Remaniement de la génération des traces

Pour que les traces  des modes AE ne comprennent pas  les traces de la
partie TBC.

1 files changed, 0 insertions, 455 deletions

diff --git a/traces.patch b/traces.patch
deleted file mode 100644
index 4a1854f..0000000
--- a/traces.patch
+++ /dev/null
@@ -1,455 +0,0 @@
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
-index 561854e..397dac0 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ae-common.h
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #ifndef AE_COMMON_H
- #define AE_COMMON_H
- 
-@@ -105,20 +107,45 @@ static void process_associated_data(
-     size_t l_a = A_len / BLOCK_BYTES;
-     size_t rest = A_len % BLOCK_BYTES;
- 
-+    fprintf(DUMP, "computing Auth\n");
-+
-     for (size_t i=0; i<l_a; i++)
-     {
-+        fprintf(DUMP, "    i=%zu\n", i);
-+
-         fill_index_tweak(0x2, i, tweak);
-+
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-+
-         encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
-+
-+        debug_dump_buffer("Ai", BLOCK_BYTES, &A[i*BLOCK_BYTES], 8);
-+        debug_dump_buffer("Ek(Ai)", BLOCK_BYTES, Ek_Ai, 8);
-+
-         xor_into(Auth, Ek_Ai);
-+
-+        debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
-     }
- 
-     if (rest != 0)
-     {
-         uint8_t A_rest[BLOCK_BYTES];
-         pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
-+
-+        fprintf(DUMP, "    l_a=%zu (padding)\n", l_a);
-+
-         fill_index_tweak(0x6, l_a, tweak);
-+
-+        debug_dump_buffer("pad10*(A*)", BLOCK_BYTES, A_rest, 8);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-+
-         encrypt(key, tweak, A_rest, Ek_Ai);
-+
-+        debug_dump_buffer("Ek(A*)", BLOCK_BYTES, Ek_Ai, 8);
-+
-         xor_into(Auth, Ek_Ai);
-+
-+        debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
-     }
- }
- 
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
-index 7f1152a..caae858 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/cipher.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdint.h>
- #include <string.h>
- 
-@@ -47,40 +49,61 @@ static void _compute_round_tweakeys(
-     uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
- )
- {
-+    fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS);
-+
-     tweakey_state TK;
-     tweakey_state_init(&TK, key, tweak);
-     tweakey_state_extract(&TK, RTK[0], 0);
- 
-+    fprintf(DUMP, "    0\n");
-+    debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8);
-+
-     for (uint8_t i=1; i<ROUNDS; i++)
-     {
-+        fprintf(DUMP, "    %zu\n", (size_t)i);
-+
-         tweakey_state_update(&TK);
-+        debug_dump_buffer("TK", TWEAK_BYTES, TK.TK, 8);
-         tweakey_state_extract(&TK, RTK[i], i);
-+        debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[i], 8);
-     }
- }
- 
- 
- static void _nonlinear_layer(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES])
- {
-+    fprintf(DUMP, "        nonlinear layer\n");
-+
-+    debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
-+
-     uint8_t F[ROUND_TWEAKEY_BYTES];
-     for (size_t j=0; j<sizeof(F); j++)
-     {
-         F[j] = X->X[j] ^ RTK[j];
-     }
- 
-+    debug_dump_buffer("Xj XOR RTKj", sizeof(F), F, 12);
-+
-     for (size_t j=0; j<sizeof(F); j++)
-     {
-         F[j] = S[F[j]];
-     }
- 
-+    debug_dump_buffer("F (post-S-box)", sizeof(F), F, 12);
-+
-     for (size_t j=0; j<8; j++)
-     {
-         size_t dest_j = 15-j;
-         X->X[dest_j] ^= F[j];
-     }
-+
-+    debug_dump_buffer("X (post-XOR)", BLOCK_BYTES, X->X, 12);
- }
- 
- static void _linear_layer(cipher_state *X)
- {
-+    fprintf(DUMP, "        linear layer\n");
-+
-     X->X[15] ^= X->X[1];
-     X->X[15] ^= X->X[2];
-     X->X[15] ^= X->X[3];
-@@ -95,6 +118,8 @@ static void _linear_layer(cipher_state *X)
-     X->X[11] ^= X->X[7];
-     X->X[10] ^= X->X[7];
-     X->X[9]  ^= X->X[7];
-+
-+    debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
- }
- 
- static void _permutation_layer(cipher_state *X, permutation p)
-@@ -104,6 +129,8 @@ static void _permutation_layer(cipher_state *X, permutation p)
-         return;
-     }
- 
-+    fprintf(DUMP, "        permutation layer\n");
-+
-     uint8_t X_old[BLOCK_BYTES];
-     memcpy(X_old, X, sizeof(X_old));
- 
-@@ -113,6 +140,8 @@ static void _permutation_layer(cipher_state *X, permutation p)
-     {
-         X->X[pi[j]] = X_old[j];
-     }
-+
-+    debug_dump_buffer("X", BLOCK_BYTES, X->X, 12);
- }
- 
- static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
-@@ -136,11 +165,15 @@ void lilliput_tbc_encrypt(
-     uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
-     _compute_round_tweakeys(key, tweak, RTK);
- 
-+    fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS);
-+
-     for (uint8_t i=0; i<ROUNDS-1; i++)
