utils/advmodes: Implement (only) a toy version of OCB2.
author Mark Wooding <mdw@distorted.org.uk>
Mon, 5 Nov 2018 17:34:41 +0000 (17:34 +0000)
committer Mark Wooding <mdw@distorted.org.uk>
Thu, 5 Sep 2019 00:36:08 +0000 (01:36 +0100)
commit ebb0df1d8203932379849c05bf8281b99985bd22
tree 17ac2db681d68eb1efdff0ff0ba75cbdaf01e082
parent b39fadb608dd52cbd6fc8a11001661083d8d078b
utils/advmodes: Implement (only) a toy version of OCB2.

I doubt this will ever end up as a high-quality mode implementation in
Catacomb, because it doesn't actually provide authenticity.  See
`Cryptanalysis of OCB2' by Akiko Inoue and Kazuhiko Minematsu,
https://eprint.iacr.org/2018/1040.

This is enough to confirm their result.

  * First, choose an arbitrary key and nonce, and encrypt a two-block
    message whose first block contains len(0^{128}) = 128; the second
    block is arbitrary.

$ ./advmodes ocb2-enc rijndael 00112233445566778899aabbccddeeff 00112233445566778899aabbccddeeff "" 0000000000000000000000000000008000112233445566778899aabbccddeeff
0e6475201e14155a2744eb78f396581c3ffbfcf1d7a2505ef8f5e56b2824f4bb
5973f3fdd62e411b05c9d9d982769bbc

  * Ask Python to XOR pieces of message and ciphertext:

>>> import catacomb as C
>>> C.bytes('00000000000000000000000000000080') ^ C.bytes('0e6475201e14155a2744eb78f396581c')
bytes('0e6475201e14155a2744eb78f396589c')
>>> C.bytes('00112233445566778899aabbccddeeff') ^ C.bytes('3ffbfcf1d7a2505ef8f5e56b2824f4bb')
bytes('3feadec293f73629706c4fd0e4f91a44')

  * Use the first result as the ciphertext and the second as the MAC.

$ ./advmodes ocb2-dec rijndael 00112233445566778899aabbccddeeff 00112233445566778899aabbccddeeff "" 0e6475201e14155a2744eb78f396589c 3feadec293f73629706c4fd0e4f91a44
c5ecf37c57e1b262c83c0739468037e4

Oops.
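The transcript above does the forgery by hand against advmodes. The following is an added, self-contained worked example; it is not Catacomb code and does not call advmodes. It implements OCB2 as specified in Rogaway's 2004 paper (offsets 2^i L with L = E_K(N), XEX for blocks 1..m-1, an XE "Pad" for the final block, tag E_K(Sigma xor 3*2^m L), header empty, full blocks only) over a pluggable block cipher, then runs the two-step attack: one encryption query on (len(0^128), M2), then C' = M1 xor C1 with tag T' = M2 xor C2. The block cipher is a constructed toy Feistel permutation (insecure, and an assumption of the example) standing in for Rijndael, so the hex values differ from the transcript; the forgery goes through for any block cipher because it only uses the mode's structure. The example also works out what the forged ciphertext decrypts to, len(0^128) xor 2L, and checks that the decryptor returns exactly that.

```python
# Added example (not Catacomb code): toy OCB2 plus the Inoue-Minematsu
# minimal forgery.  Assumed toy block cipher below stands in for Rijndael.
import hmac

MASK64 = (1 << 64) - 1
GOLDEN = 0x9E3779B97F4A7C15  # odd constant for the toy round function


def rotl64(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def toy_round_key(key, i):
    k = int.from_bytes(key[8 * (i % 2):8 * (i % 2) + 8], 'big')
    return rotl64(k, (7 * i) % 64) ^ ((GOLDEN * (i + 1)) & MASK64)


def toy_f(x, rk):
    return (rotl64(x ^ rk, 13) * 0xBF58476D1CE4E5B9 + rotl64(x, 31)) & MASK64


def toy_block_encrypt(key, block):
    """Constructed 16-round Feistel cipher on 128-bit blocks; NOT secure, it
    only has to be a keyed permutation for the forgery to work."""
    left, right = int.from_bytes(block[:8], 'big'), int.from_bytes(block[8:], 'big')
    for i in range(16):
        left, right = right, left ^ toy_f(right, toy_round_key(key, i))
    return left.to_bytes(8, 'big') + right.to_bytes(8, 'big')


def toy_block_decrypt(key, block):
    left, right = int.from_bytes(block[:8], 'big'), int.from_bytes(block[8:], 'big')
    for i in reversed(range(16)):
        left, right = right ^ toy_f(left, toy_round_key(key, i)), left
    return left.to_bytes(8, 'big') + right.to_bytes(8, 'big')


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def double_block(block):
    """Multiply by x in GF(2^128) with OCB's polynomial x^128 + x^7 + x^2 + x + 1."""
    x = int.from_bytes(block, 'big') << 1
    if x >> 128:
        x ^= (1 << 128) | 0x87
    return x.to_bytes(16, 'big')


def len_block(nbytes):
    """len(M_m): bit length of the final block as a 128-bit big-endian integer."""
    return (8 * nbytes).to_bytes(16, 'big')


def offsets(E, key, nonce, m):
    """Delta_i = 2^i L for i = 1..m, with L = E_K(N)."""
    delta, out = E(key, nonce), []
    for _ in range(m):
        delta = double_block(delta)
        out.append(delta)
    return out


def ocb2_encrypt(E, key, nonce, msg):
    """OCB2, empty header, full final block: XEX, then XE Pad, tag = E(Sigma ^ 3*2^m L)."""
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)]
    deltas = offsets(E, key, nonce, len(blocks))
    sigma, out = bytes(16), []
    for M, delta in zip(blocks[:-1], deltas[:-1]):
        out.append(xor_bytes(E(key, xor_bytes(M, delta)), delta))
        sigma = xor_bytes(sigma, M)
    delta_m = deltas[-1]
    pad = E(key, xor_bytes(len_block(16), delta_m))      # XE: no outer mask
    C_m = xor_bytes(blocks[-1], pad)
    out.append(C_m)
    sigma = xor_bytes(xor_bytes(sigma, C_m), pad)
    tag = E(key, xor_bytes(sigma, xor_bytes(delta_m, double_block(delta_m))))
    return b''.join(out), tag


def ocb2_decrypt(E, D, key, nonce, ct, tag):
    """Returns the plaintext, or None when the tag does not verify."""
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    deltas = offsets(E, key, nonce, len(blocks))
    sigma, out = bytes(16), []
    for C, delta in zip(blocks[:-1], deltas[:-1]):
        M = xor_bytes(D(key, xor_bytes(C, delta)), delta)
        out.append(M)
        sigma = xor_bytes(sigma, M)
    delta_m = deltas[-1]
    pad = E(key, xor_bytes(len_block(16), delta_m))
    out.append(xor_bytes(blocks[-1], pad))
    sigma = xor_bytes(xor_bytes(sigma, blocks[-1]), pad)
    want = E(key, xor_bytes(sigma, xor_bytes(delta_m, double_block(delta_m))))
    return b''.join(out) if hmac.compare_digest(want, tag) else None


def minimal_forgery(E, key, nonce, m2=bytes.fromhex('00112233445566778899aabbccddeeff')):
    """One encryption query on (len(0^128), M2), then C' = M1 ^ C1, T' = M2 ^ C2.
    The key is passed only so the oracle can be called; the forger never uses it."""
    m1 = len_block(16)
    ct = ocb2_encrypt(E, key, nonce, m1 + m2)[0]
    return xor_bytes(m1, ct[:16]), xor_bytes(m2, ct[16:])


def forged_plaintext(E, key, nonce):
    """Pad' = E(len ^ 2L) = C1 ^ 2L, so M' = C' ^ Pad' = M1 ^ 2L and the checksum
    M1 ^ 2L yields tag E(M1 ^ 4L), which is exactly T' = Pad."""
    return xor_bytes(len_block(16), double_block(E(key, nonce)))


if __name__ == '__main__':
    key = nonce = bytes.fromhex('00112233445566778899aabbccddeeff')
    fct, ftag = minimal_forgery(toy_block_encrypt, key, nonce)
    print(ocb2_decrypt(toy_block_encrypt, toy_block_decrypt, key, nonce, fct, ftag).hex())
```

Swapping `toy_block_encrypt`/`toy_block_decrypt` for a real AES-128 pair (or any other 128-bit block cipher) is the only change needed; the forgery never uses the key, so it succeeds regardless of the cipher.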
symm/t/rijndael.local
utils/advmodes