From 2be282051a89cd69eba40aca79bb17daebb72dab Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Thu, 14 Mar 2019 09:02:07 +0100 Subject: Correction de la génération du tweak pour ΘCB3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit L'implémentation de référence se basait sur les indices figurant dans le papier de Deoxys. Deux questions à résoudre, que d'autres se sont sans doute déjà posées : - Est-ce que ce l-1 est normal dans le papier de Deoxys ? - Est-ce que nos changements d'indices sont bien tous corrects ? En tout cas, les implémentations Python et C sont maintenant d'accord. --- python/lilliput_ae_1.py | 8 ++++---- src/ref/lilliput-i.c | 8 ++++---- test/i-128/test-ae-decrypt.c | 11 +++++------ test/i-128/test-ae-encrypt.c | 8 ++++---- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/python/lilliput_ae_1.py b/python/lilliput_ae_1.py index 6d060bb..cd7fc82 100644 --- a/python/lilliput_ae_1.py +++ b/python/lilliput_ae_1.py @@ -167,7 +167,7 @@ def TreatMessageEnc(M, N, key) : C[j] = ltbc.LilliputTBCEnc(tweak, key, M[j]) if will_padd == 0 : - tweak = TweakMessage(N, l - 1, null = 1) + tweak = TweakMessage(N, l, null = 1) Final = ltbc.LilliputTBCEnc(tweak, key, checksum) else : @@ -177,7 +177,7 @@ def TreatMessageEnc(M, N, key) : pad = ltbc.LilliputTBCEnc(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) lower_part = LowPart(pad, M_BITS % BLOCK_BITS) C[l] = XorState(M[l], lower_part) - tweak_final = TweakMessage(N, l, final_padded = 1) + tweak_final = TweakMessage(N, l+1, final_padded = 1) Final = ltbc.LilliputTBCEnc(tweak_final, key, checksum) return (Final, C) @@ -201,7 +201,7 @@ def TreatMessageDec(C, N, key) : if will_padd == 0 : - tweak = TweakMessage(N, l - 1, null = 1) + tweak = TweakMessage(N, l, null = 1) Final = ltbc.LilliputTBCEnc(tweak, key, checksum) else : 
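Review bot: The index passed to `TweakMessage` for the checksum block (`l` in the `will_padd == 0` branch, `l+1` in the padded branch) has no comment tying it to the block numbering, and the commit message itself leaves open whether the re-indexing from the Deoxys paper is correct. Judging by `C[j]` and `C[l]`, full blocks appear to be numbered 0..l-1 with the partial block at `l`; a comment above the first call such as `# full blocks are 0..l-1; the tag tweak uses index l (aligned) or l+1 (padded) -- confirm against the specification` would record that convention. The same applies to the hunks at 177 and 201 in this file and to the hunk at 211 in TreatMessageDec. Both function bodies start and end outside the hunks.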
@@ -211,7 +211,7 @@ def TreatMessageDec(C, N, key) : M[l] = XorState(C[l], lower_part) m_padded = Padding10LSB(M[l], M_BITS % BLOCK_BITS) checksum = XorState(checksum, m_padded) - tweak_final = TweakMessage(N, l, final_padded = 1) + tweak_final = TweakMessage(N, l+1, final_padded = 1) Final = ltbc.LilliputTBCEnc(tweak_final, key, checksum) return (Final, M) diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c index 74248a9..97c2117 100644 --- a/src/ref/lilliput-i.c +++ b/src/ref/lilliput-i.c @@ -93,7 +93,7 @@ static void _encrypt_message( if (rest == 0) { - _fill_msg_tweak(0x1, N, l-1, tweak); + _fill_msg_tweak(0x1, N, l, tweak); encrypt(key, tweak, checksum, Final); } else @@ -108,7 +108,7 @@ static void _encrypt_message( encrypt(key, tweak, _0n, Pad); xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad); - _fill_msg_tweak(0x5, N, l, tweak); + _fill_msg_tweak(0x5, N, l+1, tweak); encrypt(key, tweak, checksum, Final); } } @@ -140,7 +140,7 @@ static void _decrypt_message( if (rest == 0) { - _fill_msg_tweak(0x1, N, l-1, tweak); + _fill_msg_tweak(0x1, N, l, tweak); encrypt(key, tweak, checksum, Final); } else @@ -155,7 +155,7 @@ static void _decrypt_message( pad10(rest, &M[l*BLOCK_BYTES], M_rest); xor_into(checksum, M_rest); - _fill_msg_tweak(0x5, N, l, tweak); + _fill_msg_tweak(0x5, N, l+1, tweak); encrypt(key, tweak, checksum, Final); } } diff --git a/test/i-128/test-ae-decrypt.c b/test/i-128/test-ae-decrypt.c index d835342..043185b 100644 --- a/test/i-128/test-ae-decrypt.c +++ b/test/i-128/test-ae-decrypt.c @@ -57,10 +57,9 @@ const vector VECTORS[] = { 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87 }, .tag = { - 0x69, 0xb6, 0x26, 0x07, 0x4f, 0x76, 0xc6, 0x3a, - 0x0e, 0x0e, 0xcd, 0xa4, 0x4b, 0xad, 0x77, 0x1f - } - , + 0x2e, 0xe5, 0xbf, 0x50, 0x87, 0x71, 0x17, 0x40, + 0x1b, 0xa7, 0xe9, 0xed, 0xd5, 0xcb, 0xec, 0x6d + }, .message = (uint8_t[]) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 
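Review bot: The tag tweak in src/ref/lilliput-i.c is built by four separate `_fill_msg_tweak` calls, two in `_encrypt_message` and two in `_decrypt_message`, each with a bare prefix (`0x1`, `0x5`) and its own index expression, so any correction has to be repeated in lockstep, as it was here. Named constants for the two prefixes and one static helper that takes `rest`, `N` and `l` and selects `(0x1, l)` or `(0x5, l+1)` would leave a single place where encryption and decryption derive the tweak. In ΘCB3 the tag depends on the checksum tweak never coinciding with a message-block tweak under the same nonce, so a comment stating that the prefix, not the index, provides that separation would help, if that is what `_fill_msg_tweak` does; its body is not in this diff. Both functions start and end outside the hunks.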
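Review bot: The replaced `.tag` bytes in this vector have no stated origin; the same holds for the second vector at -107 and for both vectors in test/i-128/test-ae-encrypt.c. The commit message says only that the Python and C implementations now agree, and both received the same index change in this commit, so their agreement does not confirm the index against the specification, which the message lists as an open question. A comment on `VECTORS` along the lines of `/* tags produced by <GENERATOR>; not yet checked against an independent reference */` would keep this known-answer test from being read as a conformance test. The `VECTORS` array starts and ends outside the hunk.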
@@ -107,8 +106,8 @@ const vector VECTORS[] = { 0x4f, 0x09 }, .tag = { - 0xbf, 0xe3, 0x8e, 0x6f, 0xda, 0x02, 0x5a, 0x63, - 0x34, 0x20, 0x4a, 0x43, 0xc2, 0x54, 0x3e, 0x5b + 0x04, 0x10, 0xbc, 0x6f, 0xe5, 0x88, 0xe0, 0xd5, + 0x09, 0x59, 0x26, 0x17, 0x12, 0x49, 0x35, 0x9a }, .message = (uint8_t[]) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, diff --git a/test/i-128/test-ae-encrypt.c b/test/i-128/test-ae-encrypt.c index 442d621..522a3e6 100644 --- a/test/i-128/test-ae-encrypt.c +++ b/test/i-128/test-ae-encrypt.c @@ -67,8 +67,8 @@ const vector VECTORS[] = { 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87 }, .tag = { - 0x69, 0xb6, 0x26, 0x07, 0x4f, 0x76, 0xc6, 0x3a, - 0x0e, 0x0e, 0xcd, 0xa4, 0x4b, 0xad, 0x77, 0x1f + 0x2e, 0xe5, 0xbf, 0x50, 0x87, 0x71, 0x17, 0x40, + 0x1b, 0xa7, 0xe9, 0xed, 0xd5, 0xcb, 0xec, 0x6d } }, { @@ -117,8 +117,8 @@ const vector VECTORS[] = { 0x4f, 0x09 }, .tag = { - 0xbf, 0xe3, 0x8e, 0x6f, 0xda, 0x02, 0x5a, 0x63, - 0x34, 0x20, 0x4a, 0x43, 0xc2, 0x54, 0x3e, 0x5b + 0x04, 0x10, 0xbc, 0x6f, 0xe5, 0x88, 0xe0, 0xd5, + 0x09, 0x59, 0x26, 0x17, 0x12, 0x49, 0x35, 0x9a } } }; -- cgit v1.2.3