-     {
-+        fprintf(DUMP, "    round %zu\n", (size_t)i);
-         _one_round_egfn(&X, RTK[i], PERMUTATION_ENCRYPTION);
-     }
- 
-+    fprintf(DUMP, "    round %zu\n", (size_t)(ROUNDS-1));
-     _one_round_egfn(&X, RTK[ROUNDS-1], PERMUTATION_NONE);
- 
-     memcpy(ciphertext, X.X, BLOCK_BYTES);
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
-index b1758c9..5cbb3f4 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-i.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdbool.h>
- #include <stdint.h>
- #include <string.h>
-@@ -65,32 +67,54 @@ static void _encrypt_message(
-     memset(tweak, 0, TWEAK_BYTES);
-     memset(checksum, 0, BLOCK_BYTES);
- 
-+    fprintf(DUMP, "message encryption\n");
-+
-     for (size_t j=0; j<l; j++)
-     {
-+        fprintf(DUMP, "    j=%zu\n", j);
-+
-+        debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
-         xor_into(checksum, &M[j*BLOCK_BYTES]);
-+        debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
-         _fill_msg_tweak(0x0, N, j, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
-+        debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
-     }
- 
-     if (rest == 0)
-     {
-+        fprintf(DUMP, "    no padding\n");
-+
-         _fill_msg_tweak(0x1, N, l-1, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, checksum, Final);
-+        debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
-     }
-     else
-     {
-+        fprintf(DUMP, "    padding\n");
-+
-         uint8_t M_rest[BLOCK_BYTES];
-         uint8_t Pad[BLOCK_BYTES];
- 
-         pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-+        debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
-+        debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
-         xor_into(checksum, M_rest);
-+        debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
- 
-         _fill_msg_tweak(0x4, N, l, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, _0n, Pad);
-         xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
-+        debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8);
-+        debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
- 
-         _fill_msg_tweak(0x5, N, l, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, checksum, Final);
-+        debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
-     }
- }
- 
-@@ -112,32 +136,54 @@ static void _decrypt_message(
-     memset(tweak, 0, TWEAK_BYTES);
-     memset(checksum, 0, BLOCK_BYTES);
- 
-+    fprintf(DUMP, "message decryption\n");
-+
-     for (size_t j=0; j<l; j++)
-     {
-+        fprintf(DUMP, "    j=%zu\n", j);
-+
-+        debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
-         _fill_msg_tweak(0x0, N, j, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
-+        debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
-         xor_into(checksum, &M[j*BLOCK_BYTES]);
-+        debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
-     }
- 
-     if (rest == 0)
-     {
-+        fprintf(DUMP, "    no padding\n");
-+
-         _fill_msg_tweak(0x1, N, l-1, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, checksum, Final);
-+        debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
-     }
-     else
-     {
-+        fprintf(DUMP, "    padding\n");
-+
-         uint8_t M_rest[BLOCK_BYTES];
-         uint8_t Pad[BLOCK_BYTES];
- 
-+        debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
-         _fill_msg_tweak(0x4, N, l, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, _0n, Pad);
-+        debug_dump_buffer("Pad", BLOCK_BYTES, Pad, 8);
-         xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
-+        debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
- 
-         pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-+        debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
-         xor_into(checksum, M_rest);
- 
-         _fill_msg_tweak(0x5, N, l, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-+        debug_dump_buffer("Checksum", BLOCK_BYTES, checksum, 8);
-         encrypt(key, tweak, checksum, Final);
-+        debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
-     }
- }
- 
-@@ -147,7 +193,13 @@ static void _generate_tag(
-     uint8_t       tag[TAG_BYTES]
- )
- {
-+    fprintf(DUMP, "generating tag\n");
-+    debug_dump_buffer("Final", BLOCK_BYTES, Final, 8);
-+    debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
-+
-     xor_arrays(TAG_BYTES, tag, Final, Auth);
-+
-+    debug_dump_buffer("tag", TAG_BYTES, tag, 8);
- }
- 
- 
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
-index 26885e5..88f9ae0 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/lilliput-ae-ii.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdbool.h>
