From b99f42d2f8fd935e93d9df7fc07850e906d2f6c9 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Mon, 1 Jul 2019 17:00:15 +0200 Subject: Ajout de la multiplication M⁴ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - α₀ devient M - α₁ M² - α₂ M³ - α₃ M⁴ - α₄ M_R - α₅ M_R² - α₆ M_R³ --- src/ref/multiplications.h | 20 ++++++++++++++++++++ src/ref/tweakey.c | 9 ++++----- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/src/ref/multiplications.h b/src/ref/multiplications.h index 4de1848..c0645b9 100644 --- a/src/ref/multiplications.h +++ b/src/ref/multiplications.h @@ -71,6 +71,26 @@ static void _multiply_M3(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]) y[0] = x[5]; } +static void _multiply_M4(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]) +{ + uint8_t a_5 = x[5]<<3 ^ x[4]; + uint8_t a_4 = x[4]>>3 ^ x[3]; + uint8_t b_5 = a_5<<3 ^ a_4; + uint8_t b_4 = a_4>>3 ^ x[2]; + + uint8_t c_4 = b_4>>3 ^ x[6]<<2 ^ x[1]; + uint8_t c_5 = b_5<<3 ^ b_4; + + y[7] = b_5; + y[6] = c_5; + y[5] = c_5<<3 ^ c_4; + y[4] = c_4>>3 ^ x[5]<<2 ^ x[0]; + y[3] = a_5<<2 ^ x[7]; + y[2] = b_5<<2 ^ x[6]; + y[1] = x[5]; + y[0] = a_5; +} + static void _multiply_MR(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]) { y[0] = x[1]; diff --git a/src/ref/tweakey.c b/src/ref/tweakey.c index 2f357ca..510f35a 100644 --- a/src/ref/tweakey.c +++ b/src/ref/tweakey.c @@ -63,10 +63,11 @@ void tweakey_state_extract( typedef void (*matrix_multiplication)(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]); -static const matrix_multiplication ALPHAS[6] = { +static const matrix_multiplication ALPHAS[7] = { _multiply_M, _multiply_M2, _multiply_M3, + _multiply_M4, _multiply_MR, _multiply_MR2, _multiply_MR3 
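Review bot: `_multiply_M4` in `src/ref/multiplications.h` is a hand-expanded network of shifts and XORs with no comment tying the intermediates `a_5`, `a_4`, `b_5`, `b_4`, `c_4`, `c_5` to the matrix it implements, so a reader cannot check it against the specification without re-deriving it. A header comment stating the contract and how the intermediates were obtained, e.g. `/* y = M^4 . x, written out as one shift/XOR network; see the matrix in the spec */` plus a note on which partial products the `a_*`/`b_*`/`c_*` rows hold (whatever the derivation actually was — I cannot tell from the code), would make it reviewable. Since every operation here is GF(2)-linear, equality with four applications of `_multiply_M` can be checked exhaustively on the 64 single-bit lanes (8 byte positions × 8 bit positions); I would add that as a unit test rather than rely only on the regenerated end-to-end vectors, and the `add_tweakeyloop` variant later in this series, which composes `_multiply_M` four times, is a natural oracle for it.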
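Review bot: `ALPHAS[7]` in `src/ref/tweakey.c` hard-codes the lane count a second time, next to the seven initializers, and nothing ties it to `LANES_NB` (used elsewhere in this series, e.g. `#if LANES_NB >= 5` in `src/add_felicsref/tweakey.c` and the trace patch's `ALPHAS[j](TKj_old, TKj)`); if the macro ever exceeds the table the update loop reads past the array and the explicit size keeps the compiler silent. Either drop the explicit size or add, after the initializer, `_Static_assert(sizeof ALPHAS / sizeof ALPHAS[0] >= LANES_NB, "ALPHAS too small for LANES_NB");` (C11, assuming the project builds as such). The loop that indexes this table is in the next hunk, which is cut off here, and the same table is changed identically in `src/add_threshold/tweakey.c` in a later commit of this series.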
@@ -75,15 +76,13 @@ static const matrix_multiplication ALPHAS[6] = { void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) { - /* Skip lane 0, as it is multiplied by the identity matrix. */ - - for (size_t j=1; j Date: Mon, 1 Jul 2019 17:16:01 +0200 Subject: Mise à jour des vecteurs de test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- test/i-128/test-ae-decrypt.c | 42 +++++++++++++++++++++--------------------- test/i-128/test-ae-encrypt.c | 42 +++++++++++++++++++++--------------------- test/i-128/test-tbc-decrypt.c | 8 ++++---- test/i-128/test-tbc-encrypt.c | 8 ++++---- test/i-128/test-tweakey.c | 6 +++--- 5 files changed, 53 insertions(+), 53 deletions(-) diff --git a/test/i-128/test-ae-decrypt.c b/test/i-128/test-ae-decrypt.c index 043185b..0a5934a 100644 --- a/test/i-128/test-ae-decrypt.c +++ b/test/i-128/test-ae-decrypt.c 
@@ -47,18 +47,18 @@ const vector VECTORS[] = { }, .ciphertext_len = 64, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80 }, .tag = { - 0x2e, 0xe5, 0xbf, 0x50, 0x87, 0x71, 0x17, 0x40, - 0x1b, 0xa7, 0xe9, 0xed, 0xd5, 0xcb, 0xec, 0x6d + 0x47, 0x5b, 0x2c, 0x0e, 0x5f, 0xcf, 0x6f, 0xc0, + 0xab, 0x3c, 0x24, 0xc1, 0x66, 0x88, 0x83, 0x38 }, .message = (uint8_t[]) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 
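Review bot: Every expected ciphertext, tag and `last_rtk` value in this commit is replaced, but nothing records how the new values were obtained; if they were produced by running the C implementation that the previous commit just changed, the tests only pin the code to itself. A sentence in the commit message or a comment above `VECTORS` naming the generating implementation (and that the independently written Python implementation, updated later in this series, reproduces them) would make the vectors auditable. The same applies to the remaining hunks of this commit in `test-ae-decrypt.c`, `test-ae-encrypt.c`, `test-tbc-decrypt.c`, `test-tbc-encrypt.c` and `test-tweakey.c`.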
@@ -95,19 +95,19 @@ const vector VECTORS[] = { }, .ciphertext_len = 66, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87, - 0x4f, 0x09 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80, + 0x27, 0x3f }, .tag = { - 0x04, 0x10, 0xbc, 0x6f, 0xe5, 0x88, 0xe0, 0xd5, - 0x09, 0x59, 0x26, 0x17, 0x12, 0x49, 0x35, 0x9a + 0xd4, 0xef, 0x1f, 0x11, 0x81, 0x90, 0xbe, 0xfd, + 0x1e, 0xa7, 0x32, 0xbe, 0x63, 0xe2, 0x18, 0x90 }, .message = (uint8_t[]) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, diff --git a/test/i-128/test-ae-encrypt.c b/test/i-128/test-ae-encrypt.c index 522a3e6..06f3b88 100644 --- a/test/i-128/test-ae-encrypt.c +++ b/test/i-128/test-ae-encrypt.c 
@@ -57,18 +57,18 @@ const vector VECTORS[] = { 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, }, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80 }, .tag = { - 0x2e, 0xe5, 0xbf, 0x50, 0x87, 0x71, 0x17, 0x40, - 0x1b, 0xa7, 0xe9, 0xed, 0xd5, 0xcb, 0xec, 0x6d + 0x47, 0x5b, 0x2c, 0x0e, 0x5f, 0xcf, 0x6f, 0xc0, + 0xab, 0x3c, 0x24, 0xc1, 0x66, 0x88, 0x83, 0x38 } }, { 
@@ -106,19 +106,19 @@ const vector VECTORS[] = { 0x40, 0x01 }, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87, - 0x4f, 0x09 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80, + 0x27, 0x3f }, .tag = { - 0x04, 0x10, 0xbc, 0x6f, 0xe5, 0x88, 0xe0, 0xd5, - 0x09, 0x59, 0x26, 0x17, 0x12, 0x49, 0x35, 0x9a + 0xd4, 0xef, 0x1f, 0x11, 0x81, 0x90, 0xbe, 0xfd, + 0x1e, 0xa7, 0x32, 0xbe, 0x63, 0xe2, 0x18, 0x90 } } }; diff --git a/test/i-128/test-tbc-decrypt.c b/test/i-128/test-tbc-decrypt.c index 6b558cb..b76f6c0 100644 --- a/test/i-128/test-tbc-decrypt.c +++ b/test/i-128/test-tbc-decrypt.c @@ -33,8 +33,8 @@ const vector VECTORS[] = { 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, .ciphertext = { - 0x8d, 0x95, 0xa2, 0x10, 0xe6, 0xb2, 0xce, 0xc2, - 0x52, 0x0b, 0x06, 0xaf, 0x26, 0x00, 0xce, 0xe5 + 0x03, 0xb0, 0x31, 0x5e, 0xd8, 0x98, 0x43, 0x7e, + 0xc5, 0x06, 0x4a, 0x83, 0x64, 0x11, 0xf8, 0x02 }, .message = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 
@@ -53,8 +53,8 @@ const vector VECTORS[] = { 0x7f, 0xf4, 0x23, 0x4d, 0x3d, 0xd5, 0xf9, 0x9b }, .ciphertext = { - 0x5b, 0x5a, 0x1c, 0xfe, 0x25, 0x6e, 0x85, 0x69, - 0x3e, 0x71, 0x3e, 0x43, 0x30, 0xa8, 0x4c, 0x82 + 0x97, 0xff, 0x85, 0x27, 0xb6, 0x09, 0x1f, 0x51, + 0xf3, 0xcb, 0xfd, 0xd0, 0xf2, 0x72, 0xa5, 0x90 }, .message = { 0xbc, 0xd7, 0xf0, 0x29, 0x84, 0xb6, 0xc8, 0xf9, diff --git a/test/i-128/test-tbc-encrypt.c b/test/i-128/test-tbc-encrypt.c index c83754b..6503455 100644 --- a/test/i-128/test-tbc-encrypt.c +++ b/test/i-128/test-tbc-encrypt.c @@ -37,8 +37,8 @@ const vector VECTORS[] = { 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, }, .ciphertext = { - 0x8d, 0x95, 0xa2, 0x10, 0xe6, 0xb2, 0xce, 0xc2, - 0x52, 0x0b, 0x06, 0xaf, 0x26, 0x00, 0xce, 0xe5 + 0x03, 0xb0, 0x31, 0x5e, 0xd8, 0x98, 0x43, 0x7e, + 0xc5, 0x06, 0x4a, 0x83, 0x64, 0x11, 0xf8, 0x02 } }, { @@ -57,8 +57,8 @@ const vector VECTORS[] = { 0x9c, 0x9d, 0x1d, 0xbd, 0x0d, 0x30, 0x94, 0x0b }, .ciphertext = { - 0x5b, 0x5a, 0x1c, 0xfe, 0x25, 0x6e, 0x85, 0x69, - 0x3e, 0x71, 0x3e, 0x43, 0x30, 0xa8, 0x4c, 0x82 + 0x97, 0xff, 0x85, 0x27, 0xb6, 0x09, 0x1f, 0x51, + 0xf3, 0xcb, 0xfd, 0xd0, 0xf2, 0x72, 0xa5, 0x90 } } }; diff --git a/test/i-128/test-tweakey.c b/test/i-128/test-tweakey.c index a9b8b5f..ba27340 100644 --- a/test/i-128/test-tweakey.c +++ b/test/i-128/test-tweakey.c @@ -32,7 +32,7 @@ const vector VECTORS[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, .last_rtk = { - 0xec, 0xb3, 0x30, 0xd0, 0xe2, 0x90, 0xc8, 0x56 + 0x53, 0x40, 0x95, 0x96, 0xea, 0x82, 0x2b, 0x28 } }, { @@ -63,7 +63,7 @@ const vector VECTORS[] = { 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, .last_rtk = { - 0xda, 0xcd, 0xb4, 0x0b, 0x7b, 0x80, 0x1e, 0x9a + 0xfa, 0xd6, 0x9e, 0x4d, 0x08, 0x9a, 0x46, 0x5b } }, { 
@@ -78,7 +78,7 @@ const vector VECTORS[] = { 0x7f, 0xf4, 0x23, 0x4d, 0x3d, 0xd5, 0xf9, 0x9b }, .last_rtk = { - 0xdd, 0xc6, 0x4e, 0xd7, 0x1a, 0x82, 0x11, 0xf3 + 0xc2, 0xd1, 0xb0, 0x98, 0xf3, 0x74, 0x8a, 0xc0 } } }; -- cgit v1.2.3 From 1ee4f19815d95de8c47e13f7c25884126ace8f55 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Mon, 1 Jul 2019 17:20:21 +0200 Subject: Mise à jour de l'implémentation tweakeyloop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/add_tweakeyloop/multiplications.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/add_tweakeyloop/multiplications.h b/src/add_tweakeyloop/multiplications.h index 45b9eaa..650373b 100644 --- a/src/add_tweakeyloop/multiplications.h +++ b/src/add_tweakeyloop/multiplications.h @@ -55,6 +55,17 @@ static void _multiply_M3(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]) _multiply_M(M2_x, y); } +static void _multiply_M4(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]) +{ + uint8_t M_x[LANE_BYTES]; + uint8_t M2_x[LANE_BYTES]; + uint8_t M3_x[LANE_BYTES]; + _multiply_M(x, M_x); + _multiply_M(M_x, M2_x); + _multiply_M(M2_x, M3_x); + _multiply_M(M3_x, y); +} + static void _multiply_MR(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]) { y[0] = x[1]; -- cgit v1.2.3 From d54453d2f50410cb437a9e4513af7289f45059f8 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Mon, 1 Jul 2019 17:25:15 +0200 Subject: Mise à jour de l'implémentation felicsref MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/add_felicsref/tweakey.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/add_felicsref/tweakey.c b/src/add_felicsref/tweakey.c index 18a7792..47badde 100644 --- a/src/add_felicsref/tweakey.c +++ b/src/add_felicsref/tweakey.c 
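Review bot: `_multiply_M4` in `src/add_tweakeyloop/multiplications.h` repeats the whole chain with three temporaries although `_multiply_M3` just above already ends the same chain with `_multiply_M(M2_x, y)`; composing on the sibling keeps one copy of the sequence: `uint8_t M3_x[LANE_BYTES];` `_multiply_M3(x, M3_x);` `_multiply_M(M3_x, y);`. The function also has no comment; `/* y = M^4 . x, computed by applying M four times (see _multiply_M). */` would state the contract in the same terms as the spec.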
@@ -81,11 +81,10 @@ static void _multiply(uint8_t TKj[LANE_BYTES], matrix_multiplication alpha) void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) { - /* Skip lane 0, as it is multiplied by the identity matrix. */ - - _multiply(TK + 1*LANE_BYTES, _multiply_M); - _multiply(TK + 2*LANE_BYTES, _multiply_M2); - _multiply(TK + 3*LANE_BYTES, _multiply_M3); + _multiply(TK + 0*LANE_BYTES, _multiply_M); + _multiply(TK + 1*LANE_BYTES, _multiply_M2); + _multiply(TK + 2*LANE_BYTES, _multiply_M3); + _multiply(TK + 3*LANE_BYTES, _multiply_M4); #if LANES_NB >= 5 _multiply(TK + 4*LANE_BYTES, _multiply_MR); -- cgit v1.2.3 From ae1a30eccd0a8e7643c82ed51d87f585dfdd4717 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Tue, 2 Jul 2019 09:47:19 +0200 Subject: Mise à jour de l'implémentation threshold MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/add_threshold/tweakey.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/add_threshold/tweakey.c b/src/add_threshold/tweakey.c index 8f531d9..7822564 100644 --- a/src/add_threshold/tweakey.c +++ b/src/add_threshold/tweakey.c @@ -90,10 +90,11 @@ void tweakey_state_extract( typedef void (*matrix_multiplication)(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]); -static const matrix_multiplication ALPHAS[6] = { +static const matrix_multiplication ALPHAS[7] = { _multiply_M, _multiply_M2, _multiply_M3, + _multiply_M4, _multiply_MR, _multiply_MR2, _multiply_MR3 
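Review bot: The removed comment explaining why lane 0 was skipped is not replaced, so the new sequence starting at `_multiply(TK + 0*LANE_BYTES, _multiply_M)` in `src/add_felicsref/tweakey.c` carries no statement of the rule it implements. Per the rest of this series this is a specification change (lane j is multiplied by M^(j+1) for j < 4, see the CHANGELOG entry tagged [spec][break]); a comment such as `/* Lane j is multiplied by alpha_j = M^(j+1); lane 0 is no longer left unchanged. */` above the first call would record that. Lanes 0–3 are unconditional while lane 4 sits under `#if LANES_NB >= 5`, which silently assumes `LANES_NB >= 4`; a one-line comment or static assertion stating that floor would make the assumption visible. The `#if` block continues past the end of the hunk.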
@@ -102,16 +103,14 @@ static const matrix_multiplication ALPHAS[6] = { void tweakey_state_update(uint8_t TK_X[TWEAKEY_BYTES], uint8_t TK_Y[KEY_BYTES]) { - /* Skip lane 0, as it is multiplied by the identity matrix. */ - - for (size_t j=1; j Date: Tue, 2 Jul 2019 10:10:59 +0200 Subject: Mise à jour des patchs de génération de traces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- traces/traces-tbc.patch | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/traces/traces-tbc.patch b/traces/traces-tbc.patch index 2b81a6b..f03cdfc 100644 --- a/traces/traces-tbc.patch +++ b/traces/traces-tbc.patch @@ -1,5 +1,5 @@ diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c -index 6f1b4b5..7a2ae05 100644 +index 8ebbbc3..c622374 100644 --- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c +++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c @@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ @@ -109,11 +109,11 @@ index 6f1b4b5..7a2ae05 100644 memcpy(ciphertext, X, BLOCK_BYTES); diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c -index 78c6060..75e9290 100644 +index 510f35a..4bf027c 100644 --- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c +++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c -@@ -19,6 +19,8 @@ where multiplications by matrices M and M_R to the power n are performed - by functions expressing the exponentiated matrices with shifts and XORs. +@@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ + This file provides the implementation of Lilliput-TBC's tweakey schedule. */ +#include "debug.h" 
@@ -121,7 +121,7 @@ index 78c6060..75e9290 100644 #include #include -@@ -54,10 +56,16 @@ void tweakey_state_extract( +@@ -51,10 +53,16 @@ void tweakey_state_extract( { const uint8_t *TKj = TK + j*LANE_BYTES; @@ -138,23 +138,23 @@ index 78c6060..75e9290 100644 } round_tweakey[0] ^= round_constant; -@@ -160,6 +168,10 @@ static const matrix_multiplication ALPHAS[6] = { +@@ -73,6 +81,10 @@ static const matrix_multiplication ALPHAS[7] = { _multiply_MR3 }; -+static char const * const ALPHAS_STR[6] = { -+ "M", "M²", "M³", "MR", "MR²", "MR³" ++static char const * const ALPHAS_STR[7] = { ++ "M", "M²", "M³", "M⁴", "MR", "MR²", "MR³" +}; + void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) { -@@ -173,5 +185,9 @@ void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) +@@ -84,5 +96,9 @@ void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) memcpy(TKj_old, TKj, LANE_BYTES); - ALPHAS[j-1](TKj_old, TKj); + ALPHAS[j](TKj_old, TKj); + -+ fprintf(DUMP, " multiplying lane %zu/%zu by %s\n", 1+j, (size_t)LANES_NB, ALPHAS_STR[j-1]); ++ fprintf(DUMP, " multiplying lane %zu/%zu by %s\n", 1+j, (size_t)LANES_NB, ALPHAS_STR[j]); + debug_dump_buffer("TK_j^i-1", LANE_BYTES, TKj_old, 12); + debug_dump_buffer("TK_j^i", LANE_BYTES, TKj, 12); } -- cgit v1.2.3 From d8ed6474dc536812eff92e13be134f10ace6086e Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Tue, 2 Jul 2019 17:39:18 +0200 Subject: Mise à jour temporaire de l'implémentation Python MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/add_python/lilliput/multiplications.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/add_python/lilliput/multiplications.py b/src/add_python/lilliput/multiplications.py index a5faa55..65c75ab 100644 --- a/src/add_python/lilliput/multiplications.py +++ b/src/add_python/lilliput/multiplications.py 
@@ -135,7 +135,6 @@ def _multiplication(m, reverse=True): ALPHAS = ( - list, # Identity. _multiplication(M), _multiplication(M2), _multiplication(M3), @@ -143,3 +142,5 @@ ALPHAS = ( _multiplication(MR2, reverse=False), _multiplication(MR3, reverse=False) ) + +ALPHAS = ALPHAS[:3] + (lambda x: ALPHAS[1](ALPHAS[1](x)),) + ALPHAS[3:] -- cgit v1.2.3 From ba601f28abb6b6080d024be4390e883e592cf40f Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Wed, 3 Jul 2019 14:22:22 +0200 Subject: Implémentation de M⁴ à l'aide de sa matrice MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/add_python/lilliput/multiplications.py | 42 +++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/src/add_python/lilliput/multiplications.py b/src/add_python/lilliput/multiplications.py index 65c75ab..09eaa08 100644 --- a/src/add_python/lilliput/multiplications.py +++ b/src/add_python/lilliput/multiplications.py @@ -23,8 +23,11 @@ from functools import reduce from operator import xor +def _shl(xi, n): + return (xi << n) & 0xff + def _Sl(n): - return lambda xi: (xi<>n @@ -36,16 +39,25 @@ def _0(xi): return 0 def _M1(xi): - return (xi<<3 ^ xi>>3) & 0xff + return _shl(xi, 3) ^ xi>>3 def _M2(xi): - return (xi<<6 ^ (xi&0b11111000) ^ xi>>6) & 0xff + return _shl(xi, 6) ^ xi&0b11111000 ^ xi>>6 def _M3(xi): - return xi & 0b00011111 + return _shl(xi>>3, 6) ^ xi>>6<<3 def _M4(xi): - return ((xi<<2) & 0xff) >> 3 + return _shl(xi, 2) >> 3 + +def _M5(xi): + return _shl(xi, 5) ^ xi>>3<<2 + +def _M6(xi): + return xi & 0b00011111 + +def _M7(xi): + return _shl(xi, 2) >> 3 M = ( 
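Review bot: `_M7` is the same function as the new `_M4` — both bodies are `return _shl(xi, 2) >> 3` — so renaming `_M4` to `_M7` in `MR3` (in the following part of this commit) only adds a second name for one operation; keep `_M4` there and drop `_M7`. More generally the sequential names `_M1`…`_M7` say nothing about the shift pattern each one applies, so a name or a one-line docstring per helper would help a reader checking the matrices against the specification. `_shl` now underpins every helper and deserves a docstring such as `"""Shift left within a byte, discarding bits shifted past bit 7."""`.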
@@ -81,6 +93,17 @@ M3 = ( ( _0, _0, _Id, _0, _0, _0, _0, _0), ) +M4 = ( + ( _0, _0, _Sl(6), _M1, _Id, _0, _0, _0), + ( _0, _0, _0, _M2, _M1, _Id, _0, _0), + ( _0, _Sl(2), _0, _M3, _M2, _M1, _Id, _0), + ( _0, _M4, _Sl(2), _0, _0, _Sr(6), _Sr(3), _Id), + (_Id, _0, _Sl(5), _Sl(2), _0, _0, _0, _0), + ( _0, _Id, _0, _M5, _Sl(2), _0, _0, _0), + ( _0, _0, _Id, _0, _0, _0, _0, _0), + ( _0, _0, _Sl(3), _Id, _0, _0, _0, _0), +) + # NB: shift directions are reversed with respect to the specification # for powers of M_R, since the specification reverses the byte order # for those matrices. @@ -99,7 +122,7 @@ MR = ( MR2 = ( ( _0, _0, _Id, _0, _0, _0, _0, _0), ( _0, _0, _0, _Id, _Sr(3), _0, _0, _0), - ( _0, _0, _0, _0, _Id, _Sr(3), _M3, _0), + ( _0, _0, _0, _0, _Id, _Sr(3), _M6, _0), ( _0, _0, _0, _0, _0, _Id, _Sl(3), _0), ( _0, _0, _0, _Sl(2), _0, _0, _Id, _Sl(3)), ( _0, _0, _0, _0, _Sl(2), _0, _0, _Id), @@ -109,8 +132,8 @@ MR2 = ( MR3 = ( ( _0, _0, _0, _Id, _Sr(3), _0, _0, _0), - ( _0, _0, _0, _0, _Id, _Sr(3), _M3, _0), - ( _0, _0, _0, _M4, _0, _Id, _M1, _M3), + ( _0, _0, _0, _0, _Id, _Sr(3), _M6, _0), + ( _0, _0, _0, _M7, _0, _Id, _M1, _M6), ( _0, _0, _0, _Sl(2), _0, _0, _Id, _Sl(3)), (_Sl(3), _0, _0, _0, _Sl(2), _0, _0, _Id), ( _Id, _0, _0, _0, _0, _Sl(2), _Sl(5), _0), @@ -138,9 +161,8 @@ ALPHAS = ( _multiplication(M), _multiplication(M2), _multiplication(M3), + _multiplication(M4), _multiplication(MR, reverse=False), _multiplication(MR2, reverse=False), _multiplication(MR3, reverse=False) ) - -ALPHAS = ALPHAS[:3] + (lambda x: ALPHAS[1](ALPHAS[1](x)),) + ALPHAS[3:] -- cgit v1.2.3 From 43966ffe8601c8c180c9e68e30f30fc1a1fb7f6d Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Thu, 4 Jul 2019 14:30:14 +0200 Subject: Résumé des modifications dans l'implémentation de référence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.txt | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) 
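Review bot: `M4` is a hand-transcribed 8×8 table of per-byte operations, and nothing in the commit checks it against the four-fold application of `M` that the previous commit's `lambda` encoded, so a single wrong entry would go unnoticed until the C vectors disagree. Because every entry is GF(2)-linear, `m = _multiplication(M); assert all(_multiplication(M4)(x) == m(m(m(m(x)))) for x in unit_lanes)` over the 64 single-bit lanes (8 byte positions × 8 bit positions) is an exhaustive equality test and belongs in the Python test suite run by `test/python.sh`; the lane representation is presumably a list of 8 ints, as the former `list` identity entry suggests — confirm before writing `unit_lanes`. The same oracle can be pointed at the two C `_multiply_M4` variants to catch transcription errors on either side.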
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index d836ba6..e983aed 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,7 +1,39 @@ v1.1 ==== -TODO +ref +--- + +### Fixes + +These modifications change the algorithm's output. + +- Change alpha coefficients in tweakey schedule to ensure lane 0 is updated between each round: + - lane 0: Id => M + - lane 1: M => M^2 + - lane 2: M^2 => M^3 + - lane 3: M^3 => M^4 + - lane 4: M_R (unchanged) + - lane 5: M_R^2 (unchanged) + - lane 6: M_R^3 (unchanged) + (multiplications.h, tweakey.c) + +### Cleanups + +These modifications are structural and/or stylistic and do not change the algorithm's ouptut. + +- Introduce helper function copy_block_index() to make tweak-building functions more legible. + (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c) + +- Initialize ΘCB3 tweak with nonce instead of copying the latter into the latter repeatedly. + (lilliput-i.c) + +- Re-write _nonlinear_layer() and _linear_layer() functions to better resemble the specification. + (cipher.c) + +- Extract tweakey multiplications into their own header file, so that other implementations can make more targeted changes. + (constants.h, multiplications.h, tweakey.c) + v1.0 ==== -- cgit v1.2.3 From 44a1b4f33efcdab910410303244f83199f1ef2a7 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Thu, 4 Jul 2019 14:33:55 +0200 Subject: Ajout de squelettes pour les changelogs des autres implémentations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.txt | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index e983aed..9ab7d75 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -34,6 +34,26 @@ These modifications are structural and/or stylistic and do not change the algori - Extract tweakey multiplications into their own header file, so that other implementations can make more targeted changes. (constants.h, multiplications.h, tweakey.c) +add_threshold +------------- + +TODO + +add_tweakeyloop +--------------- + +TODO + +add_python +---------- + +TODO + +add_vhdl +-------- + +TODO + v1.0 ==== -- cgit v1.2.3 From c670bbe78ea9bc18c9772ba5804f610937560d5f Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Thu, 4 Jul 2019 15:05:41 +0200 Subject: Résumé des modifications dans les implémentations C et Python MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.txt | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 9ab7d75..cc38a27 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -37,17 +37,36 @@ These modifications are structural and/or stylistic and do not change the algori add_threshold ------------- -TODO +### Fixes + +See reference implementation. + +### Cleanups + +See reference implementation. Further cleanups: + +- Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt(). + (cipher.c) + +- Add constant macros KEY_LANES_NB and TWEAK_LANES_NB to make tweakey schedule code more legible. + (tweakey.c) add_tweakeyloop --------------- -TODO +See reference implementation. add_python ---------- -TODO +### Fixes + +See reference implementation. + +### Cleanups + +- Re-write tweakey multiplications to better resemble the specification. + (multiplications.py) add_vhdl -------- -- cgit v1.2.3 From b29cc9d5f7bf458fb499ed6ab7c409310287397a Mon Sep 17 00:00:00 2001 
From: Kévin Le Gouguec Date: Fri, 5 Jul 2019 09:48:32 +0200 Subject: Utilisation de "size_t" pour l'indexation d'un tableau MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cf. ef17fe7, surtout par souci d'homogénéité. --- CHANGELOG.txt | 6 +++--- src/add_felicsref/cipher.c | 4 ++-- src/ref/cipher.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index cc38a27..eb074ad 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -34,6 +34,9 @@ These modifications are structural and/or stylistic and do not change the algori - Extract tweakey multiplications into their own header file, so that other implementations can make more targeted changes. (constants.h, multiplications.h, tweakey.c) +- Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt(). + (cipher.c) + add_threshold ------------- @@ -45,9 +48,6 @@ See reference implementation. See reference implementation. Further cleanups: -- Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt(). - (cipher.c) - - Add constant macros KEY_LANES_NB and TWEAK_LANES_NB to make tweakey schedule code more legible. (tweakey.c) diff --git a/src/add_felicsref/cipher.c b/src/add_felicsref/cipher.c index 7de0a08..59bc5d8 100644 --- a/src/add_felicsref/cipher.c +++ b/src/add_felicsref/cipher.c @@ -150,7 +150,7 @@ void lilliput_tbc_encrypt( uint8_t RTK[ROUND_TWEAKEY_BYTES]; tweakey_state_init(TK, key, tweak); - for (unsigned i=0; i Date: Fri, 5 Jul 2019 10:12:03 +0200 Subject: Simplification du format du changelog --- CHANGELOG.txt | 51 +++++++++++++++++++++------------------------------ 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index eb074ad..f793279 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -1,26 +1,16 @@ -v1.1 -==== - -ref ---- +This document summarizes the modifications brought by each version. Some modifications are tagged as follows: -### Fixes +- [spec] when the modification is brought by a new revision of the specification, +- [break] when the modification changes the implementation's output. -These modifications change the algorithm's output. +A modification that has no tag corresponds to stylistic and/or structural changes that have no impact on test vectors. -- Change alpha coefficients in tweakey schedule to ensure lane 0 is updated between each round: - - lane 0: Id => M - - lane 1: M => M^2 - - lane 2: M^2 => M^3 - - lane 3: M^3 => M^4 - - lane 4: M_R (unchanged) - - lane 5: M_R^2 (unchanged) - - lane 6: M_R^3 (unchanged) - (multiplications.h, tweakey.c) -### Cleanups +v1.1 +==== -These modifications are structural and/or stylistic and do not change the algorithm's ouptut. +ref +--- - Introduce helper function copy_block_index() to make tweak-building functions more legible. (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c) @@ -37,16 +27,21 @@ These modifications are structural and/or stylistic and do not change the algori - Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt(). (cipher.c) +[spec][break] +- Change alpha coefficients in tweakey schedule to ensure lane 0 is updated between each round: + - lane 0: Id => M + - lane 1: M => M^2 + - lane 2: M^2 => M^3 + - lane 3: M^3 => M^4 + - lane 4: M_R (unchanged) + - lane 5: M_R^2 (unchanged) + - lane 6: M_R^3 (unchanged) + (multiplications.h, tweakey.c) + add_threshold ------------- -### Fixes - -See reference implementation. - -### Cleanups - -See reference implementation. Further cleanups: +See reference implementation. Further changes: - Add constant macros KEY_LANES_NB and TWEAK_LANES_NB to make tweakey schedule code more legible. (tweakey.c) 
@@ -59,11 +54,7 @@ See reference implementation. add_python ---------- -### Fixes - -See reference implementation. - -### Cleanups +See [spec] and [break] changes in reference implementation. Further changes: - Re-write tweakey multiplications to better resemble the specification. (multiplications.py) -- cgit v1.2.3 From a38039473fc57e1b31d0e321808ecf9ee19bb7e1 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Fri, 5 Jul 2019 10:17:26 +0200 Subject: Résumé des modifications sur felicsref MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index f793279..3a6348e 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -38,6 +38,17 @@ ref - lane 6: M_R^3 (unchanged) (multiplications.h, tweakey.c) +add_felicsref +------------- + +See reference implementation. Further changes: + +- Introduce helper function _multiply() to reduce code duplication. + (tweakey.c) + +- Compute round-tweakeys on the fly to save on RAM, instead of storing all pre-computed round-tweakeys. + (cipher.c) + add_threshold ------------- -- cgit v1.2.3 From 905416c5b9834d776683bb56ab305baa652028d4 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Fri, 5 Jul 2019 10:24:12 +0200 Subject: Correction du patch de traces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cassé par b29cc9d. Léger ajustement du Makefile pour que les plantages soient plus simples à comprendre. --- Makefile | 2 +- traces/traces-tbc.patch | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 2b9e4e0..00d6f66 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ test: $(test_variants) traces: traces-ae traces-tbc traces-%: | results - @ echo "Collecting traces" + @ echo "Collecting $@" @ ./traces/collect-traces.sh $@ nist: 
diff --git a/traces/traces-tbc.patch b/traces/traces-tbc.patch index f03cdfc..ff36123 100644 --- a/traces/traces-tbc.patch +++ b/traces/traces-tbc.patch @@ -1,5 +1,5 @@ diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c -index 8ebbbc3..c622374 100644 +index 07405e1..0997cac 100644 --- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c +++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c @@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ @@ -98,9 +98,9 @@ index 8ebbbc3..c622374 100644 + fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS); + - for (uint8_t i=0; i Date: Fri, 5 Jul 2019 10:32:33 +0200 Subject: Correction du patch de traces *pour l'implémentation threshold* MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤦 --- traces/add_threshold/traces-tbc.patch | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/traces/add_threshold/traces-tbc.patch b/traces/add_threshold/traces-tbc.patch index f1d897d..ac239fa 100644 --- a/traces/add_threshold/traces-tbc.patch +++ b/traces/add_threshold/traces-tbc.patch @@ -240,7 +240,7 @@ index a966a8e..8d5f2cc 100644 + out[i] = i; } diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/add_threshold/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/add_threshold/tweakey.c -index e228a69..b1aadc6 100644 +index 7822564..e1abbb6 100644 --- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/add_threshold/tweakey.c +++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/add_threshold/tweakey.c @@ -20,6 +20,8 @@ This file provides a first-order threshold implementation of Lilliput-TBC's @@ -252,7 +252,7 @@ index e228a69..b1aadc6 100644 #include #include -@@ -42,6 +44,7 @@ void tweakey_state_init( +@@ -43,6 +45,7 @@ void tweakey_state_init( { uint8_t SHARES_0[KEY_BYTES]; randombytes(sizeof(SHARES_0), SHARES_0); 
@@ -260,7 +260,7 @@ index e228a69..b1aadc6 100644 memcpy(TK_Y, SHARES_0, KEY_BYTES); memcpy(TK_X, tweak, TWEAK_BYTES); -@@ -67,10 +70,16 @@ void tweakey_state_extract( +@@ -68,20 +71,32 @@ void tweakey_state_extract( { const uint8_t *TKj_X = TK_X + j*LANE_BYTES; @@ -276,8 +276,7 @@ index e228a69..b1aadc6 100644 + debug_dump_buffer("=> RTK_X", ROUND_TWEAKEY_BYTES, round_tweakey_X, 12); } - -@@ -78,10 +87,16 @@ void tweakey_state_extract( + for (size_t j=0; j Date: Fri, 5 Jul 2019 10:34:16 +0200 Subject: Ajout d'un script de vérification plus exhaustif MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- test/check-all.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100755 test/check-all.sh diff --git a/test/check-all.sh b/test/check-all.sh new file mode 100755 index 0000000..e59b98c --- /dev/null +++ b/test/check-all.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +set -eux + +run () +{ + make clean + "$@" +} + +add_implems=(src/add_felicsref src/add_tweakeyloop src/add_threshold) + +for implem in ref ${add_implems[@]} +do + run make test IMPLEMENTATION=$(basename $implem) +done + +run make traces +run make traces IMPLEMENTATION=add_threshold + +for implem in ${add_implems[@]} +do + run ./test/check-implementation.sh $(basename $implem) +done + +run make nist +./test/python.sh -- cgit v1.2.3 From 3d4608aac686498fa6a84f71dee05dadfd057dc9 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Fri, 5 Jul 2019 11:07:41 +0200 Subject: Renommage de la version initiale en "v1" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Une traduction automatique de la version en nom de dossier crypto_aead transformerait v1.0 en v10, or 1. nos dossiers s'appelaient v1 2. un jour on aura peut-être une version 10 (Le schéma de nommage crypto_aead ouvre la porte a pas mal d'ambiguïtés, de toute façon…) --- CHANGELOG.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
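Review bot: The new script expands its array and command substitutions unquoted — `for implem in ref ${add_implems[@]}` and `run make test IMPLEMENTATION=$(basename $implem)` — so a path containing whitespace or glob characters would be split or expanded before `make` sees it; quoting them as `"${add_implems[@]}"` and `"$(basename "$implem")"` in both loops costs nothing and matches the `"$@"` already used inside `run`. The final `./test/python.sh` is the only step not routed through `run`, so it is the one check that does not get a preceding `make clean`; if that is deliberate, a one-line comment above it saying so would save the next reader from wondering.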
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 3a6348e..5a15c61 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -76,7 +76,7 @@ add_vhdl TODO -v1.0 -==== +v1 +== Initial release to round 1 of the LWC standardization process. -- cgit v1.2.3 From 390b7a8ac7c14f73bf216561416f444109f24ec4 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Wed, 12 Jun 2019 17:34:41 +0200 Subject: Changement de la concaténation des chaînes de bits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit L'implémentation précédente n'était pas cohérente. Étant données deux chaînes X et Y de longueur x et y, et Z=X∥Y de longueur z=x+y, - pad10* et la construction des tweaks fonctionnaient selon la logique "indices faibles = LSB", donc Z[0] = Y[0] Z[z-1] = X[x-1] - le découpage de M, C et A en blocs fonctionnait selon la logique "indices faibles = premiers blocs", donc Z[0] = X[0] Z[z-1] = Y[y-1] En conséquence, la façon dont M, C et A étaient paddés n'avait aucun sens, e.g. pour un message M de taille 35, pad10*(M*) donnait : { M[34], M[33], M[32], 0b10000000, 0, … } Les deux seules façons logiques de padder M* sont { M[32], M[33], M[34], 0b10000000, 0, … } ou { M[2], M[1], M[0], 0b10000000, 0, … } Après revue d'autres implémentations de ΘCB3 et SCT-2, j'ai choisi de suivre la convention MSB. En conséquence, quand la spécification dit Z = X∥Y L'implémentation traduira : Z[] = { X[0], … X[x-1], Y[0], … Y[y-1] } Dans la même logique, les compteurs de blocs seront insérés MSB d'abord et paddés en conséquence, e.g. j=0x01020304 ≡ J[] = { 0, …, 0x01, 0x02, 0x03, 0x04 } --- src/ref/lilliput-ae-utils.h | 62 ++++++++++++++++++++--------------------- src/ref/lilliput-i.c | 67 +++++++++++++++++++++++++-------------------- src/ref/lilliput-ii.c | 40 +++++++++++++-------------- 3 files changed, 87 insertions(+), 82 deletions(-) diff --git a/src/ref/lilliput-ae-utils.h b/src/ref/lilliput-ae-utils.h index 0efb776..a66b75c 100644 --- a/src/ref/lilliput-ae-utils.h 
+++ b/src/ref/lilliput-ae-utils.h @@ -28,16 +28,6 @@ This file provides functions used by both authenticated encryption modes. #include "constants.h" -static inline uint8_t upper_nibble(uint8_t i) -{ - return i >> 4; -} - -static inline uint8_t lower_nibble(uint8_t i) -{ - return i & 0x0f; -} - static inline void encrypt(const uint8_t K[KEY_BYTES], const uint8_t T[TWEAK_BYTES], const uint8_t M[BLOCK_BYTES], @@ -68,35 +58,41 @@ static inline void xor_arrays(size_t len, uint8_t out[len], const uint8_t a[len] static inline void pad10(size_t X_len, const uint8_t X[X_len], uint8_t padded[BLOCK_BYTES]) { - /* pad10*(X) = X || 1 || 0^{n-|X|-1} */ - - /* For example, with uint8_t X[3] = { [0]=0x01, [1]=0x02, [2]=0x03 } + /* Assuming 0 < |X| < n: + * + * pad10*(X) = X || 1 || 0^{n-|X|-1} + * + * For example, with uint8_t X[3] = { [0]=0x01, [1]=0x02, [2]=0x03 } * * pad10*(X) = - * X[2] X[1] X[0] 1 0* - * 00000011 00000010 00000001 1 0000000 00000000... + * X[0] X[1] X[2] 1 0* + * 00000001 00000010 00000011 1 0000000 00000000... * - * - padded[0, 11]: zeroes - * - padded[12]: 10000000 - * - padded[13, 15]: X[0, 2] + * - padded[0, 2]: X[0, 2] + * - padded[3]: 10000000 + * - padded[4, 15]: zeroes */ - /* Assume that X_len> 8*i & 0xff; + dest[i] = index >> 8*(s-1-i); } } @@ -108,17 +104,17 @@ static inline void fill_index_tweak( { /* With an s-bit block index, the t-bit tweak is filled as follows: * - * - bits [ 1, t-4]: block index - * [ 1, s]: actual block index - * [s+1, t-4]: 0-padding - * - bits [t-3, t]: 4-bit prefix + * [ 1, 4]: 4-bit prefix + * [ 5, t]: block index + * [ 5, t-s]: 0-padding + * [t-s+1, t]: actual block index, from MSB to LSB */ - copy_block_index(block_index, tweak); + tweak[0] = prefix<<4; /* Assume padding bytes have already been set to 0. */ - tweak[TWEAK_BYTES-1] |= prefix << 4; + copy_block_index(block_index, tweak); } static void process_associated_data( diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c index 6f869c3..fb06237 100644 
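Review bot: `fill_index_tweak` now writes `tweak[0] = prefix<<4` unconditionally and then relies on the inline remark `Assume padding bytes have already been set to 0` for every byte between the prefix byte and the ones `copy_block_index` fills, but that precondition is only visible inside the body of a `static inline` helper this header exposes to both AE modes. Move it into a header comment above the signature, e.g. `/* Precondition: tweak[1 .. TWEAK_BYTES-1] are zero on entry; this only writes the prefix nibble and the block-index bytes. */`, so callers can see the contract without reading the body. The function's signature and opening brace are outside the hunk.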
--- a/src/ref/lilliput-i.c +++ b/src/ref/lilliput-i.c @@ -32,58 +32,67 @@ static const uint8_t _0n[BLOCK_BYTES] = { }; +static uint8_t _upper_nibble(uint8_t i) +{ + return i >> 4; +} + +static uint8_t _lower_nibble(uint8_t i) +{ + return i & 0x0f; +} + static void _init_msg_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES]) { /* With an s-bit block index, the t-bit tweak is filled as follows: * - * - bits [ 1, t-|N|-4]: block index - * [ 1, s]: actual block index - * [ s+1, t-|N|-4]: 0-padding - * - bits [t-|N|-3, t-4]: nonce - * - bits [ t-3, t]: 4-bit prefix + * [ 1, 4]: 4-bit prefix + * [ 5, |N|+4]: nonce + * [ |N|+5, t]: block index + * [|N|+5, t-s]: 0-padding + * [t-s+1, t]: actual block index, from MSB to LSB * - * This function sets bits s+1 to t-4 once and for all. + * This function sets bits 5 to t-s once and for all. */ - size_t N_start = TWEAK_BYTES - NONCE_BYTES - 1; - - for (size_t i=sizeof(size_t); i Date: Thu, 13 Jun 2019 15:16:19 +0200 Subject: Adaptation des tests et des traces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - mise à jour des vecteurs de test i-128/test-ae-*crypt - affichage des tableaux d'octets par indices croissants --- test/debug.h | 24 ++++++++++-------------- test/i-128/test-ae-decrypt.c | 42 +++++++++++++++++++++--------------------- test/i-128/test-ae-encrypt.c | 42 +++++++++++++++++++++--------------------- test/i-128/traces-ae.c | 4 ++-- test/i-192/traces-ae.c | 4 ++-- test/i-256/traces-ae.c | 4 ++-- test/ii-128/traces-ae.c | 4 ++-- test/ii-192/traces-ae.c | 4 ++-- test/ii-256/traces-ae.c | 4 ++-- 9 files changed, 64 insertions(+), 68 deletions(-) diff --git a/test/debug.h b/test/debug.h index 24b7787..d958475 100644 --- a/test/debug.h +++ b/test/debug.h 
@@ -17,9 +17,7 @@ static inline void debug_dump_lanes(const char *header, size_t len, const uint8_ fprintf(DUMP, "%*s", indent, ""); for (size_t b=0; b<8; b++) { - /* start with MSB */ - size_t byte_index = len-(1+line*8+b); - fprintf(DUMP, "%*s%02x", 5, "", buf[byte_index]); + fprintf(DUMP, "%*s%02x", 5, "", buf[line*8+b]); } fprintf(DUMP, "\n"); } @@ -30,26 +28,24 @@ static inline void debug_dump_buffer(const char *header, size_t len, const uint8 { fprintf(DUMP, "%*s%s\n", indent, "", header); - if (len%8 != 0) + for (size_t line=0; line %zu]", line, b, line*8+b); */ + fprintf(DUMP, "%02x ", buf[line*8+b]); } fprintf(DUMP, "\n"); } - for (size_t line=0; line %zu]", line, b, byte_index); */ - fprintf(DUMP, "%02x ", buf[byte_index]); + fprintf(DUMP, "%02x ", buf[len-rest+b]); } fprintf(DUMP, "\n"); } diff --git a/test/i-128/test-ae-decrypt.c b/test/i-128/test-ae-decrypt.c index 0a5934a..812eda2 100644 --- a/test/i-128/test-ae-decrypt.c +++ b/test/i-128/test-ae-decrypt.c 
@@ -47,18 +47,18 @@ const vector VECTORS[] = {
 },
 .ciphertext_len = 64,
 .ciphertext = (uint8_t[]) {
- 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f,
- 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d,
- 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f,
- 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec,
- 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c,
- 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2,
- 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97,
- 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80
+ 0xa2, 0xd5, 0xa6, 0x38, 0xca, 0xcf, 0xce, 0x90,
+ 0xaf, 0xc3, 0xb8, 0x99, 0x36, 0xba, 0xf1, 0x12,
+ 0x94, 0x13, 0x87, 0xb8, 0x7e, 0x6c, 0x07, 0x48,
+ 0x25, 0x25, 0x66, 0xd8, 0xa4, 0x05, 0xc9, 0xd3,
+ 0xc0, 0xaa, 0x27, 0xc6, 0xa6, 0x67, 0x53, 0x8f,
+ 0xcc, 0xd9, 0xd3, 0xdb, 0xf5, 0xdc, 0xad, 0xa0,
+ 0x4b, 0x3e, 0x9a, 0xfb, 0x7c, 0xe9, 0x17, 0x9c,
+ 0xb8, 0x17, 0x13, 0x9f, 0x32, 0x70, 0x5c, 0x62
 },
 .tag = {
- 0x47, 0x5b, 0x2c, 0x0e, 0x5f, 0xcf, 0x6f, 0xc0,
- 0xab, 0x3c, 0x24, 0xc1, 0x66, 0x88, 0x83, 0x38
+ 0x04, 0xaa, 0xc8, 0x19, 0x32, 0x70, 0x32, 0x24,
+ 0xe8, 0x27, 0xb7, 0xab, 0xec, 0xd8, 0x2f, 0x6c
 },
 .message = (uint8_t[]) {
 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
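Review bot: The replaced ciphertext and tag values carry no indication of how they were produced, so a known-answer vector that is regenerated in the same commit as the implementation it exercises only pins self-consistency; nothing in the hunk shows a cross-check against the Python implementation under src/add_python or against the specification's values. A one-line comment above `VECTORS[]` such as `/* Generated with <TOOL-OR-COMMIT>; cross-checked against src/add_python */` (with the placeholder filled in) would make future regenerations auditable. The same applies to the encrypt vectors and to the 66-byte cases in the following hunks.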
@@ -95,19 +95,19 @@ const vector VECTORS[] = {
 },
 .ciphertext_len = 66,
 .ciphertext = (uint8_t[]) {
- 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f,
- 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d,
- 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f,
- 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec,
- 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c,
- 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2,
- 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97,
- 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80,
- 0x27, 0x3f
+ 0xa2, 0xd5, 0xa6, 0x38, 0xca, 0xcf, 0xce, 0x90,
+ 0xaf, 0xc3, 0xb8, 0x99, 0x36, 0xba, 0xf1, 0x12,
+ 0x94, 0x13, 0x87, 0xb8, 0x7e, 0x6c, 0x07, 0x48,
+ 0x25, 0x25, 0x66, 0xd8, 0xa4, 0x05, 0xc9, 0xd3,
+ 0xc0, 0xaa, 0x27, 0xc6, 0xa6, 0x67, 0x53, 0x8f,
+ 0xcc, 0xd9, 0xd3, 0xdb, 0xf5, 0xdc, 0xad, 0xa0,
+ 0x4b, 0x3e, 0x9a, 0xfb, 0x7c, 0xe9, 0x17, 0x9c,
+ 0xb8, 0x17, 0x13, 0x9f, 0x32, 0x70, 0x5c, 0x62,
+ 0x88, 0x5a
 },
 .tag = {
- 0xd4, 0xef, 0x1f, 0x11, 0x81, 0x90, 0xbe, 0xfd,
- 0x1e, 0xa7, 0x32, 0xbe, 0x63, 0xe2, 0x18, 0x90
+ 0x64, 0xa2, 0x24, 0x03, 0xc5, 0x79, 0x4f, 0xec,
+ 0xe7, 0x7d, 0xc1, 0xf6, 0xc9, 0xc6, 0x77, 0x2c
 },
 .message = (uint8_t[]) {
 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
diff --git a/test/i-128/test-ae-encrypt.c b/test/i-128/test-ae-encrypt.c
index 06f3b88..09fbb32 100644
--- a/test/i-128/test-ae-encrypt.c
+++ b/test/i-128/test-ae-encrypt.c
@@ -57,18 +57,18 @@ const vector VECTORS[] = {
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
 },
 .ciphertext = (uint8_t[]) {
- 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f,
- 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d,
- 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f,
- 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec,
- 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c,
- 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2,
- 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97,
- 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80
+ 0xa2, 0xd5, 0xa6, 0x38, 0xca, 0xcf, 0xce, 0x90,
+ 0xaf, 0xc3, 0xb8, 0x99, 0x36, 0xba, 0xf1, 0x12,
+ 0x94, 0x13, 0x87, 0xb8, 0x7e, 0x6c, 0x07, 0x48,
+ 0x25, 0x25, 0x66, 0xd8, 0xa4, 0x05, 0xc9, 0xd3,
+ 0xc0, 0xaa, 0x27, 0xc6, 0xa6, 0x67, 0x53, 0x8f,
+ 0xcc, 0xd9, 0xd3, 0xdb, 0xf5, 0xdc, 0xad, 0xa0,
+ 0x4b, 0x3e, 0x9a, 0xfb, 0x7c, 0xe9, 0x17, 0x9c,
+ 0xb8, 0x17, 0x13, 0x9f, 0x32, 0x70, 0x5c, 0x62
 },
 .tag = {
- 0x47, 0x5b, 0x2c, 0x0e, 0x5f, 0xcf, 0x6f, 0xc0,
- 0xab, 0x3c, 0x24, 0xc1, 0x66, 0x88, 0x83, 0x38
+ 0x04, 0xaa, 0xc8, 0x19, 0x32, 0x70, 0x32, 0x24,
+ 0xe8, 0x27, 0xb7, 0xab, 0xec, 0xd8, 0x2f, 0x6c
 }
 },
 {
@@ -106,19 +106,19 @@ const vector VECTORS[] = {
 0x40, 0x01
 },
 .ciphertext = (uint8_t[]) {
- 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f,
- 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d,
- 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f,
- 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec,
- 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c,
- 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2,
- 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97,
- 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80,
- 0x27, 0x3f
+ 0xa2, 0xd5, 0xa6, 0x38, 0xca, 0xcf, 0xce, 0x90,
+ 0xaf, 0xc3, 0xb8, 0x99, 0x36, 0xba, 0xf1, 0x12,
+ 0x94, 0x13, 0x87, 0xb8, 0x7e, 0x6c, 0x07, 0x48,
+ 0x25, 0x25, 0x66, 0xd8, 0xa4, 0x05, 0xc9, 0xd3,
+ 0xc0, 0xaa, 0x27, 0xc6, 0xa6, 0x67, 0x53, 0x8f,
+ 0xcc, 0xd9, 0xd3, 0xdb, 0xf5, 0xdc, 0xad, 0xa0,
+ 0x4b, 0x3e, 0x9a, 0xfb, 0x7c, 0xe9, 0x17, 0x9c,
+ 0xb8, 0x17, 0x13, 0x9f, 0x32, 0x70, 0x5c, 0x62,
+ 0x88, 0x5a
 },
 .tag = {
- 0xd4, 0xef, 0x1f, 0x11, 0x81, 0x90, 0xbe, 0xfd,
- 0x1e, 0xa7, 0x32, 0xbe, 0x63, 0xe2, 0x18, 0x90
+ 0x64, 0xa2, 0x24, 0x03, 0xc5, 0x79, 0x4f, 0xec,
+ 0xe7, 0x7d, 0xc1, 0xf6, 0xc9, 0xc6, 0x77, 0x2c
 }
 }
 };
diff --git a/test/i-128/traces-ae.c b/test/i-128/traces-ae.c
index 441ae37..a22260d 100644
--- a/test/i-128/traces-ae.c
+++ b/test/i-128/traces-ae.c
@@ -78,7 +78,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 },
 .message_len = 66,
 .message = (uint8_t[]) {
@@ -90,7 +90,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 }
 }
 };
diff --git a/test/i-192/traces-ae.c b/test/i-192/traces-ae.c
index 6448928..328204a 100644
--- a/test/i-192/traces-ae.c
+++ b/test/i-192/traces-ae.c
@@ -80,7 +80,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 },
 .message_len = 66,
 .message = (uint8_t[]) {
@@ -92,7 +92,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 }
 }
 };
diff --git a/test/i-256/traces-ae.c b/test/i-256/traces-ae.c
index 946518e..9b75273 100644
--- a/test/i-256/traces-ae.c
+++ b/test/i-256/traces-ae.c
@@ -82,7 +82,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 },
 .message_len = 66,
 .message = (uint8_t[]) {
@@ -94,7 +94,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 }
 }
 };
diff --git a/test/ii-128/traces-ae.c b/test/ii-128/traces-ae.c
index 441ae37..a22260d 100644
--- a/test/ii-128/traces-ae.c
+++ b/test/ii-128/traces-ae.c
@@ -78,7 +78,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 },
 .message_len = 66,
 .message = (uint8_t[]) {
@@ -90,7 +90,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 }
 }
 };
diff --git a/test/ii-192/traces-ae.c b/test/ii-192/traces-ae.c
index 6448928..328204a 100644
--- a/test/ii-192/traces-ae.c
+++ b/test/ii-192/traces-ae.c
@@ -80,7 +80,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 },
 .message_len = 66,
 .message = (uint8_t[]) {
@@ -92,7 +92,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 }
 }
 };
diff --git a/test/ii-256/traces-ae.c b/test/ii-256/traces-ae.c
index 946518e..9b75273 100644
--- a/test/ii-256/traces-ae.c
+++ b/test/ii-256/traces-ae.c
@@ -82,7 +82,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 },
 .message_len = 66,
 .message = (uint8_t[]) {
@@ -94,7 +94,7 @@ const vector VECTORS[] = {
 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x01
+ 0x40, 0x41
 }
 }
 };
-- 
cgit v1.2.3
From 2d6201940ff6cf318ba4117de7c2664643930bd7 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec
Date: Fri, 14 Jun 2019 09:08:43 +0200
Subject: Adaptation de l'implémentation Python
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/add_python/lilliput/ae_common.py | 10 +++++-----
 src/add_python/lilliput/ae_mode_1.py | 25 ++++++++++++-------------
 src/add_python/lilliput/ae_mode_2.py | 32 +++++++++++++++++---------------
 3 files changed, 34 insertions(+), 33 deletions(-)
diff --git a/src/add_python/lilliput/ae_common.py b/src/add_python/lilliput/ae_common.py
index b94be1b..db14ec3 100644
--- a/src/add_python/lilliput/ae_common.py
+++ b/src/add_python/lilliput/ae_common.py
@@ -15,7 +15,7 @@ """Helper functions used in both Lilliput-I and Lilliput-II.""" -from .constants import BLOCK_BITS, BLOCK_BYTES +from .constants import BLOCK_BYTES from .helpers import xor from . import tbc @@ -48,11 +48,11 @@ def block_matrix_to_bytes(matrix): def pad10(X): zeroes = [0] * (BLOCK_BYTES-len(X)-1) - return zeroes + [0b10000000] + X + return X + [0b10000000] + zeroes def integer_to_byte_array(i, n): - return list(i.to_bytes(n, 'little')) + return list(i.to_bytes(n, 'big')) def _tweak_associated_data(t, i, padded): @@ -61,8 +61,8 @@ def _tweak_associated_data(t, i, padded): prefix = 0b0110 if padded else 0b0010 # Clear upper 4 bits and set them to prefix. - tweak[-1] &= 0b00001111 - tweak[-1] = prefix << 4 + tweak[0] &= 0b00001111 + tweak[0] |= prefix << 4 return tweak diff --git a/src/add_python/lilliput/ae_mode_1.py b/src/add_python/lilliput/ae_mode_1.py index 4a40b78..197bf37 100644 --- a/src/add_python/lilliput/ae_mode_1.py +++ b/src/add_python/lilliput/ae_mode_1.py 
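Review bot: `pad10` still has no guard on the length of `X`: when `len(X) >= BLOCK_BYTES` the multiplier in `zeroes = [0] * (BLOCK_BYTES-len(X)-1)` is zero or negative, the list comes out empty, and `X + [0b10000000] + zeroes` silently returns a block longer than BLOCK_BYTES instead of failing. The C counterpart in lilliput-ae-utils.h documents the precondition as 0 < |X| < n; the Python version should enforce it with `assert 0 < len(X) < BLOCK_BYTES` as the first statement of `pad10`, so a caller that forgets the "partial block only" rule fails loudly rather than producing an oversized block that the TBC call downstream may or may not reject.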
@@ -52,27 +52,26 @@ def _lower_nibble(i): return i & 0b00001111 -def _byte_from_nibbles(lower, upper): - return upper<<4 | lower +def _byte(high, low): + return high<<4 ^ low def _tweak_message(N, j, prefix): - # j is encoded on 68 bits; get 72 and clear the upper 4. - j_len = (TWEAK_BITS-NONCE_BITS-4)//8 + 1 - tweak = integer_to_byte_array(j, j_len) - tweak[-1] &= 0b00001111 + tweak = [_byte(prefix.value, _upper_nibble(N[0]))] - # Add nonce. - tweak[-1] |= _lower_nibble(N[0]) << 4 tweak.extend( - _byte_from_nibbles(_upper_nibble(N[i-1]), _lower_nibble(N[i])) + _byte(_lower_nibble(N[i-1]), _upper_nibble(N[i])) for i in range(1, NONCE_BITS//8) ) - # Add last nibble from nonce and prefix. - tweak.append( - _byte_from_nibbles(_upper_nibble(N[-1]), prefix.value) - ) + # j is encoded on 68 bits; get 72 then set the upper 4 to the + # nonce's lower 4. + j_len = (TWEAK_BITS-NONCE_BITS-4)//8 + 1 + j_array = integer_to_byte_array(j, j_len) + j_array[0] &= 0b00001111 + j_array[0] |= _lower_nibble(N[-1]) << 4 + + tweak.extend(j_array) return tweak diff --git a/src/add_python/lilliput/ae_mode_2.py b/src/add_python/lilliput/ae_mode_2.py index 79d1bcd..a55ecb8 100644 --- a/src/add_python/lilliput/ae_mode_2.py +++ b/src/add_python/lilliput/ae_mode_2.py @@ -18,6 +18,8 @@ This module provides the functions for authenticated encryption and decryption using Lilliput-AE's nonce-misuse-resistant mode based on SCT-2. """ +from enum import Enum + from .constants import BLOCK_BYTES from .ae_common import ( bytes_to_block_matrix, 
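Review bot: In `_tweak_message` the block index is silently truncated: `j_array[0] &= 0b00001111` clears the top four bits of the 72-bit encoding, so a `j` at or above 2**68 would not raise but would yield a tweak that collides with a smaller index, and `integer_to_byte_array` only rejects values that do not fit 72 bits. The comment already states that j is encoded on 68 bits, so state the invariant in code with `assert j < 1 << (TWEAK_BITS-NONCE_BITS-4)` before `j_array` is built; it is unreachable at realistic message sizes but costs nothing and documents the limit. `_tweak_tag` in ae_mode_2.py has the same `tweak[0] &= 0b00001111` pattern and would take the same assertion against TWEAK_BITS-4. As a point of style, `_byte(high, low)` joins two nibbles with `^`, where `|` would read as the intended disjoint-bitfield merge.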
@@ -35,22 +37,24 @@ TWEAK_BITS = 128 TWEAK_BYTES = TWEAK_BITS//8 -def _tweak_tag(j, padded): - tweak = integer_to_byte_array(j, TWEAK_BYTES) +class _TagTweak(Enum): + BLOCK = 0b0000 + PAD = 0b0100 - prefix = 0b0100 if padded else 0b0000 + +def _tweak_tag(j, prefix): + tweak = integer_to_byte_array(j, TWEAK_BYTES) # Clear upper 4 bits and set them to prefix. - tweak[-1] &= 0b00001111 - tweak[-1] = prefix << 4 + tweak[0] &= 0b00001111 + tweak[0] |= prefix.value << 4 return tweak def _add_tag_j(tag, j): - array_j = integer_to_byte_array(j, TWEAK_BYTES) - tweak = xor(tag, array_j) - tweak[-1] |= 0b10000000 + tweak = xor(tag, integer_to_byte_array(j, TWEAK_BYTES)) + tweak[0] |= 0b10000000 return tweak @@ -63,18 +67,16 @@ def _message_auth_tag(M, N, Auth, key): M = bytes_to_block_matrix(M) for j in range(0, l): - tweak = _tweak_tag(j, False) + tweak = _tweak_tag(j, _TagTweak.BLOCK) encryption = tbc.encrypt(tweak, key, M[j]) tag = xor(tag, encryption) if need_padding: - tweak = _tweak_tag(l, True) + tweak = _tweak_tag(l, _TagTweak.PAD) encryption = tbc.encrypt(tweak, key, pad10(M[l])) tag = xor(tag, encryption) - tweak = N + [0b00010000] - encryption = tbc.encrypt(tweak, key, tag) - tag = encryption + tag = tbc.encrypt([0b00010000]+N, key, tag) return tag @@ -88,12 +90,12 @@ def _message_encryption(M, N, tag, key): for j in range(0, l): tweak = _add_tag_j(tag, j) - encryption = tbc.encrypt(tweak, key, N+[0b00000000]) + encryption = tbc.encrypt(tweak, key, [0b00000000]+N) C.append(xor(M[j], encryption)) if need_padding: tweak = _add_tag_j(tag, l) - encryption = tbc.encrypt(tweak, key, N+[0b00000000]) + encryption = tbc.encrypt(tweak, key, [0b00000000]+N) C.append(xor(M[l], encryption)) return C -- cgit v1.2.3 From c616151cbfdd3c7b3882c16656b4f8af74d48519 Mon Sep 17 00:00:00 2001 
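Review bot: In `_message_auth_tag` the final tweak is built as the bare literal `[0b00010000]+N`, and in `_message_encryption` the block handed to `tbc.encrypt` is `[0b00000000]+N`; unlike the C side, where `_fill_tag_tweak` in lilliput-ii.c carries a schematic comment, nothing here says what the leading byte encodes. A short comment at the first use, `# Tag tweak: 0001 || 0^4 || N`, and `# Block to encrypt: 0^8 || N` at the second, would let a reader check the layout against the specification without opening the C code. `_tweak_tag` now takes a `_TagTweak` member, while `_tweak_associated_data` in ae_common.py still takes a boolean `padded` and hard-codes its two prefixes; moving that function to the same enum style would keep all prefix nibbles in one auditable place.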
From: Kévin Le Gouguec Date: Thu, 27 Jun 2019 16:36:11 +0200 Subject: Réécriture des commentaires schématiques sur les tweaks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/ref/lilliput-ae-utils.h | 13 ++++++++----- src/ref/lilliput-i.c | 28 ++++++++++++++++------------ src/ref/lilliput-ii.c | 30 ++++++++++++++++++------------ 3 files changed, 42 insertions(+), 29 deletions(-) diff --git a/src/ref/lilliput-ae-utils.h b/src/ref/lilliput-ae-utils.h index a66b75c..19b4623 100644 --- a/src/ref/lilliput-ae-utils.h +++ b/src/ref/lilliput-ae-utils.h @@ -102,12 +102,15 @@ static inline void fill_index_tweak( uint8_t tweak[TWEAK_BYTES] ) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: * - * [ 1, 4]: 4-bit prefix - * [ 5, t]: block index - * [ 5, t-s]: 0-padding - * [t-s+1, t]: actual block index, from MSB to LSB + * 1 4 5 t + * [ prefix || block index ] + * + * The s-bit block index is encoded as follows: + * + * 5 t-s t-s+1 t + * [ zero padding || block index, MSB first ] */ tweak[0] = prefix<<4; diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c index fb06237..3358b10 100644 --- a/src/ref/lilliput-i.c +++ b/src/ref/lilliput-i.c @@ -44,13 +44,15 @@ static uint8_t _lower_nibble(uint8_t i) static void _init_msg_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES]) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: * - * [ 1, 4]: 4-bit prefix - * [ 5, |N|+4]: nonce - * [ |N|+5, t]: block index - * [|N|+5, t-s]: 0-padding - * [t-s+1, t]: actual block index, from MSB to LSB + * 1 4 5 |N|+4 |N|+5 t + * [ prefix || nonce || block index ] + * + * The s-bit block index is encoded as follows: + * + * |N|+5 t-s t-s+1 t + * [ zero padding || block index, MSB first ] * * This function sets bits 5 to t-s once and for all. */ 
@@ -77,13 +79,15 @@ static void _fill_msg_tweak( uint8_t tweak[TWEAK_BYTES] ) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: + * + * 1 4 5 |N|+4 |N|+5 t + * [ prefix || nonce || block index ] + * + * The s-bit block index is encoded as follows: * - * [ 1, 4]: 4-bit prefix - * [ 5, |N|+4]: nonce - * [ |N|+5, t]: block index - * [|N|+5, t-s]: 0-padding - * [t-s+1, t]: actual block index, from MSB to LSB + * |N|+5 t-s t-s+1 t + * [ zero padding || block index, MSB first ] * * This function assumes bits 5 to t-s have already been set, and * only sets bits 1 to 4 and t-s+1 to t. diff --git a/src/ref/lilliput-ii.c b/src/ref/lilliput-ii.c index 9ed17a2..bb43d08 100644 --- a/src/ref/lilliput-ii.c +++ b/src/ref/lilliput-ii.c @@ -28,12 +28,15 @@ This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2. static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES]) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: + * + * 1 2 t + * [ 1 || tag[2,t] XOR block index ] + * + * The s-bit block index is XORed to the tag as follows: * - * 1: 1 - * [ 2, t]: tag[ 2, t] XOR block index - * [ 2, t-s]: tag[ 2, t-s] - * [t-s+1, t]: tag[t-s+1, t] XOR block index + * 2 t-s t-s+1 t + * [ tag[2, t-s] || tag[t-s+1, t] XOR block index, MSB first ] * * This function sets bits 1 to t-s once and for all. */ 
@@ -44,12 +47,15 @@ static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BY static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], size_t block_index, uint8_t tweak[TWEAK_BYTES]) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: + * + * 1 2 t + * [ 1 || tag[2,t] XOR block index ] + * + * The s-bit block index is XORed to the tag as follows: * - * 1: 1 - * [ 2, t]: tag + block index - * [ 2, t-s]: tag[ 2, t-s] - * [t-s+1, t]: tag[t-s+1, t] XOR block index + * 2 t-s t-s+1 t + * [ tag[2, t-s] || tag[t-s+1, t] XOR block index, MSB first ] * * This function assumes bits 1 to t-s have already been set, and * only sets bits t-s+1 to t. @@ -67,8 +73,8 @@ static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BY { /* The t-bit tweak is filled as follows: * - * [ 1, 8]: 0001||0^4 - * [t-|N|+1, t]: N + * 1 4 5 8 t-|N|+1 t + * [ 0001 || 0^4 || nonce ] */ tweak[0] = 0x10; -- cgit v1.2.3 From 6539c825b51dcb1bf5181e5aba91cdc41ff0850f Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Thu, 4 Jul 2019 17:24:52 +0200 Subject: Ajout d'indices dans les traces --- test/debug.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/debug.h b/test/debug.h index d958475..56cd123 100644 --- a/test/debug.h +++ b/test/debug.h @@ -30,7 +30,7 @@ static inline void debug_dump_buffer(const char *header, size_t len, const uint8 for (size_t line=0; line %zu]", line, b, line*8+b); */ @@ -42,7 +42,7 @@ static inline void debug_dump_buffer(const char *header, size_t len, const uint8 size_t rest = len%8; if (rest != 0) { - fprintf(DUMP, "%*s", indent, ""); + fprintf(DUMP, "%*s[0x%02zx] ", indent, "", len-rest); for (size_t b=0; b Date: Fri, 5 Jul 2019 11:06:43 +0200 Subject: Ajout d'une explication dans le changelog --- CHANGELOG.txt | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 5a15c61..2e92008 100644 
--- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -38,6 +38,25 @@ ref - lane 6: M_R^3 (unchanged) (multiplications.h, tweakey.c) +[break] +- Make byte string concatenation more consistent in AE modes: + + - v1 mixed two interpretations of concatenation: + 1. M_0 || M_1 was interpreted as { M[0], ... M[15] } || { M[16], ... M[31] }, + 2. pad(10*) and tweak-building functions interpreted X||Y as { Y[0], ... Y[ylen-1] } || { X[0], ... X[xlen-1] }. + + This was potentially confusing, and also led to inefficient hardware implementations. E.g. a message M of length 34 bytes was padded as follows: + + M_0 M_1 pad10*(M_*) + { M[0], ... M[15] } || { M[16], ... M[31] } || { 0, ... 0, 0x80, M[32], M[33] } + + - v1.1 sticks to the first interpretation. The same message M is now padded as follows: + + M_0 M_1 pad10*(M_*) + { M[0], ... M[15] } || { M[16], ... M[31] } || { M[32], M[33], 0x80, 0, ... 0 } + + (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c) + add_felicsref ------------- -- cgit v1.2.3