Diffstat (limited to 'src/ref/lilliput-ii.c')
| -rw-r--r-- | src/ref/lilliput-ii.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/src/ref/lilliput-ii.c b/src/ref/lilliput-ii.c index 9ed17a2..bb43d08 100644 --- a/src/ref/lilliput-ii.c +++ b/src/ref/lilliput-ii.c @@ -28,12 +28,15 @@ This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2. static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES]) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: + * + * 1 2 t + * [ 1 || tag[2,t] XOR block index ] + * + * The s-bit block index is XORed to the tag as follows: * - * 1: 1 - * [ 2, t]: tag[ 2, t] XOR block index - * [ 2, t-s]: tag[ 2, t-s] - * [t-s+1, t]: tag[t-s+1, t] XOR block index + * 2 t-s t-s+1 t + * [ tag[2, t-s] || tag[t-s+1, t] XOR block index, MSB first ] * * This function sets bits 1 to t-s once and for all. */ @@ -44,12 +47,15 @@ static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BY static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], size_t block_index, uint8_t tweak[TWEAK_BYTES]) { - /* With an s-bit block index, the t-bit tweak is filled as follows: + /* The t-bit tweak is filled as follows: + * + * 1 2 t + * [ 1 || tag[2,t] XOR block index ] + * + * The s-bit block index is XORed to the tag as follows: * - * 1: 1 - * [ 2, t]: tag + block index - * [ 2, t-s]: tag[ 2, t-s] - * [t-s+1, t]: tag[t-s+1, t] XOR block index + * 2 t-s t-s+1 t + * [ tag[2, t-s] || tag[t-s+1, t] XOR block index, MSB first ] * * This function assumes bits 1 to t-s have already been set, and * only sets bits t-s+1 to t. @@ -67,8 +73,8 @@ static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BY { /* The t-bit tweak is filled as follows: * - * [ 1, 8]: 0001||0^4 - * [t-|N|+1, t]: N + * 1 4 5 8 t-|N|+1 t + * [ 0001 || 0^4 || nonce ] */ tweak[0] = 0x10; |
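Review bot: The rewritten comment in `_init_msg_tweak` (and the identical one in the `_fill_msg_tweak` hunk) never states a bound on the block index, although `_fill_msg_tweak` accepts a full `size_t block_index` and the diagram only has room for s bits. If the body, which lies outside the hunk, drops or folds index bits above s, two blocks of one message would get the same tweak under the same tag. The precondition therefore belongs in the comment, for example `* Callers must guarantee block_index < 2^s, so that every block of a message gets a distinct tweak.` It would also help to say where s comes from, such as a named constant if the file has one.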
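Review bot: The new diagram in `_fill_tag_tweak` numbers bits from 1 but does not say which end of which byte bit 1 is. A reader has to work it out from `tweak[0] = 0x10;`, which puts `0001||0^4` in `tweak[0]` with bit 1 as its most significant bit. The message tweaks in the two hunks above begin with a 1 bit and this one begins with 0001, so that first bit is what keeps the two tweak families apart; the convention is worth one explicit line, e.g. `* Bit 1 is the most significant bit of tweak[0].` The diagram also draws the nonce directly after bit 8, so if t can exceed 8 + |N| the padding between them should be shown, as the old `[t-|N|+1, t]: N` line implied. The function body continues outside the hunk.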