- #include <stdint.h>
- #include <string.h>
-@@ -62,24 +64,40 @@ static void _generate_tag(
-     size_t l = M_len / BLOCK_BYTES;
-     size_t rest = M_len % BLOCK_BYTES;
- 
-+    fprintf(DUMP, "computing tag\n");
-+    debug_dump_buffer("Auth", BLOCK_BYTES, Auth, 8);
-+
-     for (size_t j=0; j<l; j++)
-     {
-+        fprintf(DUMP, "    j=%zu\n", j);
-         fill_index_tweak(0x0, j, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
-+        debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
-+        debug_dump_buffer("Ek(Mj)", BLOCK_BYTES, Ek_Mj, 8);
-         xor_into(tag_tmp, Ek_Mj);
-+        debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8);
-     }
- 
-     if (rest != 0)
-     {
-+        fprintf(DUMP, "    l=%zu (padding)\n", l);
-         uint8_t M_rest[BLOCK_BYTES];
-         pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-         fill_index_tweak(0x4, l, tweak);
-+        debug_dump_buffer("pad10*(M*)", BLOCK_BYTES, M_rest, 8);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, M_rest, Ek_Mj);
-+        debug_dump_buffer("Ek(M*)", BLOCK_BYTES, Ek_Mj, 8);
-         xor_into(tag_tmp, Ek_Mj);
-+        debug_dump_buffer("tag", TAG_BYTES, tag_tmp, 8);
-     }
- 
-+    fprintf(DUMP, "    Ek(tag)\n");
-     _fill_tag_tweak(N, tweak);
-+    debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-     encrypt(key, tweak, tag_tmp, tag);
-+    debug_dump_buffer("tag = Ek(tag)", TAG_BYTES, tag, 8);
- }
- 
- static void _encrypt_message(
-@@ -103,18 +121,33 @@ static void _encrypt_message(
-     size_t l = M_len / BLOCK_BYTES;
-     size_t rest = M_len % BLOCK_BYTES;
- 
-+    fprintf(DUMP, "message encryption\n");
-+
-     for (size_t j=0; j<l; j++)
-     {
-+        fprintf(DUMP, "    j=%zu\n", j);
-+
-         _fill_msg_tweak(tag, j, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, padded_N, Ek_N);
-+        debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8);
-+        debug_dump_buffer("Ek(Mj, N)", BLOCK_BYTES, Ek_N, 8);
-+        debug_dump_buffer("Mj", BLOCK_BYTES, &M[j*BLOCK_BYTES], 8);
-         xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
-+        debug_dump_buffer("Cj", BLOCK_BYTES, &C[j*BLOCK_BYTES], 8);
-     }
- 
-     if (rest != 0)
-     {
-+        fprintf(DUMP, "    l=%zu (padding)\n", l);
-         _fill_msg_tweak(tag, l, tweak);
-+        debug_dump_buffer("tweak", TWEAK_BYTES, tweak, 8);
-         encrypt(key, tweak, padded_N, Ek_N);
-+        debug_dump_buffer("N (padded)", BLOCK_BYTES, padded_N, 8);
-+        debug_dump_buffer("Ek(M*, N)", BLOCK_BYTES, Ek_N, 8);
-+        debug_dump_buffer("M*", rest, &M[l*BLOCK_BYTES], 8);
-         xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
-+        debug_dump_buffer("C*", rest, &C[l*BLOCK_BYTES], 8);
-     }
- }
- 
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
-index da97019..cbff16a 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/tweakey.c
-@@ -1,3 +1,5 @@
-+#include "debug.h"
-+
- #include <stdint.h>
- #include <string.h>
- 
-@@ -32,10 +34,16 @@ void tweakey_state_extract(
- 
-     for (const uint8_t *lane=TK->TK; lane<TK->TK+TWEAKEY_BYTES; lane+=LANE_BYTES)
-     {
-+        fprintf(DUMP, "        XORing lane %zu/%zu\n", 1+(size_t)((lane-TK->TK)/LANE_BYTES), (size_t)LANES_NB);
-+        debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
-+        debug_dump_buffer("lane[j]", LANE_BYTES, lane, 12);
-+
-         for (size_t j=0; j<LANE_BYTES; j++)
-         {
-             round_tweakey[j] ^= lane[j];
-         }
-+
-+        debug_dump_buffer("=> RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
-     }
- 
-     round_tweakey[0] ^= i;
-@@ -44,6 +52,8 @@ void tweakey_state_extract(
- 
- static void _permute_state(tweakey_state *TK)
- {
-+    fprintf(DUMP, "        permuting TK\n");
-+
-     uint8_t TK_old[TWEAKEY_BYTES];
-     memcpy(TK_old, TK->TK, sizeof(TK_old));
- 
-@@ -56,12 +66,19 @@ static void _permute_state(tweakey_state *TK)
-             TK->TK[j+h[k]] = TK_old[j+k];
-         }
-     }
-+
-+    debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK_old, 12);
-+    debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12);
- }
- 
- static void _multiply_state(tweakey_state *TK)
- {
-+    fprintf(DUMP, "        multiplying TK\n");
-+
-     /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */
- 
-+    debug_dump_buffer("TKi-1", TWEAKEY_BYTES, TK->TK, 12);
-+
-     for (size_t lane=1; lane<LANES_NB; lane++)
-     {
-         const uint8_t* P_lane = P[lane-1];
-@@ -74,6 +91,8 @@ static void _multiply_state(tweakey_state *TK)
-             TK->TK[offset] = P_lane[TK->TK[offset]];
-         }
-     }
-+
-+    debug_dump_buffer("TKi", TWEAKEY_BYTES, TK->TK, 12);
- }
- 
- void tweakey_state_update(tweakey_state *TK)