From 30b6de9dd377259685cfd0aedabd1f891fcf0d44 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Tue, 27 Nov 2018 14:08:56 +0100
Subject: Implémentation du mode SCT-2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 crypto_aead/lilliputaeii128v1/ref/Makefile |  2 -
 src/ae-common.h                            | 19 +++----
 src/lilliput-ae-ii.c                       | 89 +++++++++++++++++++++++++-----
 3 files changed, 82 insertions(+), 28 deletions(-)

diff --git a/crypto_aead/lilliputaeii128v1/ref/Makefile b/crypto_aead/lilliputaeii128v1/ref/Makefile
index 90f2a75..ab18c62 100644
--- a/crypto_aead/lilliputaeii128v1/ref/Makefile
+++ b/crypto_aead/lilliputaeii128v1/ref/Makefile
@@ -39,5 +39,3 @@ results/src/tweakey.o: src/tweakey.h src/constants.h parameters.h
 # TODO: should add order-only prerequisites to remove mkdirs inside recipes
 # TODO: add valgrind, although it does not seem to play well with ASAN
 # TODO: should use gcc -M... to generate .o -> .h dependencies
-
-results/src/lilliput-ae-ii.o: CFLAGS += -Wno-unused # FIXME: remove once implemented
diff --git a/src/ae-common.h b/src/ae-common.h
index da5d04d..561854e 100644
--- a/src/ae-common.h
+++ b/src/ae-common.h
@@ -65,26 +65,23 @@ static inline void pad10(size_t X_len, const uint8_t X[X_len], uint8_t padded[BL
     }
 }
 
-static inline void _fill_ad_tweak(
+static inline void fill_index_tweak(
     uint8_t  prefix,
-    uint64_t block_nb,
+    uint64_t block_index,
     uint8_t  tweak[TWEAK_BYTES]
 )
 {
     /* The t-bit tweak is filled as follows:
      *
-     * - bits [  1, t-4]: block number
-     *        [  1,  64]: actual 64-bit block number
+     * - bits [  1, t-4]: block index
+     *        [  1,  64]: actual 64-bit block index
      *        [ 65, t-4]: 0-padding
      * - bits [t-3,   t]: constant 4-bit prefix
      */
 
-    for (size_t i=0; i<sizeof(block_nb); i++)
+    for (size_t i=0; i<sizeof(block_index); i++)
     {
-        uint64_t mask = (uint64_t)0xff << 8*i;
-        uint8_t b = (mask & block_nb) >> 8*i;
-
-        tweak[i] = b;
+        tweak[i] = block_index >> 8*i & 0xff;
     }
 
     /* Assume padding bytes have already been memset to 0. */
@@ -110,7 +107,7 @@ static void process_associated_data(
 
     for (size_t i=0; i<l_a; i++)
     {
-        _fill_ad_tweak(0x2, i, tweak);
+        fill_index_tweak(0x2, i, tweak);
         encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
         xor_into(Auth, Ek_Ai);
     }
@@ -119,7 +116,7 @@ static void process_associated_data(
     {
         uint8_t A_rest[BLOCK_BYTES];
         pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
-        _fill_ad_tweak(0x6, l_a, tweak);
+        fill_index_tweak(0x6, l_a, tweak);
         encrypt(key, tweak, A_rest, Ek_Ai);
         xor_into(Auth, Ek_Ai);
     }
diff --git a/src/lilliput-ae-ii.c b/src/lilliput-ae-ii.c
index fc50211..e0e268e 100644
--- a/src/lilliput-ae-ii.c
+++ b/src/lilliput-ae-ii.c
@@ -7,16 +7,62 @@
 #include "lilliput-ae.h"
 
 
+static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
+{
+    /* The t-bit tweak is filled as follows:
+     *
+     * - bits [  1, t-1]: tag + block index
+     *        [  1,  64]: tag[ 1.. 64] XOR block index
+     *        [ 65, t-1]: tag[65..t-1]
+     * - bit t: 1
+     */
+
+    memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
+    tweak[TWEAK_BYTES-1] |= 0x80;
+}
+
+static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
+{
+    /* Assume bits 65 to t-1 are set. */
+    for (size_t i=0; i<sizeof(block_index); i++)
+    {
+        uint8_t index_i = block_index >> i*8 & 0xff;
+        tweak[i] = tag[i] ^ index_i;
+    }
+}
 
 static void _generate_tag(
     const uint8_t key[KEY_BYTES],
     size_t        M_len,
     const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
     const uint8_t Auth[BLOCK_BYTES],
     uint8_t       tag[TAG_BYTES]
 )
 {
+    uint8_t Ek_Mj[BLOCK_BYTES];
+    uint8_t tweak[TWEAK_BYTES];
+    memset(tweak, 0, TWEAK_BYTES);
+
+    memcpy(tag, Auth, TAG_BYTES);
+
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    for (size_t j=0; j<l; j++)
+    {
+        fill_index_tweak(0x0, j, tweak);
+        encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
+        xor_into(tag, Ek_Mj);
+    }
+
+    if (rest != 0)
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        fill_index_tweak(0x4, l, tweak);
+        encrypt(key, tweak, M_rest, Ek_Mj);
+        xor_into(tag, Ek_Mj);
+    }
 }
 
 static void _encrypt_message(
@@ -28,19 +74,32 @@ static void _encrypt_message(
     uint8_t       C[M_len]
 )
 {
-}
+    uint8_t Ek_N[BLOCK_BYTES];
 
-static void _decrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t C_len,
-    const uint8_t C[C_len],
-    const uint8_t N[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       M[C_len]
-)
-{
-}
+    uint8_t tweak[TWEAK_BYTES];
+    _init_msg_tweak(tag, tweak);
+
+    uint8_t padded_N[BLOCK_BYTES];
+    memcpy(padded_N, N, NONCE_BYTES);
+    padded_N[BLOCK_BYTES-1] = 0;
+
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
 
+    for (size_t j=0; j<l; j++)
+    {
+        _fill_msg_tweak(tag, j, tweak);
+        encrypt(key, tweak, padded_N, Ek_N);
+        xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
+    }
+
+    if (rest != 0)
+    {
+        _fill_msg_tweak(tag, l, tweak);
+        encrypt(key, tweak, padded_N, Ek_N);
+        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
+    }
+}
 
 void lilliput_ae_encrypt(
     size_t        message_len,
@@ -56,7 +115,7 @@ void lilliput_ae_encrypt(
     uint8_t auth[BLOCK_BYTES];
     process_associated_data(key, auth_data_len, auth_data, auth);
 
-    _generate_tag(key, message_len, message, nonce, auth, tag);
+    _generate_tag(key, message_len, message, auth, tag);
 
     _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
 }
@@ -72,13 +131,13 @@ bool lilliput_ae_decrypt(
     uint8_t       message[ciphertext_len]
 )
 {
-    _decrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
+    _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
 
     uint8_t auth[BLOCK_BYTES];
     process_associated_data(key, auth_data_len, auth_data, auth);
 
     uint8_t effective_tag[TAG_BYTES];
-    _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
+    _generate_tag(key, ciphertext_len, message, auth, effective_tag);
 
     return memcmp(tag, effective_tag, TAG_BYTES) == 0;
 }
-- 
cgit v1.2.3