| author | Kévin Le Gouguec <kevin.legouguec@airbus.com> | 2018-11-26 14:21:01 +0100 |
|---|---|---|
| committer | Kévin Le Gouguec <kevin.legouguec@airbus.com> | 2018-11-26 14:21:01 +0100 |
| commit | db2c7ed005cd201d708b43fd5babb626b9819e31 (patch) | |
| tree | 879e8f4fe71f142cb0f7eb7a3a4345476d1af047 /crypto_aead/lilliputaei128v1 | |
| parent | 5a2a9781534370bc3060ae58cc6b89d4a262bfcf (diff) | |
| download | lilliput-ae-implem-db2c7ed005cd201d708b43fd5babb626b9819e31.tar.xz | |
Implémentation du mode ΘCB3 : chiffrement - message - tweak
Et 2-3 corrections au passage :
- taille du tweak dans les commentaires
- remplissage du tweak pour les données associées
- ordre des arguments
Diffstat (limited to 'crypto_aead/lilliputaei128v1')
| -rw-r--r-- | crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c | 49 | ||||
| -rw-r--r-- | crypto_aead/lilliputaei128v1/ref/test/test-ae-roundtrip.c | 4 |
2 files changed, 44 insertions, 9 deletions
diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
index 96b0505..d054880 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
@@ -6,6 +6,16 @@
 #include "lilliput-ae.h"
+static uint8_t _upper_nibble(uint8_t i)
+{
+    return i >> 4;
+}
+
+static uint8_t _lower_nibble(uint8_t i)
+{
+    return i & 0x0f;
+}
+
 static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
                           const uint8_t tweak[TWEAK_BYTES],
                           const uint8_t message[BLOCK_BYTES],
@@ -40,12 +50,12 @@ static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTE
 static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
 {
-    /* The 128-bit tweak is filled as follows:
+    /* The 192-bit tweak is filled as follows:
      *
-     * - bits 127-124: constant 4-bit prefix
-     * - bits 123-0: block number
-     * - bits 123-64: 0-padding
-     * - bits 63-0: actual 64-bit block number
+     * - bits 1-188: block number
+              1- 64: actual 64-bit block number
+             65-188: 0-padding
+     * - bits 189-192: constant 4-bit prefix
      */
     for (size_t i=0; i<sizeof(block_nb); i++)
@@ -53,10 +63,10 @@ static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEA
         uint64_t mask = (uint64_t)0xff << 8*i;
         uint8_t b = (mask & block_nb) >> 8*i;
-        tweak[0] = b;
+        tweak[i] = b;
     }
-    /* Assume bytes 8 to 15 have already been memset to 0. */
+    /* Assume padding bytes have already been memset to 0. */
     tweak[TWEAK_BYTES-1] ^= prefix << 4;
 }
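Review bot: `tweak[TWEAK_BYTES-1] ^= prefix << 4;` still depends on the caller having zeroed every byte after the block number, a precondition the new comment states but the function does not enforce, so a reused or uninitialised tweak buffer would silently carry stale bits into the tweak. Since the function already owns the low bytes it could own the padding too: `memset(tweak + sizeof(block_nb), 0, TWEAK_BYTES - sizeof(block_nb));` followed by `tweak[TWEAK_BYTES-1] = prefix << 4;` (this presumes `<string.h>` is already included, which is outside the hunk). `prefix` is documented as a 4-bit constant but `prefix << 4` is not masked, so a value above 0x0f is truncated without notice; `(prefix & 0x0f) << 4` or an assert would pin that contract. The function's signature and comment are in the previous hunk.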
@@ -64,6 +74,31 @@ static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEA
 static void _fill_msg_tweak(uint8_t prefix, const uint8_t N[NONCE_BYTES], uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
 {
+    /* The 192-bit tweak is filled as follows:
+     *
+     * - bits 1- 68: block number
+              1- 64: actual 64-bit block number
+             64- 68: 0-padding
+     * - bits 67-188: nonce
+     * - bits 189-192: constant 4-bit prefix
+     */
+
+    for (size_t i=0; i<sizeof(block_nb); i++)
+    {
+        uint64_t mask = (uint64_t)0xff << 8*i;
+        uint8_t b = (mask & block_nb) >> 8*i;
+
+        tweak[i] = b;
+    }
+
+    tweak[sizeof(block_nb)] = _lower_nibble(N[0]) << 4;
+
+    for (size_t i=1; i<NONCE_BYTES-1; i++)
+    {
+        tweak[sizeof(block_nb)+i] = _lower_nibble(N[i]) ^ _upper_nibble(N[i-1]);
+    }
+
+    tweak[TWEAK_BYTES-1] = prefix << 4 ^ _upper_nibble(N[NONCE_BYTES-1]);
 }
 static void _process_associated_data(
diff --git a/crypto_aead/lilliputaei128v1/ref/test/test-ae-roundtrip.c b/crypto_aead/lilliputaei128v1/ref/test/test-ae-roundtrip.c
index f1cb24c..4b03efb 100644
--- a/crypto_aead/lilliputaei128v1/ref/test/test-ae-roundtrip.c
+++ b/crypto_aead/lilliputaei128v1/ref/test/test-ae-roundtrip.c
@@ -87,7 +87,7 @@ int main()
         lilliput_ae_encrypt(
             v->message_len, v->message,
             v->auth_len, v->auth,
-            v->nonce, v->key,
+            v->key, v->nonce,
             &ciphertext_len, ciphertext, tag
         );
@@ -97,7 +97,7 @@ int main()
         bool valid = lilliput_ae_decrypt(
             ciphertext_len, ciphertext,
             v->auth_len, v->auth,
-            v->nonce, v->key, tag,
+            v->key, v->nonce, tag,
             &deciphered_len, deciphered
         );
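Review bot: In the second loop of `_fill_msg_tweak`, `_lower_nibble(N[i]) ^ _upper_nibble(N[i-1])` XORs two 4-bit values into a single nibble instead of packing them, so the upper nibble of each of those tweak bytes stays zero and four nonce bits per byte are lost, while the byte before (`_lower_nibble(N[0]) << 4`) and the last byte (`prefix << 4 ^ ...`) do shift; distinct nonces can then map to the same tweak, which defeats the nonce/tweak separation the mode relies on, and the fix is `tweak[sizeof(block_nb)+i] = _lower_nibble(N[i]) << 4 | _upper_nibble(N[i-1]);`. The bound `i<NONCE_BYTES-1` also appears to leave `tweak[TWEAK_BYTES-2]` unwritten if NONCE_BYTES is 15, as the 64+4+120+4 bit layout implies (NONCE_BYTES itself is not visible here), in which case `i<NONCE_BYTES` is needed. The comment's ranges overlap (`1- 64` then `64- 68`, then `67-188`) and should read `65- 68: 0-padding` and `69-188: nonce`. Neither issue is caught by the roundtrip test in this commit, since encryption and decryption share this function; a known-answer test with a fixed expected ciphertext would be.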
