From db2c7ed005cd201d708b43fd5babb626b9819e31 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Mon, 26 Nov 2018 14:21:01 +0100
Subject: Implémentation du mode ΘCB3 : chiffrement - message - tweak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Et 2-3 corrections au passage :

- taille du tweak dans les commentaires
- remplissage du tweak pour les données associées
- ordre des arguments
---
 crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c | 49 ++++++++++++++++++++----
 1 file changed, 42 insertions(+), 7 deletions(-)

(limited to 'crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c')

diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
index 96b0505..d054880 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
@@ -6,6 +6,16 @@
 #include "lilliput-ae.h"
 
 
+static uint8_t _upper_nibble(uint8_t i)
+{
+    return i >> 4;
+}
+
+static uint8_t _lower_nibble(uint8_t i)
+{
+    return i & 0x0f;
+}
+
 static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
                           const uint8_t tweak[TWEAK_BYTES],
                           const uint8_t message[BLOCK_BYTES],
@@ -40,12 +50,12 @@ static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTE
 
 static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
 {
-    /* The 128-bit tweak is filled as follows:
+    /* The 192-bit tweak is filled as follows:
      *
-     * - bits 127-124: constant 4-bit prefix
-     * - bits 123-0:   block number
-     *     - bits 123-64: 0-padding
-     *     - bits 63-0:   actual 64-bit block number
+     * - bits   1-188: block number
+     *          1- 64: actual 64-bit block number
+     *         65-188: 0-padding
+     * - bits 189-192: constant 4-bit prefix
      */
 
     for (size_t i=0; i<sizeof(block_nb); i++)
@@ -53,10 +63,10 @@ static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEA
         uint64_t mask = (uint64_t)0xff << 8*i;
         uint8_t b = (mask & block_nb) >> 8*i;
 
-        tweak[0] = b;
+        tweak[i] = b;
     }
 
-    /* Assume bytes 8 to 15 have already been memset to 0. */
+    /* Assume padding bytes have already been memset to 0. */
 
     tweak[TWEAK_BYTES-1] ^= prefix << 4;
 }
@@ -64,6 +74,31 @@ static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEA
 static void _fill_msg_tweak(uint8_t prefix, const uint8_t N[NONCE_BYTES],
                             uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
 {
+    /* The 192-bit tweak is filled as follows:
+     *
+     * - bits   1- 68: block number
+     *          1- 64: actual 64-bit block number
+     *         64- 68: 0-padding
+     * - bits  67-188: nonce
+     * - bits 189-192: constant 4-bit prefix
+     */
+
+    for (size_t i=0; i<sizeof(block_nb); i++)
+    {
+        uint64_t mask = (uint64_t)0xff << 8*i;
+        uint8_t b = (mask & block_nb) >> 8*i;
+
+        tweak[i] = b;
+    }
+
+    tweak[sizeof(block_nb)] = _lower_nibble(N[0]) << 4;
+
+    for (size_t i=1; i<NONCE_BYTES-1; i++)
+    {
+        tweak[sizeof(block_nb)+i] = _lower_nibble(N[i]) ^ _upper_nibble(N[i-1]);
+    }
+
+    tweak[TWEAK_BYTES-1] = prefix << 4 ^ _upper_nibble(N[NONCE_BYTES-1]);
 }
 
 static void _process_associated_data(
-- 
cgit v1.2.3