) diff --git a/traces/collect-traces.sh b/traces/collect-traces.sh new file mode 100755 index 0000000..2b5eb1e --- /dev/null +++ b/traces/collect-traces.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +set -eu + +trace_type=$1 +patch=traces/${trace_type}.patch + +# To update these patches: +# - add the tracing code you need to the source files +# - run "git diff src > traces/foo.patch" + +d=$(mktemp -d) + +git apply ${patch} + +for makefile in $(find crypto_aead -name Makefile) +do + implem_dir=$(dirname ${makefile}) + make -C ${implem_dir} clean + + [[ ${implem_dir} =~ lilliputae(i|ii)([0-9]+)v ]] + + ae_type=${BASH_REMATCH[1]} + keysize=${BASH_REMATCH[2]} + make -C ${implem_dir} ${trace_type}-${keysize}-${ae_type} + cp ${implem_dir}/results/traces*.txt ${d} +done + +tar czf results/${trace_type}.tgz -C ${d} . + +rm -r ${d} + +git apply --reverse ${patch} diff --git a/traces/traces-ae.patch b/traces/traces-ae.patch new file mode 100644 index 0000000..8aecdf6 --- /dev/null +++ b/traces/traces-ae.patch 
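Review bot: If any `make` or `cp` inside the loop fails, `set -e` aborts the script before the trailing `rm -r ${d}` and `git apply --reverse ${patch}` run, so the tracing patch stays applied in the working tree and the mktemp directory is left behind; a later `make nist` would then package the instrumented sources, whose added `debug_dump_buffer` calls print round tweakeys and cipher state. Registering the cleanup with `trap cleanup EXIT` right after `mktemp -d`, and reverting only once the patch is known to be applied, makes the undo unconditional, and the two trailing cleanup lines go away. While at it, quoting `"${patch}"`, `"${implem_dir}"` and `"${d}"` avoids word splitting, and a comment such as `# Must be run from the repository root: the patch and crypto_aead paths are relative.` would document the assumption the Makefile's `./traces/collect-traces.sh $@` invocation currently satisfies.
```shell
d=$(mktemp -d)
applied=0

# Runs on every exit path (including set -e aborts): drop the scratch dir and,
# if the tracing patch was applied, put the working tree back.
cleanup() {
    rm -rf "${d}"
    if [[ ${applied} -eq 1 ]]; then
        git apply --reverse "${patch}"
    fi
}
trap cleanup EXIT

git apply "${patch}"
applied=1

# … unchanged: per-implementation make loop and tar of the collected traces …
```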
@@ -0,0 +1,275 @@ +diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h +index 561854e..397dac0 100644 +--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h ++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h +@@ -1,3 +1,5 @@ ++#include "debug.h" ++ + #ifndef AE_COMMON_H + #define AE_COMMON_H + +@@ -105,20 +107,45 @@ static void process_associated_data( + size_t l_a = A_len / BLOCK_BYTES; + size_t rest = A_len % BLOCK_BYTES; + ++ fprintf(DUMP, "computing Auth\n"); ++ + for (size_t i=0; i + #include + #include +@@ -65,32 +67,54 @@ static void _encrypt_message( + memset(tweak, 0, TWEAK_BYTES); + memset(checksum, 0, BLOCK_BYTES); + ++ fprintf(DUMP, "message encryption\n"); ++ + for (size_t j=0; j + #include + #include +@@ -62,24 +64,40 @@ static void _generate_tag( + size_t l = M_len / BLOCK_BYTES; + size_t rest = M_len % BLOCK_BYTES; + ++ fprintf(DUMP, "computing tag\n"); ++ debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8); ++ + for (size_t j=0; j + #include + +@@ -47,40 +49,61 @@ static void _compute_round_tweakeys( + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES] + ) + { ++ fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS); ++ + tweakey_state TK; + tweakey_state_init(&TK, key, tweak); + tweakey_state_extract(&TK, RTK[0], 0); + ++ fprintf(DUMP, " 0\n"); ++ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8); ++ + for (uint8_t i=1; iX, 12); ++ + uint8_t F[ROUND_TWEAKEY_BYTES]; + for (size_t j=0; jX[j] ^ RTK[j]; + } + ++ debug_dump_buffer("Xj XOR RTKj", sizeof(F), F, 12); ++ + for (size_t j=0; jX[dest_j] ^= F[j]; + } ++ ++ debug_dump_buffer("X (post-XOR)", BLOCK_BYTES, X->X, 12); + } + + static void _linear_layer(cipher_state *X) + { ++ fprintf(DUMP, " linear layer\n"); ++ + X->X[15] ^= X->X[1]; + X->X[15] ^= X->X[2]; + X->X[15] ^= X->X[3]; +@@ -95,6 +118,8 @@ static void _linear_layer(cipher_state *X) + X->X[11] ^= X->X[7]; + X->X[10] ^= X->X[7]; + 
X->X[9] ^= X->X[7]; ++ ++ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12); + } + + static void _permutation_layer(cipher_state *X, permutation p) +@@ -104,6 +129,8 @@ static void _permutation_layer(cipher_state *X, permutation p) + return; + } + ++ fprintf(DUMP, " permutation layer\n"); ++ + uint8_t X_old[BLOCK_BYTES]; + memcpy(X_old, X, sizeof(X_old)); + +@@ -113,6 +140,8 @@ static void _permutation_layer(cipher_state *X, permutation p) + { + X->X[pi[j]] = X_old[j]; + } ++ ++ debug_dump_buffer("X", BLOCK_BYTES, X->X, 12); + } + + static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p) +@@ -136,11 +165,15 @@ void lilliput_tbc_encrypt( + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]; + _compute_round_tweakeys(key, tweak, RTK); + ++ fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS); ++ + for (uint8_t i=0; i + #include + +@@ -32,10 +34,16 @@ void tweakey_state_extract( + + for (const uint8_t *lane=TK->TK; laneTK+TWEAKEY_BYTES; lane+=LANE_BYTES) + { ++ fprintf(DUMP, " XORing lane %zu/%zu\n", 1+(size_t)((lane-TK->TK)/LANE_BYTES), (size_t)LANES_NB); ++ debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12); ++ debug_dump_buffer("lane[j]", LANE_BYTES, lane, 12); ++ + for (size_t j=0; j RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12); + } + + round_tweakey[0] ^= i; +@@ -44,6 +52,8 @@ void tweakey_state_extract( + + static void _permute_state(tweakey_state *TK) + { ++ fprintf(DUMP, " permuting TK\n"); ++ + uint8_t TK_old[TWEAKEY_BYTES]; + memcpy(TK_old, TK->TK, sizeof(TK_old)); + +@@ -56,12 +66,19 @@ static void _permute_state(tweakey_state *TK) + TK->TK[j+h[k]] = TK_old[j+k]; + } + } ++ ++ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK_old, 12); ++ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12); + } + + static void _multiply_state(tweakey_state *TK) + { ++ fprintf(DUMP, " multiplying TK\n"); ++ + /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... 
*/ + ++ debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK->TK, 12); ++ + for (size_t lane=1; laneTK[offset] = P_lane[TK->TK[offset]]; + } + } ++ ++ debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12); + } + + void tweakey_state_update(tweakey_state *TK) -- cgit v1.2.3